Vulnerability Details : CVE-2020-27617
eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol.
Products affected by CVE-2020-27617
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:4.2.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-27617
- 0.28%: Probability of exploitation activity in the next 30 days
- ~68%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-27617
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P | 8.0 | 2.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2020-27617
- The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-27617
- http://www.openwall.com/lists/oss-security/2020/11/02/1
  oss-security - CVE-2020-27617 QEMU: net: an assert failure via eth_get_gso_type (Mailing List; Patch; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html
  [SECURITY] [DLA 3099-1] qemu security update (Mailing List; Third Party Advisory)
- https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg05731.html
  [PATCH v2] net: remove an assert call in eth_get_gso_type (Mailing List; Patch; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20201202-0002/
  November 2020 QEMU Vulnerabilities in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/11/msg00047.html
  [SECURITY] [DLA 2469-1] qemu security update (Mailing List; Third Party Advisory)