CVE-2022-4172
Advisory lineage Upstream: 0 Downstream: 5
Modified
Published: 29 Nov 2022, 00:00
Last modified:14 Apr 2025, 18:10
Vulnerability Summary
Overall Risk (default)
medium
36/100 CVSS Score
6.5 MEDIUM
v3.1 (cve.org)
EPSS Score
0.03% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
29 Nov 2022, 00:00
Published
Vulnerability first disclosed
14 Apr 2025, 18:10
Last Modified
Vulnerability information updated
Description
An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.
CVSS Metrics
- v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.03%• Percentile: 11%
Techniques & Countermeasures
- CWE-120•Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Affected Systems
- fedoraproject•fedora
37
- qemu•qemu
7.0.0
References (5)
- https://lore.kernel.org/qemu-devel/20221024154233.1043347-1-lk%40c--e.de/
- https://gitlab.com/qemu-project/qemu/-/issues/1268
- https://gitlab.com/qemu-project/qemu/-/commit/defb7098
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7J5IRXJYLELW7D43A75LOWRUE5EU54O/
- https://security.netapp.com/advisory/ntap-20230127-0013/