VDB
CVE-2021-20221
CVE-2021-20221
PUBLISHED
An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
EPSS 0.03% · 7.9th percentile
Risk Scores
EPSS Score
0.03%
7.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | qemu | *, 1:2.11+dfsg-1ubuntu7.17, * |
| Ubuntu:20.04:LTS | qemu | 1:4.2-1ubuntu1, *, * |
| Ubuntu:Pro:14.04:LTS | qemu | *, *, * |
| Ubuntu:Pro:16.04:LTS | qemu | 1:2.3+dfsg-5ubuntu9, *, * |
Timeline
- Feb 2, 2021 CVE Published
- May 14, 2021 EPSS Score
- Jul 17, 2021 EPSS Score
- Sep 16, 2021 EPSS Score
- Nov 17, 2021 EPSS Score
- Jan 17, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 20, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 21, 2022 EPSS Score
- Jul 22, 2022 EPSS Score
- Sep 22, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-20221 third-party-advisory
- https://www.openwall.com/lists/oss-security/2021/02/05/1 third-party-advisory
- https://ubuntu.com/security/notices/USN-5010-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-20221 third-party-advisory