First published: Thu Feb 18 2021
An infinite loop flaw was found in the e1000 NIC emulator of QEMU. The issue occurs while processing transmit (tx) descriptors in `process_tx_desc` when various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
QEMU qemu | <6.2.0 | |
Fedoraproject Fedora | =33 | |
Redhat Openstack Platform | =10.0 | |
Redhat Openstack Platform | =13.0 | |
Redhat Enterprise Linux | =6.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux For Ibm Z Systems | =8.0 | |
Redhat Enterprise Linux For Power Little Endian | =8.0 | |
Redhat Codeready Linux Builder | | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux For Ibm Z Systems | =8.0 | |
Redhat Enterprise Linux For Power Little Endian | =8.0 | |
Debian Debian Linux | =10.0 | |
All of | | |
Redhat Codeready Linux Builder | | |
Any of | | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux For Ibm Z Systems | =8.0 | |
Redhat Enterprise Linux For Power Little Endian | =8.0 | |
debian/qemu | 1:5.2+dfsg-11+deb11u3 1:5.2+dfsg-11+deb11u2 1:7.2+dfsg-7+deb12u7 1:9.1.1+ds-2 1:9.1.1+ds-4 | |
CVE-2021-20257 is an infinite loop flaw in the e1000 NIC emulator of QEMU, which allows a guest to consume CPU cycles on the host, resulting in a denial of service.
QEMU, Fedora, Redhat Openstack Platform, Redhat Enterprise Linux, Redhat Codeready Linux Builder, and Debian Linux are affected by CVE-2021-20257.
CVE-2021-20257 has a severity rating of medium (6.5).
To fix CVE-2021-20257 in Ubuntu, update the 'qemu' package to version 2.11+dfsg-1ubuntu7.37 (for Bionic), 4.2-3ubuntu6.17 (for Focal), or 5.0-5ubuntu9.9 (for Groovy).
To fix CVE-2021-20257 in Debian, update the 'qemu' package to version 3.1+dfsg-8+deb10u11, 5.2+dfsg-11+deb11u3, 5.2+dfsg-11+deb11u2, 7.2+dfsg-7+deb12u2, or 8.1.2+ds-1.