Use After Free

Published: Sep 06, 2019 | Modified: Sep 20, 2019
libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.


Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Affected Software

Name Vendor Start Version End Version
Libslirp Libslirp_project 4.0.0 (including) 4.0.0 (including)
Android Ubuntu trusty *
Android Ubuntu xenial *
Basilisk2 Ubuntu bionic *
Basilisk2 Ubuntu disco *
Basilisk2 Ubuntu eoan *
Basilisk2 Ubuntu groovy *
Basilisk2 Ubuntu hirsute *
Basilisk2 Ubuntu impish *
Basilisk2 Ubuntu kinetic *
Basilisk2 Ubuntu lunar *
Basilisk2 Ubuntu trusty *
Basilisk2 Ubuntu xenial *
Bochs Ubuntu bionic *
Bochs Ubuntu disco *
Bochs Ubuntu eoan *
Bochs Ubuntu groovy *
Bochs Ubuntu hirsute *
Bochs Ubuntu impish *
Bochs Ubuntu kinetic *
Bochs Ubuntu lunar *
Bochs Ubuntu trusty *
Bochs Ubuntu xenial *
Fs-uae Ubuntu bionic *
Fs-uae Ubuntu disco *
Fs-uae Ubuntu eoan *
Fs-uae Ubuntu groovy *
Fs-uae Ubuntu hirsute *
Fs-uae Ubuntu impish *
Fs-uae Ubuntu kinetic *
Fs-uae Ubuntu lunar *
Fs-uae Ubuntu trusty *
Fs-uae Ubuntu xenial *
Libslirp Ubuntu trusty *
Ns3 Ubuntu bionic *
Ns3 Ubuntu disco *
Ns3 Ubuntu eoan *
Ns3 Ubuntu groovy *
Ns3 Ubuntu hirsute *
Ns3 Ubuntu impish *
Ns3 Ubuntu kinetic *
Ns3 Ubuntu lunar *
Ns3 Ubuntu trusty *
Ns3 Ubuntu xenial *
Qemu Ubuntu bionic *
Qemu Ubuntu devel *
Qemu Ubuntu disco *
Qemu Ubuntu eoan *
Qemu Ubuntu esm-infra/bionic *
Qemu Ubuntu esm-infra/xenial *
Qemu Ubuntu focal *
Qemu Ubuntu groovy *
Qemu Ubuntu hirsute *
Qemu Ubuntu impish *
Qemu Ubuntu jammy *
Qemu Ubuntu kinetic *
Qemu Ubuntu lunar *
Qemu Ubuntu mantic *
Qemu Ubuntu noble *
Qemu Ubuntu trusty *
Qemu Ubuntu trusty/esm *
Qemu Ubuntu upstream *
Qemu Ubuntu xenial *
Qemu-kvm Ubuntu precise/esm *
Qemu-kvm-spice Ubuntu trusty *
Qemu-linaro Ubuntu trusty *
Redboot-imx Ubuntu bionic *
Redboot-imx Ubuntu disco *
Redboot-imx Ubuntu eoan *
Redboot-imx Ubuntu trusty *
Redboot-imx Ubuntu xenial *
Slirp Ubuntu bionic *
Slirp Ubuntu disco *
Slirp Ubuntu eoan *
Slirp Ubuntu groovy *
Slirp Ubuntu hirsute *
Slirp Ubuntu impish *
Slirp Ubuntu kinetic *
Slirp Ubuntu lunar *
Slirp Ubuntu trusty *
Slirp Ubuntu xenial *
Slirp4netns Ubuntu disco *
Slirp4netns Ubuntu trusty *
Vde2 Ubuntu bionic *
Vde2 Ubuntu disco *
Vde2 Ubuntu eoan *
Vde2 Ubuntu groovy *
Vde2 Ubuntu hirsute *
Vde2 Ubuntu impish *
Vde2 Ubuntu kinetic *
Vde2 Ubuntu lunar *
Vde2 Ubuntu trusty *
Vde2 Ubuntu xenial *
Virtualbox Ubuntu bionic *
Virtualbox Ubuntu disco *
Virtualbox Ubuntu eoan *
Virtualbox Ubuntu groovy *
Virtualbox Ubuntu hirsute *
Virtualbox Ubuntu impish *
Virtualbox Ubuntu kinetic *
Virtualbox Ubuntu lunar *
Virtualbox Ubuntu trusty *
Virtualbox Ubuntu xenial *
Virtualbox-hwe Ubuntu bionic *
Virtualbox-hwe Ubuntu disco *
Virtualbox-hwe Ubuntu eoan *
Virtualbox-hwe Ubuntu groovy *
Virtualbox-hwe Ubuntu hirsute *
Virtualbox-hwe Ubuntu impish *
Virtualbox-hwe Ubuntu kinetic *
Virtualbox-hwe Ubuntu lunar *
Virtualbox-hwe Ubuntu trusty *
Virtualbox-hwe Ubuntu xenial *
Virtualbox-lts-vivid Ubuntu trusty *
Virtualbox-lts-wily Ubuntu trusty *
Virtualbox-lts-xenial Ubuntu trusty *
Xen Ubuntu disco *
Xen Ubuntu eoan *
Xen Ubuntu groovy *
Xen Ubuntu hirsute *
Xen Ubuntu impish *
Xen Ubuntu trusty *
Xen Ubuntu xenial *
Advanced Virtualization for RHEL 8.2.1 RedHat virt:8.2-8020120200707202843.11e3e113 *
Advanced Virtualization for RHEL 8.2.1 RedHat virt-devel:8.2-8020120200707202843.11e3e113 *
Red Hat Enterprise Linux 6 RedHat qemu-kvm-2: *
Red Hat Enterprise Linux 7 Extras RedHat slirp4netns-0:0.3.0-8.el7_7 *
Red Hat Enterprise Linux 8 RedHat container-tools:rhel8-8010120200116121758.53d07e52 *
Red Hat Enterprise Linux 8 RedHat virt-devel:rhel-8030020200909014558.30b713e6 *
Red Hat Enterprise Linux 8 RedHat virt:rhel-8030020200909014558.30b713e6 *

Extended Description

The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system’s reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes:

In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process. If the newly allocated data happens to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.
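The scenario above, shown in C as an added example (this is not code from libslirp, QEMU or any vendor listed on this page): an owner object that frees its heap buffer but keeps the old pointer is the dangling-pointer pattern; the hardened version clears the pointer and length at release time so every later consumer can refuse the access instead of reading memory that may already belong to another allocation. The `struct frag_buf` type, its function names and the payload string are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Small owner object for a heap buffer. Constructed for this example. */
struct frag_buf {
    char  *data;   /* heap buffer; NULL once released */
    size_t len;    /* bytes valid in data; 0 once released */
};

/* Allocate an owner and copy a constructed payload into it. */
struct frag_buf *frag_buf_new(const char *payload) {
    struct frag_buf *fb = calloc(1, sizeof *fb);
    if (fb == NULL) return NULL;
    fb->len = strlen(payload);
    fb->data = malloc(fb->len + 1);
    if (fb->data == NULL) { free(fb); return NULL; }
    memcpy(fb->data, payload, fb->len + 1);
    return fb;
}

/* VULNERABLE pattern (CWE-416): the buffer is freed but the owner still
 * holds its address, so any later frag_buf_peek() reads freed memory that
 * the allocator may have handed to someone else. Compiled for comparison
 * only; nothing in this file calls it. */
void frag_buf_release_dangling(struct frag_buf *fb) {
    free(fb->data);
    /* fb->data is now a dangling pointer. */
}

/* Hardened pattern: free, then clear pointer and length so the object
 * carries no reference to memory it no longer owns. */
void frag_buf_release(struct frag_buf *fb) {
    free(fb->data);
    fb->data = NULL;
    fb->len = 0;
}

/* Every consumer checks ownership state before touching the buffer.
 * Returns the number of payload bytes copied, or -1 if the buffer has
 * been released or the destination is too small. */
int frag_buf_peek(const struct frag_buf *fb, char *out, size_t out_sz) {
    if (fb->data == NULL || fb->len + 1 > out_sz) return -1;
    memcpy(out, fb->data, fb->len + 1);
    return (int)fb->len;
}

/* Destroy the owner. Safe to call after frag_buf_release(): free(NULL)
 * is a no-op, so there is no double free. */
void frag_buf_free(struct frag_buf *fb) {
    if (fb == NULL) return;
    frag_buf_release(fb);
    free(fb);
}

/* Runs the full lifecycle; returns 0 when the access after release is
 * refused rather than performed. */
int demo(void) {
    char out[64];
    struct frag_buf *fb = frag_buf_new("constructed fragment payload");
    if (fb == NULL) return -1;
    int first = frag_buf_peek(fb, out, sizeof out);   /* payload length, 28 */
    frag_buf_release(fb);
    int second = frag_buf_peek(fb, out, sizeof out);  /* -1: no read of freed memory */
    frag_buf_free(fb);
    return (first == 28 && second == -1) ? 0 : 1;
}

int main(void) {
    printf("access after release refused: %s\n", demo() == 0 ? "yes" : "no");
    return 0;
}
```

Clearing the pointer does not by itself catch every use-after-free (a second copy of the address held elsewhere still dangles), which is why the consumer-side NULL check and a single owner for each buffer matter as much as the release routine. To see the dangling variant reported during testing, build with `-fsanitize=address` and call `frag_buf_release_dangling` followed by a peek; AddressSanitizer flags the heap-use-after-free at the read.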

Potential Mitigations