CVE-2017-9373 — Missing Release of Memory after Effective Lifetime in Qemu

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-772 — Missing Release of Resource after Effective Lifetime10 documents7 sources

Severity

5.5MEDIUMNVD

OSV7.8

EPSS

0.1%

top 72.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu Debian Linux

Timeline

PublishedJun 16

Latest updateMay 13

Description

Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/qemu< qemu 1:2.8+dfsg-7 (bookworm)

▶Debianqemu/qemu< 1:2.8+dfsg-7+3

▶Ubuntuqemu/qemu< 2.0.0+dfsg-2ubuntu1.36+3

▶NVDqemu/qemu2.8.1.1+1

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: www.openwall.com ↗Patch: bugzilla.redhat.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-48xx-8rq2-ffh3: Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of serv↗2022-05-13

▶

OSV

qemu regression↗2017-09-20

▶

OSV

qemu vulnerabilities↗2017-09-13

▶

OSV

CVE-2017-9373: Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of serv↗2017-06-16

▶

📋Vendor Advisories

Ubuntu

QEMU regression↗2017-09-20

▶

Ubuntu

QEMU vulnerabilities↗2017-09-13

▶

Red Hat

Qemu: ide: ahci host memory leakage during hotunplug↗2017-03-16

▶

Debian

CVE-2017-9373: qemu - Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation sup...↗2017

▶

💬Community

Bugzilla

CVE-2017-9373 Qemu: ide: ahci host memory leakage during hotunplug↗2017-06-02

▶