CVE-2019-9824 — Use of Uninitialized Resource in Qemu

CWE-908 — Use of Uninitialized Resource CWE-200 — Sensitive Information Exposure9 documents7 sources

Severity

5.5MEDIUMNVD

OSV5.6

EPSS

0.1%

top 71.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu Debian Slirp4netns

Timeline

PublishedJun 3

Latest updateMay 24

Description

tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/slirp4netns< qemu 1:3.1+dfsg-6 (bookworm)

▶debiandebian/qemu< qemu 1:3.1+dfsg-6 (bookworm)

▶Debianqemu/qemu< 1:3.1+dfsg-6+3

▶Ubuntuqemu/qemu< 2.0.0+dfsg-2ubuntu1.46+2

▶NVDqemu/qemu3.0.0

Patches

Patch: lists.gnu.org ↗Patch: lists.gnu.org ↗

🔴Vulnerability Details

GHSA

GHSA-hx33-mww2-6mf5: tcp_emu in slirp/tcp_subr↗2022-05-24

▶

OSV

CVE-2019-9824: tcp_emu in slirp/tcp_subr↗2019-06-03

▶

OSV

qemu update↗2019-05-14

▶

📋Vendor Advisories

Ubuntu

QEMU update↗2019-05-14

▶

Red Hat

QEMU: slirp: information leakage in tcp_emu() due to uninitialized stack variables↗2019-03-01

▶

Debian

CVE-2019-9824: qemu - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninit...↗2019

▶

💬Community

Bugzilla

CVE-2019-9824 qemu: Slirp: information leakage in tcp_emu() due to uninitialized stack variables [fedora-all]↗2019-03-18

▶

Bugzilla

CVE-2019-9824 QEMU: slirp: information leakage in tcp_emu() due to uninitialized stack variables↗2019-02-19

▶