CVE-2021-3545 — Use of Uninitialized Resource in Qemu

CWE-908 — Use of Uninitialized Resource CWE-200 — Sensitive Information Exposure10 documents7 sources

Severity

6.5MEDIUMNVD

OSV2.3

EPSS

0.1%

top 69.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu Debian Linux +1 more

Timeline

PublishedJun 2

Latest updateMay 24

Description

An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 2.0 | Impact: 4.0

Affected Packages6 packages

▶debiandebian/qemu< qemu 1:6.1+dfsg-1 (bookworm)

▶Debianqemu/qemu< 1:5.2+dfsg-11+deb11u1+3

▶Ubuntuqemu/qemu< 1:2.11+dfsg-1ubuntu7.37+3

▶NVDqemu/qemu6.0.0

▶CVEListV5qemu/qemuAll QEMU versions up to and including 6.0

Also affects: Debian Linux 11.0

🔴Vulnerability Details

GHSA

GHSA-gx4q-vxgq-4299: An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6↗2022-05-24

▶

OSV

qemu vulnerabilities↗2022-02-28

▶

OSV

qemu vulnerabilities↗2021-07-15

▶

OSV

CVE-2021-3545: An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6↗2021-06-02

▶

📋Vendor Advisories

Ubuntu

QEMU vulnerabilities↗2022-02-28

▶

Ubuntu

QEMU vulnerabilities↗2021-07-15

▶

Microsoft

▶

Red Hat

QEMU: vhost-user-gpu: information disclosure due to uninitialized memory read↗2021-05-04

▶

Debian

CVE-2021-3545: qemu - An information disclosure vulnerability was found in the virtio vhost-user GPU d...↗2021

▶