CVE-2021-3929

HIGH

QEMU < 7.0.0 - Use-After-Free in NVME Controller Emulation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-3929. PoCs published by QiuhaoLi.

AI-analyzed exploit summary This repository contains a functional VM escape PoC for CVE-2021-3929 and CVE-2021-3947, targeting QEMU's NVMe and HDA emulation. The exploit leverages memory corruption to leak host addresses and achieve arbitrary code execution on the host system.

Description

A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.

Exploits (1)

nomisec WORKING POC 171 stars
by QiuhaoLi · poc
https://github.com/QiuhaoLi/CVE-2021-3929-3947

This repository contains a functional VM escape PoC for CVE-2021-3929 and CVE-2021-3947, targeting QEMU's NVMe and HDA emulation. The exploit leverages memory corruption to leak host addresses and achieve arbitrary code execution on the host system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: QEMU 6.1.0
No auth needed
Prerequisites: QEMU 6.1.0 with NVMe and HDA emulation enabled · Ubuntu 21.04 guest OS · Specific hardware configuration (q35 machine type, KVM acceleration)
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (7)

Core 7
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://gitlab.com/qemu-project/qemu/-/issues/556
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=2020298
Third Party Advisory x_refsource_misc
https://access.redhat.com/security/cve/CVE-2021-3929
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://gitlab.com/qemu-project/qemu/-/issues/782

Scores

CVSS v3 8.2
EPSS 0.0064
EPSS Percentile 46.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (3)
fedoraproject/fedora 35
fedoraproject/fedora 36
qemu/qemu < 7.0.0
Published Aug 25, 2022
Tracked Since Feb 18, 2026