CVE Vulnerabilities

CVE-2021-20181

Time-of-check Time-of-use (TOCTOU) Race Condition

Published: May 13, 2021 | Modified: Nov 21, 2024
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS 2.x
6.9 MEDIUM
AV:L/AC:M/Au:N/C:C/I:C/A:C
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Ubuntu
MEDIUM

A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.

Weakness

The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

Affected Software

Name Vendor Start Version End Version
Qemu Qemu * 5.2.0 (including)
Qemu Ubuntu bionic *
Qemu Ubuntu devel *
Qemu Ubuntu esm-infra-legacy/trusty *
Qemu Ubuntu focal *
Qemu Ubuntu groovy *
Qemu Ubuntu hirsute *
Qemu Ubuntu impish *
Qemu Ubuntu jammy *
Qemu Ubuntu kinetic *
Qemu Ubuntu lunar *
Qemu Ubuntu mantic *
Qemu Ubuntu noble *
Qemu Ubuntu oracular *
Qemu Ubuntu trusty *
Qemu Ubuntu trusty/esm *
Qemu Ubuntu xenial *
Qemu-kvm Ubuntu precise/esm *

Potential Mitigations

References