CVE-2022-2962

2022-09-1320:15:09

Google

osv.dev

cve-2022-2962

qemu

tulip

dma reentrancy

mmio

denial of service

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.0005 Low

EPSS

Percentile

18.0%

JSON

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn’t check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

CPENameOperatorVersion
qemueq2.11.0-rc4
qemueq2.8.0-rc4
qemueq0.1.3
qemueq4.1.0-rc2
qemueq5.0.0-rc0
qemueq5.1.0-rc0
qemueq2.11.0-rc0
qemueq6.0.0-rc1
qemueq1.4.0-rc0
qemueq1.6.0-rc2