CVE-2021-3735

EUVD-2021-27011
A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.4 MEDIUM
LOCAL
LOW
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
Affected Products (NVD)
VendorProductVersion
qemuqemu
6.1.0:rc4
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
qemu
bookworm
postponed
bullseye
postponed
bullseye (security)
vulnerable
buster
postponed
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
qemu
bionic
deferred
focal
deferred
hirsute
ignored
impish
ignored
jammy
deferred
kinetic
ignored
lunar
ignored
mantic
ignored
noble
deferred
trusty
deferred
xenial
deferred
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2021-3735
https://bugzilla.redhat.com/show_bug.cgi?id=1997184
https://security-tracker.debian.org/tracker/CVE-2021-3735
https://access.redhat.com/security/cve/CVE-2021-3735
https://bugzilla.redhat.com/show_bug.cgi?id=1997184
https://security-tracker.debian.org/tracker/CVE-2021-3735
https://security.netapp.com/advisory/ntap-20250228-0009/