Alpine: multiple qemu packages: security update to 6.1.0-r0

high Tenable Cloud Security Plugin ID 406792

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs
when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A
malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,
resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the
host. (CVE-2021-3682)

- A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in
versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function
while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the
host, resulting in a denial of service. The highest threat from this vulnerability is to system
availability. (CVE-2020-35503)

- A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could
occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the
floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on
the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

- Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions
up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-
gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)

- An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of
QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-
user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit
this issue to leak memory from the host. (CVE-2021-3545)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-35503

https://security.alpinelinux.org/vuln/CVE-2021-3507

https://security.alpinelinux.org/vuln/CVE-2021-3544

https://security.alpinelinux.org/vuln/CVE-2021-3545

https://security.alpinelinux.org/vuln/CVE-2021-3546

https://security.alpinelinux.org/vuln/CVE-2021-3682

Plugin Details

Severity: High

ID: 406792

Version: Revision 1.29

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.11

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-3682

CVSS v3

Risk Factor: High

Base Score: 8.5

Temporal Score: 7.6

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/6/2021

Reference Information

CVE: CVE-2020-35503, CVE-2021-3507, CVE-2021-3544, CVE-2021-3545, CVE-2021-3546, CVE-2021-3682