CVE-2022-26353

Advisory lineage Upstream: 0 Downstream: 9

Downstream

DEBIAN-CVE-2022-26353 DSA-5133-1 OPENSUSE-SU-2024:12209-1 RHSA-2022:5002 RHSA-2022:5263 RHSA-2022:5821

Modified

Published: 16 Mar 2022, 14:02

Last modified:03 Aug 2024, 05:03

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

0.24% LOW

0% probability -0.09%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

16 Mar 2022, 14:02

Published

Vulnerability first disclosed

03 Aug 2024, 05:03

Last Modified

Vulnerability information updated

Description

A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.24%• Percentile: 47%

Techniques & Countermeasures

CWE-772•Missing Release of Resource after Effective Lifetime
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Affected Systems

debian•debian_linux
11.0
qemu•qemu
6.2.0