CVE-2021-3750
HIGHQEMU < 7.0.0 - Use-After-Free via USB EHCI Controller DMA Reentrancy
Title source: llmDescription
A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
References (5)
Core 5
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1999073
Exploit, Third Party Advisory x_refsource_misc
https://gitlab.com/qemu-project/qemu/-/issues/541
Third Party Advisory x_refsource_misc
https://gitlab.com/qemu-project/qemu/-/issues/556
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220624-0003/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202208-27
Scores
CVSS v3
8.2
EPSS
0.0003
EPSS Percentile
8.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-416
Status
published
Products (2)
qemu/qemu
< 7.0.0
redhat/enterprise_linux
8.0 (2 CPE variants)
Published
May 02, 2022
Tracked Since
Feb 18, 2026