CVE-2022-4172

Exploit

EPSS 0.03%
Veröffentlicht 29.11.2022 18:15:10
Zuletzt bearbeitet 14.04.2025 18:15:25
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Qemu ≫ Qemu Version7.0.0 Update-

Fedoraproject ≫ Fedora Version37

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.057

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2	4	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	2	4	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7J5IRXJYLELW7D43A75LOWRUE5EU54O/

https://gitlab.com/qemu-project/qemu/-/commit/defb7098

Patch

Third Party Advisory

https://gitlab.com/qemu-project/qemu/-/issues/1268

Third Party Advisory

Exploit

Issue Tracking

https://lore.kernel.org/qemu-devel/20221024154233.1043347-1-lk%40c--e.de/

https://security.netapp.com/advisory/ntap-20230127-0013/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-4172

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-4172

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-4172

EUVD