QEMU Tulip DMA Reentrancy Enables Multiple MMIO, Crash Risk
CVE-2022-2962 Published on September 13, 2022
A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
Vulnerability Analysis
CVE-2022-2962 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2022-2962. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2022-2962 has been classified to as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2022-2962
stack.watch emails you whenever new vulnerabilities are published in QEMU or Canonical Ubuntu Linux. Just hit a watch button to start following.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.