First published: Sun Jun 18 2023
A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
QEMU qemu | <=8.0.3 | |
Red Hat Enterprise Linux | =8.0 | |
Red Hat Enterprise Linux | =9.0 | |
redhat/qemu | <8.1.0 | 8.1.0 |
ubuntu/qemu | <1:8.0.3+dfsg-1 | 1:8.0.3+dfsg-1 |
ubuntu/qemu | <1:6.2+dfsg-2ubuntu6.16 | 1:6.2+dfsg-2ubuntu6.16 |
ubuntu/qemu | <1:7.2+dfsg-5ubuntu2.4 | 1:7.2+dfsg-5ubuntu2.4 |
debian/qemu | 1:3.1+dfsg-8+deb10u8 1:3.1+dfsg-8+deb10u12 1:5.2+dfsg-11+deb11u3 1:8.2.1+ds-2 1:8.2.2+ds-2 |
The vulnerability ID for this flaw is CVE-2023-3301.
The severity of CVE-2023-3301 is medium with a CVSS score of 5.6.
This flaw in QEMU can be exploited by a malicious guest to cause a denial of service.
QEMU versions 8.0.3 up to, but excluding, 8.1.0 are affected. Red Hat Enterprise Linux 8.0 and 9.0 are also affected.
A fix is available for CVE-2023-3301. It is recommended to update to version 8.1.0 of QEMU to mitigate the vulnerability.