Vulnerabilities > CVE-2021-4145 - NULL Pointer Dereference vulnerability in multiple products

CVSS 6.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

local

low complexity

qemu

redhat

CWE-476

NVD

Published: 2022-01-25

Updated: 2024-11-21

Summary

A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node.

Vulnerable Configurations

Part	Description	Count
Application	Qemu Qemu Qemu 6.1.0	6
OS	Redhat Redhat Enterprise Linux 8.0	1

Common Weakness Enumeration (CWE)

CWE-476 - NULL Pointer Dereference

References

https://bugzilla.redhat.com/show_bug.cgi?id=2034602
https://bugzilla.redhat.com/show_bug.cgi?id=2034602
https://gitlab.com/qemu-project/qemu/-/commit/66fed30c9cd11854fc878a4eceb507e915d7c9cd
https://gitlab.com/qemu-project/qemu/-/commit/66fed30c9cd11854fc878a4eceb507e915d7c9cd
https://security.gentoo.org/glsa/202208-27
https://security.gentoo.org/glsa/202208-27
https://security.netapp.com/advisory/ntap-20220311-0004/
https://security.netapp.com/advisory/ntap-20220311-0004/