CVE-2021-3735

A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.4 MEDIUM
LOCAL
LOW
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
VendorProductVersion
qemuqemu
6.1.0:rc4
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
qemu
bullseye
postponed
bookworm
postponed
buster
postponed
bullseye (security)
vulnerable
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
qemu
noble
deferred
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
deferred
impish
ignored
hirsute
ignored
focal
deferred
bionic
deferred
xenial
deferred
trusty
deferred
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2021-3735
https://bugzilla.redhat.com/show_bug.cgi?id=1997184
https://security-tracker.debian.org/tracker/CVE-2021-3735
https://access.redhat.com/security/cve/CVE-2021-3735
https://bugzilla.redhat.com/show_bug.cgi?id=1997184
https://security-tracker.debian.org/tracker/CVE-2021-3735
https://security.netapp.com/advisory/ntap-20250228-0009/