CVE-2021-20196 — NULL Pointer Dereference in Qemu

CWE-476 — NULL Pointer Dereference7 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 88.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu Debian Linux

Timeline

PublishedMay 26

Latest updateMay 24

Description

A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:HExploitability: 2.0 | Impact: 4.0

Affected Packages5 packages

▶debiandebian/qemu< qemu 1:6.2+dfsg-1 (bookworm)

▶Debianqemu/qemu< 1:5.2+dfsg-11+deb11u3+3

▶Ubuntuqemu/qemu< 1:2.11+dfsg-1ubuntu7.39+1

▶CVEListV5qemu/qemuvulnerable up to (including) qemu 5.2.0

▶NVDqemu/qemu5.2.0

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: bugs.launchpad.net ↗Patch: www.openwall.com ↗Patch: bugs.launchpad.net ↗

🔴Vulnerability Details

GHSA

GHSA-ggpp-fxg5-wp87: A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU↗2022-05-24

▶

OSV

qemu vulnerabilities↗2022-02-28

▶

OSV

CVE-2021-20196: A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU↗2021-05-26

▶

📋Vendor Advisories

Ubuntu

QEMU vulnerabilities↗2022-02-28

▶

Red Hat

QEMU: block: fdc: null pointer dereference may lead to guest crash↗2021-01-23

▶

Debian

CVE-2021-20196: qemu - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. T...↗2021

▶