CVE-2019-14378
published 2019-07-29

CVE-2019-14378: ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.

Priority: P2 68 high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 16.66% (96.6th percentile)

Affected

10 ranges
Vendor             Product       Version range                      Fixed in
debian             qemu          < qemu 1:4.1-1 (bookworm)          qemu 1:4.1-1 (bookworm)
debian             slirp4netns   < qemu 1:4.1-1 (bookworm)          qemu 1:4.1-1 (bookworm)
libslirp_project   libslirp
qemu               qemu          >= 0 < 1:4.1-1                     1:4.1-1
qemu               qemu          >= 0 < 1:4.1-1                     1:4.1-1
qemu               qemu          >= 0 < 1:4.1-1                     1:4.1-1
qemu               qemu          >= 0 < 1:4.1-1                     1:4.1-1
qemu               qemu          >= 0 < 1:2.5+dfsg-5ubuntu10.42     1:2.5+dfsg-5ubuntu10.42
qemu               qemu          >= 0 < 1:2.11+dfsg-1ubuntu7.20     1:2.11+dfsg-1ubuntu7.20
qemu               qemu          >= 0 < 2.0.0+dfsg-2ubuntu1.47      2.0.0+dfsg-2ubuntu1.47

Detection & IOCs (extracted from sources)

Path: ip_input.c
  • The vulnerability triggers in ip_reass() when the first IP fragment is larger than the m->m_dat[] buffer. Monitor for oversized first IP fragments (IP_MF flag set, fragment offset 0) with a total length exceeding normal MTU bounds sent toward the QEMU SLiRP interface (guest-to-host direction, dst 10.0.2.2).
  • The exploit uses a minimum MTU threshold of 12000 bytes and crafts oversized fragmented ICMP packets. Detect fragmented ICMP packets with abnormally large payload sizes (>12000 bytes reconstructed) originating from within a QEMU guest on the SLiRP network.
  • The exploit sends raw Ethernet frames with crafted IP fragmentation sequences (IP_MF flag) using IPPROTO_ICMP. Detect sequences of fragmented ICMP packets with the same IP ID from a single source in rapid succession, particularly where the first fragment's tot_len field encodes a negative or anomalous value.
  • The exploit targets the QEMU SLiRP default gateway address 10.0.2.2 from the guest address 10.0.2.15. Alert on high-rate fragmented IP traffic from 10.0.2.15 to 10.0.2.2 within a QEMU guest network namespace.
  • The exploit uses a crafted ICMP echo reply with checksum 0xffff as a side-channel to leak heap/code pointers. Detect ICMP echo replies with checksum value 0xffff on the SLiRP interface as a potential indicator of exploitation in progress.
  • The vulnerability only affects QEMU instances using SLiRP (KVM user-mode networking). Deployments using other network backends (e.g., virtio with TAP) are not affected. Red Hat OpenStack Platform is explicitly noted as not vulnerable because it does not use SLIRP networking.
  • The exploit PoC hardcodes QEMU binary symbol offsets (e.g., SYSTEM_PLT, QEMU_CLOCK, MAIN_LOOP_TLG). These offsets are build-specific and will vary across QEMU versions and distributions, limiting direct reuse of the exploit without adaptation.
  • There is no external mitigation available to prevent this out-of-bounds heap memory access; patching to libslirp >= 4.1-1 (commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210) is the only fix.
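Added example, not code from this page or from the libslirp/QEMU projects: a small Python monitor that applies the detection heuristics above to raw IPv4 packets, flagging oversized first fragments and over-large same-IP-ID reassemblies from 10.0.2.15 to 10.0.2.2, plus 0xffff-checksum ICMP echo replies toward the guest. The 1500-byte first-fragment threshold and the constructed test packets (IP header checksum left zero) are assumptions; the 12000-byte threshold and the 10.0.2.x addresses come from the bullets.

```python
import struct
from collections import defaultdict

# Addresses and protocol constants taken from the advisory text above.
SLIRP_GUEST, SLIRP_GW = "10.0.2.15", "10.0.2.2"
ICMP, IP_MF, IP_OFFMASK = 1, 0x2000, 0x1FFF
FIRST_FRAG_MAX = 1500    # assumed "normal MTU bound" for a first fragment's tot_len
REASSEMBLED_MAX = 12000  # reconstructed-size threshold quoted from the exploit description

def parse_ipv4(pkt):
    """Decode the fixed IPv4 header of a raw IP packet (no Ethernet header)."""
    ver_ihl, _, tot_len, ip_id, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"tot_len": tot_len, "id": ip_id, "mf": bool(frag & IP_MF), "off": (frag & IP_OFFMASK) * 8,
            "proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[(ver_ihl & 0x0F) * 4:]}

class SlirpFragMonitor:
    """Stateful checks for the guest-to-gateway fragment patterns described above."""
    def __init__(self):
        self.reassembled = defaultdict(int)  # (src, ip_id) -> payload bytes seen so far

    def check(self, pkt):
        h, alerts = parse_ipv4(pkt), []
        if h["src"] == SLIRP_GUEST and h["dst"] == SLIRP_GW and h["proto"] == ICMP:
            # First fragment (MF set, offset 0) whose tot_len exceeds a sane first-fragment size.
            if h["mf"] and h["off"] == 0 and h["tot_len"] > FIRST_FRAG_MAX:
                alerts.append("oversized-first-fragment")
            # Fragments sharing one IP ID from the guest accumulating past the 12000-byte mark.
            if h["mf"] or h["off"]:
                key = (h["src"], h["id"])
                self.reassembled[key] += len(h["payload"])
                if self.reassembled[key] > REASSEMBLED_MAX:
                    alerts.append("oversized-reassembly")
        # Echo reply toward the guest carrying the 0xffff checksum noted as a side channel.
        if h["proto"] == ICMP and h["dst"] == SLIRP_GUEST and len(h["payload"]) >= 4:
            icmp_type, _, csum = struct.unpack("!BBH", h["payload"][:4])
            if icmp_type == 0 and csum == 0xFFFF:
                alerts.append("icmp-echo-reply-csum-ffff")
        return alerts

def make_packet(src, dst, ip_id, mf, off, payload):
    """Build a constructed IPv4/ICMP packet for testing; the header checksum is left zero."""
    flags = (IP_MF if mf else 0) | (off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, flags, 64, ICMP, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload
```

Feed packets captured on the SLiRP side (IP layer only) into one SlirpFragMonitor per guest; each call returns the list of heuristics that fired for that packet.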

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
osv                       8.8     HIGH
vendor_debian             8.8     HIGH
vendor_redhat             8.8     HIGH
vendor_ubuntu             3.8     LOW