JFrog Security Research

XRAY-520621 - QEMU Heap overflow VM escape

CVE-2023-1601 | CVSS 7.5

JFrog Severity: medium

Discovered by Yair Mizrahi of the JFrog Security Research Team

Published 23 May, 2023 | Last updated 23 May, 2023

A heap overflow in QEMU can allow an authenticated network attacker to perform a VM escape


QEMU (,8.0.0], no fixed release

The fix for the CVE-2021-4206 integer overflow was incomplete. The function cursor_alloc() in ui/cursor.c computes the buffer size before allocating it:

size_t datasize = width * height * sizeof(uint32_t);

width and height are signed integers, but their product is converted to size_t (an unsigned type). By supplying very large negative values, datasize can be made to wrap to 0 or a very small number. Negative values also bypass the sanity check, if (width > 512 || height > 512), which only rejects values larger than 512.

This can lead to a heap buffer overflow. A malicious privileged guest user could exploit this flaw to crash the QEMU process or execute arbitrary code on the host in the context of the QEMU process.
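The following is an added example, not QEMU's code and not from the advisory: it models the size calculation in the order described above (signed product, conversion to size_t, then a check that only rejects values above 512) next to a hardened version that validates both bounds on the signed values before doing any arithmetic. The cursor_hdr struct and the function names are constructed assumptions used to show why a wrapped size_t ends up as an undersized heap request once a fixed header is added to it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bound from the sanity check quoted in the advisory. */
#define CURSOR_MAX_DIM 512

/* Stand-in for a fixed header that precedes the pixel data in the allocation.
 * The field layout is a constructed assumption for this example, not QEMU's struct. */
struct cursor_hdr {
    int width, height;
    int hot_x, hot_y;
    int refcount;
};

/* Size calculation in the order the advisory describes: datasize is derived from
 * the signed ints first, and the check afterwards only rejects values above 512,
 * so non-positive dimensions slip through. Returns 1 if the input passes the check
 * (writing the computed datasize), 0 if it is rejected. Illustrative, not QEMU code. */
int vulnerable_cursor_size(int width, int height, size_t *datasize)
{
    /* int product, then converted to size_t when multiplied by sizeof() */
    size_t sz = width * height * sizeof(uint32_t);
    if (width > CURSOR_MAX_DIM || height > CURSOR_MAX_DIM) {
        return 0;
    }
    *datasize = sz;
    return 1;
}

/* Hardened version: reject non-positive and oversized dimensions before any
 * arithmetic, then multiply as size_t so no negative value is ever converted.
 * The 512 upper bound keeps the product far below SIZE_MAX, so the multiplication
 * itself cannot wrap. */
int hardened_cursor_size(int width, int height, size_t *datasize)
{
    if (width <= 0 || height <= 0 ||
        width > CURSOR_MAX_DIM || height > CURSOR_MAX_DIM) {
        return 0;
    }
    *datasize = (size_t)width * (size_t)height * sizeof(uint32_t);
    return 1;
}

/* Bytes an allocator would be asked for: header plus pixel data. With a wrapped
 * datasize the sum wraps too, so the request can be smaller than the header alone. */
size_t cursor_alloc_total(size_t datasize)
{
    return sizeof(struct cursor_hdr) + datasize;
}

int main(void)
{
    /* Constructed inputs: a sane cursor, an oversized one, and two that pass the
     * original check only because it never looks at the lower bound. */
    int cases[][2] = { {16, 16}, {513, 1}, {-1, 1}, {0, 64} };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int w = cases[i][0], h = cases[i][1];
        size_t sz = 0;
        int v = vulnerable_cursor_size(w, h, &sz);
        printf("vulnerable w=%4d h=%4d -> %s", w, h, v ? "accepted" : "rejected");
        if (v) {
            printf(", datasize=%zu, alloc=%zu", sz, cursor_alloc_total(sz));
        }
        printf("\n");
        int s = hardened_cursor_size(w, h, &sz);
        printf("hardened   w=%4d h=%4d -> %s", w, h, s ? "accepted" : "rejected");
        if (s) {
            printf(", datasize=%zu, alloc=%zu", sz, cursor_alloc_total(sz));
        }
        printf("\n");
    }
    return 0;
}
```

For width = -1 and height = 1 the first function accepts the input and produces a datasize of SIZE_MAX - 3; adding the 20-byte header wraps the total request to 16 bytes, fewer than the header itself, which is the undersized allocation that later writes overrun. The hardened function rejects the same input before any multiplication takes place.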

No PoC is supplied for this issue

No vulnerability mitigations are supplied for this issue

