CVE-2022-26354 — Missing Release of Resource after Effective Lifetime in Qemu

CWE-772 — Missing Release of Resource after Effective Lifetime8 documents7 sources

Severity

3.2LOWNVD

OSV6.1

EPSS

0.0%

top 98.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu Debian Linux +9 more

Timeline

PublishedMar 16

Latest updateJun 21

Description

A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:LExploitability: 1.5 | Impact: 1.4

Affected Packages13 packages

▶debiandebian/qemu< qemu 1:7.0+dfsg-1 (bookworm)

▶Debianqemu/qemu< 1:5.2+dfsg-11+deb11u2+3

▶Ubuntuqemu/qemu< 1:2.11+dfsg-1ubuntu7.40+2

▶NVDqemu/qemu6.2.0

▶msrcmsrc/cbl2_qemu_6.2.0-2_on_cbl_mariner_2.0

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

OSV

qemu vulnerabilities↗2022-06-21

▶

GHSA

GHSA-jmf2-6wvc-36fj: A flaw was found in the vhost-vsock device of QEMU↗2022-03-17

▶

OSV

CVE-2022-26354: A flaw was found in the vhost-vsock device of QEMU↗2022-03-16

▶

📋Vendor Advisories

Ubuntu

QEMU vulnerabilities↗2022-06-21

▶

Microsoft

A flaw was found in the vhost-vsock device of QEMU. In case of error an invalid element was not detached from the virtqueue before freeing its memory leading to memory leakage and other unexpected res↗2022-03-08

▶

Red Hat

QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak↗2022-02-28

▶

Debian

CVE-2022-26354: qemu - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid...↗2022

▶