| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Arbitrary code execution |
|
| Description |
| + |
A security issue was found in the USB redirector device emulation of QEMU. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. |
|
| References |
| + |
https://bugzilla.redhat.com/show_bug.cgi?id=1989651 |
| + |
https://gitlab.com/qemu-project/qemu/-/issues/491 |
| + |
https://gitlab.com/qemu-project/qemu/-/commit/5e796671e6b8d5de4b0b423dce1b3eba144a92c9 |
|