Описание
A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | released | 9.0.2+ds-4ubuntu8 |
| esm-infra-legacy/trusty | released | 2.0.0+dfsg-2ubuntu1.47+esm4 |
| esm-infra/bionic | released | 1:2.11+dfsg-1ubuntu7.42+esm2 |
| esm-infra/focal | released | 1:4.2-3ubuntu6.30 |
| esm-infra/xenial | released | 1:2.5+dfsg-5ubuntu10.51+esm3 |
| focal | released | 1:4.2-3ubuntu6.30 |
| jammy | released | 1:6.2+dfsg-2ubuntu6.24 |
| noble | released | 1:8.2.2+ds-0ubuntu1.4 |
| oracular | released | 1:9.0.2+ds-4ubuntu5.1 |
| plucky | released | 9.0.2+ds-4ubuntu8 |
Показывать по
EPSS
7.4 High
CVSS3
Связанные уязвимости
A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero.
A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero.
A heap buffer overflow was found in the virtio-snd device in QEMU. Whe ...
A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero.
EPSS
7.4 High
CVSS3