CVE Vulnerability

CVE-2022-4172

An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2 / Impact : 4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://gitlab.com/qemu-project/qemu/-/commit/defb7098 Patch Third Party Advisory
https://gitlab.com/qemu-project/qemu/-/issues/1268 Exploit Issue Tracking
https://lore.kernel.org/qemu-devel/20221024154233.1043347-1-lk@c--e.de/ Patch Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I7J5IRXJYLELW7D43A75LOWRUE5EU54O/ Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20230127-0013/ Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:qemu:qemu:7.0.0:-:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Information

Published : 2022-11-29 06:15

Updated : 2023-02-01 04:02

NVD link : CVE-2022-4172

Mitre link : CVE-2022-4172

Products Affected
No products.
CWE
CWE-120

CWE-190