CVE-2017-9374 — Missing Release of Memory after Effective Lifetime in Qemu

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-772 — Missing Release of Resource after Effective Lifetime11 documents7 sources

Severity

5.5MEDIUMNVD

OSV7.8

EPSS

0.1%

top 72.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu

Timeline

PublishedJun 16

Latest updateMay 13

Description

Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/qemu< qemu 1:2.8+dfsg-7 (bookworm)

▶Debianqemu/qemu< 1:2.8+dfsg-7+3

▶Ubuntuqemu/qemu< 2.0.0+dfsg-2ubuntu1.36+3

▶NVDqemu/qemu2.8.1.1

Patches

Patch: www.openwall.com ↗Patch: bugzilla.redhat.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-5xgr-qhgc-xhwh: Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of serv↗2022-05-13

▶

OSV

qemu regression↗2017-09-20

▶

OSV

qemu vulnerabilities↗2017-09-13

▶

OSV

CVE-2017-9374: Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of serv↗2017-06-16

▶

📋Vendor Advisories

Ubuntu

QEMU regression↗2017-09-20

▶

Ubuntu

QEMU vulnerabilities↗2017-09-13

▶

Red Hat

Qemu: usb: ehci host memory leakage during hotunplug↗2017-02-08

▶

Debian

CVE-2017-9374: qemu - Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation sup...↗2017

▶

💬Community

Bugzilla

CVE-2017-9374 Qemu: usb: ehci host memory leakage during hotunplug [fedora-all]↗2017-06-06

▶

Bugzilla

CVE-2017-9374 Qemu: usb: ehci host memory leakage during hotunplug↗2017-06-06

▶