Lucene search

[email protected]CVE-2022-36648

HistoryAug 22, 2023 - 7:16 p.m.

CVE-2022-36648

2023-08-2219:16:23

CWE-476

[email protected]

web.nvd.nist.gov

cve-2022-36648

hardware emulation

qemu

rocker device

remote code execution

nvd

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

58.9%

JSON

The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case.

Affected configurations

NVD

Node

qemuqemuRange≤7.0.0

CPENameOperatorVersion
qemu:qemuqemule7.0.0

CPE	Name	Operator	Version
qemu:qemu	qemu	le	7.0.0

References

lists.nongnu.org/archive/html/qemu-devel/2022-06/msg04469.html

security.netapp.com/advisory/ntap-20231006-0004/

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

58.9%

JSON

Related for CVE-2022-36648

osv1 cbl_mariner2 debiancve1 cvelist1 redhatcve1 prion1 nvd1 ubuntucve1 redos1