An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() and udp6_input() functions, where it could occur while processing a UDP packet that is smaller than the size of the 'udphdr' structure, and in the tftp_input() function, where it could occur while processing a UDP packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.

An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest-supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.