CVE-2022-26354

Published: Mar 16, 2022Modified: Nov 21, 2024

3.2

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

Exploitability: 1.5 / Impact: 1.4

Source: NVD

Description

A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.

Affected (3)

Products: Qemu: Qemu · Debian: Debian Linux

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Qemu Qemu	Up to 6.2.0

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Related CWEs

CWE-772

Missing Release of Resource after Effective Lifetime

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

References (12)

https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf

Source: secalert@redhat.com

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/04/msg00002.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202208-27

Source: secalert@redhat.com

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220425-0003/

Source: secalert@redhat.com

Third Party Advisory

https://www.debian.org/security/2022/dsa-5133

Source: secalert@redhat.com

Third Party Advisory

https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf