CVE-2022-26354

LOW

QEMU <= 6.2.0 - Memory Corruption

Title source: llm

Description

A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.

References (6)

[Patch, Third Party Advisory] https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf

View Patch ZIP pw:eip

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/04/msg00002.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html

[Third Party Advisory] https://security.gentoo.org/glsa/202208-27

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20220425-0003/

[Third Party Advisory] https://www.debian.org/security/2022/dsa-5133

Scores

CVSS v3 3.2

EPSS 0.0002

EPSS Percentile 4.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

Classification

CWE

CWE-772

Status published

Affected Products (3)

qemu/qemu < 6.2.0

debian/debian_linux

Timeline

Published Mar 16, 2022

Tracked Since Feb 18, 2026