CVE-2023-3301

Advisory lineage Upstream: 0 Downstream: 9

Downstream

DEBIAN-CVE-2023-3301 OPENSUSE-SU-2024:13058-1 RHSA-2023:6980 SUSE-SU-2023:3082-1 SUSE-SU-2023:3082-2 SUSE-SU-2023:3234-1

Modified

Published: 13 Sept 2023, 16:09

Last modified:13 Feb 2025, 16:55

Vulnerability Summary

Overall Risk (default)

low

22/100

CVSS Score

5.6 MEDIUM

v3.1 (cve.org)

EPSS Score

<0.01% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

13 Sept 2023, 16:09

Published

Vulnerability first disclosed

13 Feb 2025, 16:55

Last Modified

Vulnerability information updated

Description

A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service.

CVSS Metrics

v3.1•MEDIUM•Score: 5.6CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.01%• Percentile: 1%

Techniques & Countermeasures

CWE-362•Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-617•Reachable Assertion
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Affected Systems

qemu•qemu
≤ 8.0.3
redhat•enterprise_linux
8.0 | 9.0