What is the vulnerability ID for this issue?

The vulnerability ID for this issue is CVE-2022-3165.

What is the severity of CVE-2022-3165?

The severity of CVE-2022-3165 is medium with a CVSS score of 6.5.

What is the affected software for CVE-2022-3165?

The affected software for CVE-2022-3165 includes QEMU versions up to 7.1.0, Ubuntu QEMU versions 1:6.2+dfsg-2ubuntu6.6 and 1:7.0+dfsg-7ubuntu2.1, Red Hat QEMU version 7.2.0, Fedora versions 36 and 37, and Debian QEMU versions 1:3.1+dfsg-8+deb10u8, 1:3.1+dfsg-8+deb10u11, 1:5.2+dfsg-11+deb11u3, 1:5.2+dfsg-11+deb11u2, 1:7.2+dfsg-7+deb12u2, and 1:8.1.2+ds-1.

How can a malicious client exploit CVE-2022-3165?

A malicious client can exploit CVE-2022-3165 by sending a specially crafted payload message to the QEMU VNC server while processing ClientCutText messages in the extended format.

What is the remedy for CVE-2022-3165?

The remedy for CVE-2022-3165 is to update QEMU to the recommended versions: Ubuntu QEMU 1:6.2+dfsg-2ubuntu6.6 or 1:7.0+dfsg-7ubuntu2.1, Red Hat QEMU 7.2.0, or Debian QEMU 1:3.1+dfsg-8+deb10u8, 1:3.1+dfsg-8+deb10u11, 1:5.2+dfsg-11+deb11u3, 1:5.2+dfsg-11+deb11u2, 1:7.2+dfsg-7+deb12u2, or 1:8.1.2+ds-1.

Vulnerability/
CVE-2022-3165

medium

6.5

CWE

191

26/9/2022

17/10/2022

21/11/2024

CVE-2022-3165: Integer Underflow

First published: Mon Sep 26 2022(Updated: )

An integer underflow issue was found in the QEMU VNC server while proc ...

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/qemu	<7.2.0	7.2.0
QEMU	>=6.1.0<=7.1.0
Fedora	=36
Fedora	=37
debian/qemu		1:5.2+dfsg-11+deb11u3 1:5.2+dfsg-11+deb11u2 1:7.2+dfsg-7+deb12u12 1:9.2.1+ds-1

Remedy

https://gitlab.com/qemu-project/qemu/-/commit/d307040b18

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2022-3165.
What is the severity of CVE-2022-3165?
The severity of CVE-2022-3165 is medium with a CVSS score of 6.5.
What is the affected software for CVE-2022-3165?
The affected software for CVE-2022-3165 includes QEMU versions up to 7.1.0, Ubuntu QEMU versions 1:6.2+dfsg-2ubuntu6.6 and 1:7.0+dfsg-7ubuntu2.1, Red Hat QEMU version 7.2.0, Fedora versions 36 and 37, and Debian QEMU versions 1:3.1+dfsg-8+deb10u8, 1:3.1+dfsg-8+deb10u11, 1:5.2+dfsg-11+deb11u3, 1:5.2+dfsg-11+deb11u2, 1:7.2+dfsg-7+deb12u2, and 1:8.1.2+ds-1.
How can a malicious client exploit CVE-2022-3165?
A malicious client can exploit CVE-2022-3165 by sending a specially crafted payload message to the QEMU VNC server while processing ClientCutText messages in the extended format.
What is the remedy for CVE-2022-3165?
The remedy for CVE-2022-3165 is to update QEMU to the recommended versions: Ubuntu QEMU 1:6.2+dfsg-2ubuntu6.6 or 1:7.0+dfsg-7ubuntu2.1, Red Hat QEMU 7.2.0, or Debian QEMU 1:3.1+dfsg-8+deb10u8, 1:3.1+dfsg-8+deb10u11, 1:5.2+dfsg-11+deb11u3, 1:5.2+dfsg-11+deb11u2, 1:7.2+dfsg-7+deb12u2, or 1:8.1.2+ds-1.

agent/type
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2022-3165
agent/software-canonical-lookup
agent/weakness
agent/severity
collector/mitre-cve
source/MITRE
collector/usn-cve
source/Ubuntu
agent/remedy
agent/last-modified-date
agent/references
agent/trending
agent/source
agent/author
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-cve
source/NVD
agent/description
agent/softwarecombine
agent/tags
agent/event
collector/security-tracker-debian
source/Debian
package-manager/redhat
vendor/qemu
canonical/qemu
version/qemu/6.1.0
version/qemu/7.1.0
vendor/fedoraproject
canonical/fedora
version/fedora/36
version/fedora/37
package-manager/debian