Vulnerabilities > CVE-2023-40360 - NULL Pointer Dereference vulnerability in Qemu

CVSS 5.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

local

low complexity

qemu

CWE-476

NVD

Published: 2023-08-14

Updated: 2023-12-11

Summary

QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled.

Vulnerable Configurations

Part	Description	Count
Application	Qemu Qemu Qemu 8.0.0 Qemu Qemu 8.0.1 Qemu Qemu 8.0.2 Qemu Qemu 8.0.3 Qemu Qemu 8.0.4	10

Common Weakness Enumeration (CWE)

CWE-476 - NULL Pointer Dereference

References

https://gitlab.com/birkelund/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98
https://gitlab.com/qemu-project/qemu/-/issues/1815
https://www.qemu.org/docs/master/system/security.html
https://security.netapp.com/advisory/ntap-20230915-0004/