CVE-2022-26354

LOW

QEMU <= 6.2.0 - Memory Corruption

Title source: llm

Description

A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.

References (6)

[Patch, Third Party Advisory] https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf

View Patch ZIP pw:eip

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/04/msg00002.html

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20220425-0003/

[Third Party Advisory] https://www.debian.org/security/2022/dsa-5133

[Third Party Advisory] https://security.gentoo.org/glsa/202208-27

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html

Scores

CVSS v3 3.2

EPSS 0.0001

EPSS Percentile 1.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

Details

CWE

CWE-772

Status published

Products (3)

debian/debian_linux 9.0

debian/debian_linux 10.0

qemu/qemu < 6.2.0

Published Mar 16, 2022

Tracked Since Feb 18, 2026