CVE-2021-3735

2022-08-2616:15:09

CWE-400

CWE-667

redhat

web.nvd.nist.gov

cve-2021-3735

ahci controller

qemu

deadlock issue

denial of service

nvd

vulnerability

CVSS3

4.4

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

AI Score

4.2

Confidence

High

EPSS

Percentile

12.6%

JSON

A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.

Affected configurations

Nvd

Node

qemuqemuMatch6.1.0rc4

Node

debiandebian_linuxMatch10.0

debiandebian_linuxMatch11.0

VendorProductVersionCPE
qemuqemu6.1.0cpe:2.3:a:qemu:qemu:6.1.0:rc4:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
debiandebian_linux11.0cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
qemu	qemu	6.1.0	cpe:2.3:a:qemu:qemu:6.1.0:rc4::::::
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*

CNA Affected

[
  {
    "product": "QEMU",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Not Known"
      }
    ]
  }
]