CVE-2022-26354

low

Description

A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.

References

https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf

https://lists.debian.org/debian-lts-announce/2022/04/msg00002.html

https://security.netapp.com/advisory/ntap-20220425-0003/

https://www.debian.org/security/2022/dsa-5133

https://security.gentoo.org/glsa/202208-27

https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html

Details

Source: MITRE

Published: 2022-03-16

Updated: 2023-02-12

Type: CWE-772

Risk Information

CVSS v2

Base Score: 2.1

Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 3.9

Severity: LOW

CVSS v3

Base Score: 3.2

Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

Impact Score: 1.4

Exploitability Score: 1.5

Severity: LOW