CVE-2019-20382
First published: Tue Sep 17 2019(Updated: )
A memory leakage flaw was found in the way the VNC display driver of QEMU handled the connection disconnect when ZRLE and Tight encoding are enabled. Two VncState objects are created, and one allocates memory for the Zlib's data object. This allocated memory is not freed upon disconnection, resulting in a memory leak. An attacker able to connect to the VNC server could use this flaw to leak host memory, leading to a potential denial of service.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/qemu-kvm | <10:1.5.3-175.el7 | 10:1.5.3-175.el7 |
| redhat/qemu-kvm-ma | <10:2.12.0-48.el7 | 10:2.12.0-48.el7 |
| redhat/qemu-kvm-rhev | <10:2.12.0-48.el7_9.1 | 10:2.12.0-48.el7_9.1 |
| redhat/qemu-kvm-rhev | <10:2.12.0-18.el7_6.12 | 10:2.12.0-18.el7_6.12 |
| redhat/qemu-kvm-rhev | <10:2.12.0-48.el7 | 10:2.12.0-48.el7 |
| redhat/qemu | <4.2.0 | 4.2.0 |
| debian/qemu | 1:5.2+dfsg-11+deb11u3 1:5.2+dfsg-11+deb11u2 1:7.2+dfsg-7+deb12u12 1:9.2.0+ds-2 1:9.2.0+ds-5 | |
| QEMU KVM | =4.1.0 | |
| openSUSE | =15.1 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =19.10 | |
| Ubuntu Linux | =20.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-20382 https://nvd.nist.gov/vuln/detail/CVE-2019-20382 https://www.openwall.com/lists/oss-security/2020/03/05/1
- https://bugzilla.redhat.com/show_bug.cgi?id=1810390
- https://access.redhat.com/errata/RHSA-2020:3906
- https://access.redhat.com/errata/RHSA-2020:3907
- https://access.redhat.com/errata/RHSA-2020:2774
- https://access.redhat.com/errata/RHSA-2020:4167
- https://access.redhat.com/errata/RHSA-2020:3267
- https://access.redhat.com/security/cve/cve-2019-20382
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00007.html
- http://www.openwall.com/lists/oss-security/2020/03/05/1
- https://git.qemu.org/?p=qemu.git;a=commit;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0
- https://lists.debian.org/debian-lts-announce/2020/07/msg00020.html
- https://usn.ubuntu.com/4372-1/
- https://www.debian.org/security/2020/dsa-4665
- https://launchpad.net/bugs/cve/CVE-2019-20382
- https://git.qemu.org/?p=qemu.git;a=commitdiff;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1810391
- https://www.openwall.com/lists/oss-security/2020/03/05/1
- https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0
- https://security-tracker.debian.org/tracker/CVE-2019-20382
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20382
- https://nvd.nist.gov/vuln/detail/CVE-2019-20382
- https://ubuntu.com/security/CVE-2019-20382
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-20382?
CVE-2019-20382 is a vulnerability found in QEMU 4.1.0 that leads to a memory leak in the VNC display driver when ZRLE and Tight encoding are enabled.
What is the severity of CVE-2019-20382?
The severity of CVE-2019-20382 is low, with a CVSS score of 3.5.
How can I fix CVE-2019-20382?
To fix CVE-2019-20382, you should update to QEMU version 4.2.0 or later.
Where can I find more information about CVE-2019-20382?
You can find more information about CVE-2019-20382 in the references provided: [link1], [link2], [link3].
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/remedy
- agent/weakness
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-20382
- agent/software-canonical-lookup
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/references
- collector/usn-cve
- source/Ubuntu
- agent/event
- agent/description
- agent/trending
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/qemu
- canonical/qemu kvm
- version/qemu kvm/4.1.0
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/19.10
- version/ubuntu linux/20.04