CVE-2021-3750

02.05.2022, 19:15

A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.2 HIGH	LOCAL	LOW	HIGH	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Affected Products (NVD)

Vendor	Product	Version
qemu	qemu	𝑥 < 7.0.0
redhat	enterprise_linux	8.0
redhat	enterprise_linux	8.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

qemu

bookworm	1:7.2+dfsg-7+deb12u7 fixed
bullseye	ignored
bullseye (security)	vulnerable
buster	postponed
sid	1:9.1.1+ds-2 fixed
stretch	postponed
trixie	1:9.1.1+ds-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

qemu

bionic	Fixed 1:2.11+dfsg-1ubuntu7.41 released
focal	Fixed 1:4.2-3ubuntu6.24 released
hirsute	ignored
impish	ignored
jammy	Fixed 1:6.2+dfsg-2ubuntu6.6 released
kinetic	Fixed 1:7.0+dfsg-7ubuntu1 released
trusty	not-affected
xenial	not-affected

openSUSE / SLES Releases

openSUSE Product

Release

qemu

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP3	2.9.1-43.68.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-SLOF

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-accel-tcg-x86

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-arm

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-audio-alsa

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-audio-oss

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed

qemu-audio-pa

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-audio-sdl

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed

qemu-audio-spice

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-block-curl

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP3	2.9.1-43.68.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-block-iscsi

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP3	2.9.1-43.68.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-block-rbd

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP3	2.9.1-43.68.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-block-ssh

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP3	2.9.1-43.68.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-chardev-baum

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-chardev-spice

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-guest-agent

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP3	2.9.1-43.68.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-hw-display-qxl

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-hw-display-virtio-gpu

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-hw-display-virtio-gpu-pci

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-hw-display-virtio-vga

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-hw-s390x-virtio-gpu-ccw

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-hw-usb-host

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-hw-usb-redirect

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-ksm

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-kvm

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP3	2.9.1-43.68.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-lang

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP3	2.9.1-43.68.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-microvm

suse enterprise server 15 SP2

4.2.1-150200.79.1

fixed

qemu-ppc

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-s390

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed

qemu-s390x

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-sgabios-8

suse enterprise sap 12 SP5	72.1 fixed
suse enterprise sap 15 SP4	150400.37.23.1 fixed
suse enterprise server 12 SP3	43.68.1 fixed
suse enterprise server 12 SP5	72.1 fixed
suse enterprise server 15 SP1	150100.80.51.5 fixed
suse enterprise server 15 SP2	150200.79.1 fixed
suse enterprise server 15 SP3	150300.127.3 fixed
suse enterprise server 15 SP4	150400.37.23.1 fixed

qemu-skiboot

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-tools

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 12 SP3	2.9.1-43.68.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-ui-curses

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-ui-gtk

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-ui-opengl

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-ui-sdl

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed

qemu-ui-spice-app

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-ui-spice-core

suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

qemu-x86

suse enterprise sap 12 SP5	3.1.1.1-72.1 fixed
suse enterprise sap 15 SP4	6.2.0-150400.37.23.1 fixed
suse enterprise server 12 SP3	2.9.1-43.68.1 fixed
suse enterprise server 12 SP5	3.1.1.1-72.1 fixed
suse enterprise server 15 SP1	3.1.1.1-150100.80.51.5 fixed
suse enterprise server 15 SP2	4.2.1-150200.79.1 fixed
suse enterprise server 15 SP3	5.2.0-150300.127.3 fixed
suse enterprise server 15 SP4	6.2.0-150400.37.23.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

qemu-guest-agent

RHEL 9

17:7.0.0-13.el9

fixed

qemu-img

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-audio-pa

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-block-curl

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-block-rbd

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-common

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-core

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-device-display-virtio-gpu

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-device-display-virtio-gpu-ccw

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-device-display-virtio-gpu-gl

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-device-display-virtio-gpu-pci

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-device-display-virtio-gpu-pci-gl

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-device-display-virtio-vga

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-device-display-virtio-vga-gl

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-device-usb-host

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-device-usb-redirect

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-docs

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-tools

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-ui-egl-headless

RHEL 9

17:7.0.0-13.el9

fixed

qemu-kvm-ui-opengl

RHEL 9

17:7.0.0-13.el9

fixed

qemu-pr-helper

RHEL 9

17:7.0.0-13.el9

fixed

Known Exploits!

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1999073

https://gitlab.com/qemu-project/qemu/-/issues/541

https://gitlab.com/qemu-project/qemu/-/issues/556

https://security.gentoo.org/glsa/202208-27

https://security.netapp.com/advisory/ntap-20220624-0003/

https://bugzilla.redhat.com/show_bug.cgi?id=1999073

https://gitlab.com/qemu-project/qemu/-/issues/541

https://gitlab.com/qemu-project/qemu/-/issues/556

https://security.gentoo.org/glsa/202208-27

https://security.netapp.com/advisory/ntap-20220624-0003/