DEBIAN-CVE-2022-36648

DEBIAN-CVE-2022-36648 PUBLISHED CVSS 10 CRITICAL

The hardware emulation in the of_dpa_cmd_add_l2_flood function of the rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host by executing a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability because the rocker device does not fall within the virtualization use case.

Risk Scores

CVSS 3.1
10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Products

Vendor      Product   Versions
Debian:13   qemu      *, *, 10.0.2+ds
Debian:14   qemu      11.0.0, 11.0.0, 11.0.0
Debian:12   qemu      1:8.0~rc4+dfsg-1, 1:8.0~rc4+dfsg-2, 1:8.1.0+ds-1
Debian:11   qemu      *, 0, 10.0.0+ds

Timeline

  • Aug 22, 2023 CVE Published
  • Apr 28, 2026 CVE Updated