CVE-2021-4207 : A flaw was found in the QXL display device emulation in QEMU. A double fetch of

A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.

Published 2022-04-29 17:15:20

Updated 2022-11-29 16:21:33

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

Products affected by CVE-2021-4207

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0 Advanced Virtualization Edition
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:-:*:*:*
Matching versions
Qemu » Qemu
Versions before (<) 7.0.0
cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-4207

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 6 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-4207

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.6	MEDIUM	AV:L/AC:L/Au:N/C:P/I:P/A:P	3.9	6.4	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.2	HIGH	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H	1.5	6.0	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-4207

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2021-4207

https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html

[SECURITY] [DLA 3099-1] qemu security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2022/dsa-5133

Debian -- Security Information -- DSA-5133-1 qemu
Third Party Advisory

CVEs referencing this url
https://starlabs.sg/advisories/21-4207/

STAR Labs | Advisories | QEMU QXL Integer overflow leads to Heap Overflow
Exploit;Third Party Advisory
https://security.gentoo.org/glsa/202208-27

QEMU: Multiple Vulnerabilities (GLSA 202208-27) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=2036966

2036966 – (CVE-2021-4207) CVE-2021-4207 QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow
Issue Tracking;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-4207

Products affected by CVE-2021-4207

Exploit prediction scoring system (EPSS) score for CVE-2021-4207

CVSS scores for CVE-2021-4207

CWE ids for CVE-2021-4207

References for CVE-2021-4207