CVE-2021-20257 Information

Description

An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Reference

https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html https://github.com/qemu/qemu/commit/3de46e6fc489c52c9431a8a832ad8170a7569bd8 https://bugzilla.redhat.com/show_bug.cgi?id=1930087 https://www.openwall.com/lists/oss-security/2021/02/25/2 https://security.netapp.com/advisory/ntap-20220425-0003/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

CHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

6.5