CVE-2021-3735

2022-08-2616:15:09

CWE-667

CWE-400

[email protected]

web.nvd.nist.gov

ahci controller

qemu

deadlock

denial of service

vulnerability

system availability

CVSS3

4.4

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

12.6%

JSON

A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.

Affected configurations

Nvd

Node

qemuqemuMatch6.1.0rc4

Node

debiandebian_linuxMatch10.0

debiandebian_linuxMatch11.0

VendorProductVersionCPE
qemuqemu6.1.0cpe:2.3:a:qemu:qemu:6.1.0:rc4:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
debiandebian_linux11.0cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
qemu	qemu	6.1.0	cpe:2.3:a:qemu:qemu:6.1.0:rc4::::::
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*