CVE-2022-2962Uncontrolled Resource Consumption in Qemu

CWE-400Uncontrolled Resource ConsumptionCWE-662Improper SynchronizationCWE-787Out-of-bounds Write8 documents7 sources
Severity
7.8HIGHNVD
OSV8.5
EPSS
0.0%
top 91.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
11
QemuDebian QemuMsrc Azl3 Qemu 6.2.0-18 ON Azure Linux 3.0+8 more
Timeline
PublishedSep 13
Latest updateDec 12

Description

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages14 packages

debiandebian/qemu< qemu 1:7.1+dfsg-2 (bookworm)
Debianqemu/qemu< 1:7.1+dfsg-2+2
Ubuntuqemu/qemu< 1:2.11+dfsg-1ubuntu7.41+4
NVDqemu/qemu4.2.07.1.0
CVEListV5qemu/qemuWill be fixed in QEMU 7.2.0-rc0

Patches

Patch: gitlab.comPatch: gitlab.com

🔴Vulnerability Details

3
OSV
qemu vulnerabilities2022-12-12
GHSA
GHSA-wmwv-5vwp-c54w: A DMA reentrancy issue was found in the Tulip device emulation in QEMU2022-09-14
OSV
CVE-2022-2962: A DMA reentrancy issue was found in the Tulip device emulation in QEMU2022-09-13

📋Vendor Advisories

4
Ubuntu
QEMU vulnerabilities2022-12-12
Microsoft
A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame it doesn't check whether the destination address is2022-09-13
Red Hat
QEMU: tulip: DMA reentrancy issue leads to stack or heap overflow2022-08-23
Debian
CVE-2022-2962: qemu - A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tul...2022