A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VMs boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.
The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Qemu | Qemu | * | 8.2.0 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | virt-devel:rhel-8100020240314161907.e155f54d | * |
| Red Hat Enterprise Linux 8 | RedHat | virt:rhel-8100020240314161907.e155f54d | * |
| Red Hat Enterprise Linux 9 | RedHat | qemu-kvm-17:8.2.0-11.el9_4 | * |
| Qemu | Ubuntu | bionic | * |
| Qemu | Ubuntu | devel | * |
| Qemu | Ubuntu | focal | * |
| Qemu | Ubuntu | jammy | * |
| Qemu | Ubuntu | lunar | * |
| Qemu | Ubuntu | mantic | * |
| Qemu | Ubuntu | noble | * |
| Qemu | Ubuntu | oracular | * |
| Qemu | Ubuntu | trusty | * |
| Qemu | Ubuntu | trusty/esm | * |
| Qemu | Ubuntu | xenial | * |