CVE-2023-1544

EPSS 0.05%
Published 23.03.2023 20:15:14
Last modified 21.11.2024 07:39:24
Source patrick@puiterwijk.org
Teams watchlist Login
Open Login

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.

Affected products Warnungen 0 Metrics 3 CWE 2 References 7

Data is provided by the National Vulnerability Database (NVD)

Qemu ≫ Qemu Version <= 7.2.0

Fedoraproject ≫ Fedora Version37

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.139

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.3	1.8	4	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
patrick@puiterwijk.org	6	1.5	4	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://access.redhat.com/security/cve/CVE-2023-1544

https://bugzilla.redhat.com/show_bug.cgi?id=2180364

Patch

Vendor Advisory

Mailing List

Issue Tracking

https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html

Patch

Third Party Advisory

Mailing List

https://security.netapp.com/advisory/ntap-20230511-0005/

https://nvd.nist.gov/vuln/detail/CVE-2023-1544

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-1544

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-1544

EUVD