CVE-2022-2962 : A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tul

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

Published 2022-09-13 20:15:10

Updated 2025-04-23 18:15:49

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2022-2962

Qemu » Qemu
Versions from including (>=) 4.2.0 and up to, including, (<=) 7.1.0
cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-2962

EPSS FAQ

0.02%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 3 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-2962

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-04-23
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-2962

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

Assigned by: secalert@redhat.com (Secondary)
CWE-662 Improper Synchronization

The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.

Assigned by: nvd@nist.gov (Primary)
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-2962

https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182

net: tulip: Restrict DMA engine to memories (36a894ae) · Commits · QEMU / QEMU · GitLab
Patch;Third Party Advisory
https://gitlab.com/qemu-project/qemu/-/issues/1171

tulip: DMA reentrancy issue leads to stack overflow (CVE-2022-2962) (#1171) · Issues · QEMU / QEMU · GitLab
Exploit;Issue Tracking;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-2962

Products affected by CVE-2022-2962

Exploit prediction scoring system (EPSS) score for CVE-2022-2962

CVSS scores for CVE-2022-2962

CWE ids for CVE-2022-2962

References for CVE-2022-2962