Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2023-3354

NULL Pointer Dereference

Published: Jul 11, 2023 | Modified: Nov 21, 2024
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
LOW
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2023-3354
CWEhttps://cwe.mitre.org/data/definitions/476.html

A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.

Weakness

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Affected Software

Name Vendor Start Version End Version
Qemu Qemu * 8.1.0 (excluding)
Qemu Qemu 8.1.0-rc0 (including) 8.1.0-rc0 (including)
Qemu Qemu 8.1.0-rc1 (including) 8.1.0-rc1 (including)
Red Hat Enterprise Linux 8 RedHat virt-devel:rhel-8080020230901075317.63b34585 *
Red Hat Enterprise Linux 8 RedHat virt:rhel-8080020230901075317.63b34585 *
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions RedHat virt:rhel-8010020230902123217.c27ad7f8 *
Red Hat Enterprise Linux 8.2 Advanced Update Support RedHat virt:rhel-8020020230902114249.4cda2c84 *
Red Hat Enterprise Linux 8.2 Telecommunications Update Service RedHat virt:rhel-8020020230902114249.4cda2c84 *
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions RedHat virt:rhel-8020020230902114249.4cda2c84 *
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support RedHat virt:rhel-8040020230902084954.522a0ee4 *
Red Hat Enterprise Linux 8.4 Telecommunications Update Service RedHat virt:rhel-8040020230902084954.522a0ee4 *
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions RedHat virt:rhel-8040020230902084954.522a0ee4 *
Red Hat Enterprise Linux 8.6 Extended Update Support RedHat virt-devel:rhel-8060020231128234847.ad008a3a *
Red Hat Enterprise Linux 8.6 Extended Update Support RedHat virt:rhel-8060020231128234847.ad008a3a *
Red Hat Enterprise Linux 9 RedHat qemu-kvm-17:7.2.0-14.el9_2.5 *
Red Hat Enterprise Linux 9.0 Extended Update Support RedHat qemu-kvm-17:6.2.0-11.el9_0.8 *
Qemu Ubuntu bionic *
Qemu Ubuntu esm-infra-legacy/trusty *
Qemu Ubuntu esm-infra/bionic *
Qemu Ubuntu esm-infra/xenial *
Qemu Ubuntu focal *
Qemu Ubuntu jammy *
Qemu Ubuntu kinetic *
Qemu Ubuntu lunar *
Qemu Ubuntu trusty *
Qemu Ubuntu trusty/esm *
Qemu Ubuntu xenial *

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use