CVE-2022-26354 : A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid

A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.

Published 2022-03-16 15:15:17

Updated 2023-02-12 22:15:26

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2022-26354

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Qemu » Qemu
Versions up to, including, (<=) 6.2.0
cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-26354

EPSS FAQ

0.01%

Probability of exploitation activity in the next 30 days EPSS Score History

~ %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-26354

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:N/I:N/A:P	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
3.2	LOW	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L	1.5	1.4	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Changed Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2022-26354

CWE-772 Missing Release of Resource after Effective Lifetime

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
Assigned by:
- nvd@nist.gov (Secondary)
- secalert@redhat.com (Primary)

References for CVE-2022-26354

https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html

[SECURITY] [DLA 3099-1] qemu security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf

vhost-vsock: detach the virqueue element in case of error (8d1b247f) · Commits · QEMU / QEMU · GitLab
Patch;Third Party Advisory
https://www.debian.org/security/2022/dsa-5133

Debian -- Security Information -- DSA-5133-1 qemu
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2022/04/msg00002.html

[SECURITY] [DLA 2970-1] qemu security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20220425-0003/

March 2022 QEMU Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202208-27

QEMU: Multiple Vulnerabilities (GLSA 202208-27) — Gentoo security
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-26354

Products affected by CVE-2022-26354

Exploit prediction scoring system (EPSS) score for CVE-2022-26354

CVSS scores for CVE-2022-26354

CWE ids for CVE-2022-26354

References for CVE-2022-26354