CVE-2022-26353 — Missing Release of Resource after Effective Lifetime in Qemu

CWE-772 — Missing Release of Resource after Effective Lifetime8 documents7 sources

Severity

7.5HIGHNVD

OSV6.1

EPSS

0.2%

top 52.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu Debian Linux +5 more

Timeline

PublishedMar 16

Latest updateJun 21

Description

A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages9 packages

▶debiandebian/qemu< qemu 1:7.0+dfsg-1 (bookworm)

▶Debianqemu/qemu< 1:5.2+dfsg-11+deb11u2+3

▶Ubuntuqemu/qemu< 1:2.11+dfsg-1ubuntu7.40+2

▶NVDqemu/qemu6.2.0

▶msrcmsrc/azl3_qemu_6.2.0-18_on_azure_linux_3.0

Also affects: Debian Linux 11.0

Patches

Patch: gitlab.com ↗Patch: lists.nongnu.org ↗Patch: gitlab.com ↗

🔴Vulnerability Details

OSV

qemu vulnerabilities↗2022-06-21

▶

GHSA

GHSA-xrwp-4qvv-59wr: A flaw was found in the virtio-net device of QEMU↗2022-03-17

▶

OSV

CVE-2022-26353: A flaw was found in the virtio-net device of QEMU↗2022-03-16

▶

📋Vendor Advisories

Ubuntu

QEMU vulnerabilities↗2022-06-21

▶

Microsoft

A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748 which forgot to unmap the cached virtqueue elements on error leading to memory ↗2022-03-08

▶

Red Hat

QEMU: virtio-net: map leaking on error during receive↗2022-03-08

▶

Debian

CVE-2022-26353: qemu - A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently i...↗2022

▶