CVE-2019-20382 — Missing Release of Memory after Effective Lifetime in Qemu

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-772 — Missing Release of Resource after Effective Lifetime12 documents7 sources

Severity

3.5LOWNVD

OSV5.8

EPSS

0.0%

top 86.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu Canonical Ubuntu Linux +2 more

Timeline

PublishedMar 5

Latest updateNov 8

Description

QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.1 | Impact: 1.4

Affected Packages5 packages

▶debiandebian/qemu< qemu 1:4.2-1 (bookworm)

▶Debianqemu/qemu< 1:4.2-1+3

▶Ubuntuqemu/qemu< 1:2.5+dfsg-5ubuntu10.44+8

▶NVDqemu/qemu4.1.0

▶NVDopensuse/leap15.1

Also affects: Debian Linux 10.0, 9.0, Ubuntu Linux 16.04, 18.04, 19.10, 20.04

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

qemu vulnerabilities↗2024-11-08

▶

GHSA

GHSA-gg7h-8w45-pgpg: QEMU 4↗2022-05-24

▶

OSV

qemu vulnerabilities↗2020-05-21

▶

OSV

CVE-2019-20382: QEMU 4↗2020-03-05

▶

📋Vendor Advisories

Ubuntu

QEMU vulnerabilities↗2024-11-08

▶

Ubuntu

QEMU vulnerabilities↗2020-05-21

▶

Red Hat

QEMU: vnc: memory leakage upon disconnect↗2019-09-17

▶

Debian

CVE-2019-20382: qemu - QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a...↗2019

▶

💬Community

Bugzilla

CVE-2019-20382 QEMU: vnc: memory leakage upon disconnect↗2020-03-05

▶

Bugzilla

CVE-2019-20382 qemu: vnc: memory leakage upon disconnect [fedora-all]↗2020-03-05

▶

Bugzilla

CVE-2019-20382 virt:8.1/qemu-kvm: QEMU: vnc: memory leakage upon disconnect [rhel-av-8]↗2020-01-07

▶