CVE-2021-3544: Missing Release of Memory after Effective Lifetime in QEMU

Severity
NVD: 6.5 MEDIUM
OSV: 2.3
EPSS: 0.0% (top 90.79%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Jun 2
Latest update: May 24

Description

Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Exploitability: 2.0 | Impact: 4.0

Affected Packages (6 packages)

Source | Package | Affected versions
debian | debian/qemu | < qemu 1:6.1+dfsg-1 (bookworm)
Debian | qemu/qemu | < 1:5.2+dfsg-11+deb11u1+3
Ubuntu | qemu/qemu | < 1:2.11+dfsg-1ubuntu7.37+3
NVD | qemu/qemu | 6.0.0
CVEListV5 | qemu/qemu | All QEMU versions up to and including 6.0

Also affects: Debian Linux 11.0

Vulnerability Details (4)

GHSA | GHSA-vx69-74f2-j536: Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6 | 2022-05-24
OSV | qemu vulnerabilities | 2022-02-28
OSV | qemu vulnerabilities | 2021-07-15
OSV | CVE-2021-3544: Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6 | 2021-06-02

Vendor Advisories (5)

Ubuntu | QEMU vulnerabilities | 2022-02-28
Ubuntu | QEMU vulnerabilities | 2021-07-15
Microsoft | Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhos | 2021-06-08
Red Hat | QEMU: vhost-user-gpu: multiple memory leaks | 2021-05-04
Debian | CVE-2021-3544: qemu - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-... | 2021