CVE-2021-3748 log

Severity Medium
Remote No
Type Arbitrary code execution
OSS-Fuzz found a use-after-free vulnerability in virtio-net. It occurs in the iov_from_buf_full function under these conditions:

1) the (malicious) driver tries to add a non direct memory region as the buffer address
2) then memory core needs to use the bounce buffer
3) virtio-net tries to set the num_buffers *after* the iov is unmapped (bounce buffer is freed)

A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.
Group Package Affected Fixed Severity Status Ticket
AVG-1898 qemu 6.1.0-5 Medium Unknown