Public on 2023-05-18
Modified on 2023-05-18
This CVE exists because the fix for CVE-2021-4206 was incomplete. The cursor_alloc() function in QEMU still accepts a signed integer for both the cursor width and height. A specially crafted negative value makes the datasize computation wrap around, so the allocation that follows reserves 0 bytes for the cursor's pixel data; subsequent writes into that data region then overflow the heap buffer. A malicious privileged guest user (one able to program the emulated display device's cursor) could use this flaw to crash the QEMU process on the host, or potentially to execute arbitrary code within the context of the QEMU process.
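As an added illustration (example code written for this page, not QEMU's source or its patch), the following C program reproduces the size calculation the description refers to, using a stand-in QEMUCursor struct. It places a vulnerable allocator, which keeps the signed int interface and, as an assumption made here, only the 512-pixel upper-bound check from the CVE-2021-4206 fix, next to a hardened allocator that rejects non-positive and oversized dimensions before doing the size arithmetic in size_t. The struct layout, the helper names and the constructed inputs are the example's own.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for QEMU's QEMUCursor (constructed for this example): a small
 * header followed by a flexible array of 32-bit pixels. */
typedef struct {
    int width;
    int height;
    uint32_t data[];
} QEMUCursor;

/* Upper bound on each dimension; assumed here to be the only check the
 * earlier fix added, which is why negative values still get through. */
#define CURSOR_MAX_DIM 512

/* The vulnerable code multiplies two ints. Signed overflow is undefined in
 * C, but every mainstream target wraps in two's complement; this helper
 * reproduces that wraparound deliberately (and portably) for a 32-bit int. */
static int32_t wrapping_int_mul(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a * (uint32_t)b);
}

/* Pixel-buffer size the vulnerable path arrives at, mirroring
 *     datasize = width * height * sizeof(uint32_t);
 * int * int wraps first, then the (possibly negative) int is converted to
 * size_t before the multiply by 4. */
size_t vulnerable_datasize(int width, int height)
{
    int pixels = wrapping_int_mul(width, height);
    return (size_t)pixels * sizeof(uint32_t);
}

/* Total bytes handed to the allocator by the vulnerable path. Unsigned
 * addition wraps as well, so a huge datasize can become a tiny request. */
size_t vulnerable_alloc_bytes(int width, int height)
{
    return sizeof(QEMUCursor) + vulnerable_datasize(width, height);
}

/* Vulnerable shape: only the upper bound is checked, so negative dimensions
 * pass. If allocated is non-NULL it receives the size actually requested. */
QEMUCursor *cursor_alloc_vulnerable(int width, int height, size_t *allocated)
{
    if (width > CURSOR_MAX_DIM || height > CURSOR_MAX_DIM) {
        return NULL;
    }
    size_t total = vulnerable_alloc_bytes(width, height);
    QEMUCursor *c = calloc(1, total);
    if (c == NULL) {
        return NULL;
    }
    if (allocated) {
        *allocated = total;
    }
    /* If total < sizeof(*c) these two stores already overflow the block;
     * this example never calls the function with such inputs. */
    c->width = width;
    c->height = height;
    return c;
}

/* Hardened sizing (illustrative, not QEMU's patch): reject non-positive and
 * oversized dimensions before any arithmetic, then compute in size_t, where
 * 512 * 512 * 4 cannot overflow. Returns 0 for rejected input. */
size_t hardened_alloc_bytes(int width, int height)
{
    if (width <= 0 || height <= 0 ||
        width > CURSOR_MAX_DIM || height > CURSOR_MAX_DIM) {
        return 0;
    }
    return sizeof(QEMUCursor) + (size_t)width * (size_t)height * sizeof(uint32_t);
}

QEMUCursor *cursor_alloc_hardened(int width, int height, size_t *allocated)
{
    size_t total = hardened_alloc_bytes(width, height);
    if (total == 0) {
        return NULL;
    }
    QEMUCursor *c = calloc(1, total);
    if (c == NULL) {
        return NULL;
    }
    if (allocated) {
        *allocated = total;
    }
    c->width = width;
    c->height = height;
    return c;
}

int main(void)
{
    /* -2^30 * 4 = -2^32, which wraps to 0 in a 32-bit int: the cursor gets a
     * header and no pixel storage, yet width/height look like a real cursor. */
    int w = INT_MIN / 2, h = 4;
    size_t n = 0;
    QEMUCursor *c = cursor_alloc_vulnerable(w, h, &n);
    printf("vulnerable: width=%d height=%d datasize=%zu, allocated %zu bytes\n",
           w, h, vulnerable_datasize(w, h), n);
    free(c);

    /* -1 * 1 = -1, converted to size_t it is SIZE_MAX, times 4 is SIZE_MAX-3,
     * and adding the header wraps again to a request smaller than the header. */
    printf("vulnerable: width=-1 height=1 requests %zu bytes (header is %zu)\n",
           vulnerable_alloc_bytes(-1, 1), sizeof(QEMUCursor));

    printf("hardened: width=%d height=%d -> %s\n", w, h,
           cursor_alloc_hardened(w, h, NULL) ? "allocated" : "rejected");
    return 0;
}
```

Compile with a C compiler and run; the first line shows that width = INT_MIN/2 with height = 4 yields a datasize of 0, and the second shows that width = -1 wraps twice, so the request handed to the allocator is smaller than the cursor header itself. Both inputs go through the vulnerable allocator and are rejected by the hardened one before any arithmetic takes place.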
Important severity
CVSS v3 Base Score: 7.5

Affected Packages

Platform               Package   Release Date  Advisory  Status
Amazon Linux 1         qemu-kvm  -             -         Not Affected
Amazon Linux 2 - Core  qemu-kvm  -             -         Not Affected

CVSS Scores

Score Type           Score  Vector
Amazon Linux CVSSv3  7.5    CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H