CVE-2021-3527

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-3527
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3527.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-3527
Downstream
Related
Published
2021-05-26T22:15:08Z
Modified
2025-09-19T13:04:56.148955Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.

References

Affected packages

Git / github.com/qemu/qemu

Affected ranges

Type
GIT
Repo
https://github.com/qemu/qemu
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
609d7596524ab204ccd71ef42c9eee4c7c338ea4
Type
GIT
Repo
https://gitlab.com/qemu-project/qemu
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
05a40b172e4d691371534828078be47e7fff524c
Fixed
7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.11.0-rc0
v0.12.0-rc0
v0.13.0-rc0
v0.14.0-rc0
v0.15.0-rc0
v0.2.0
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.5.0

v1.*

v1.0
v1.0-rc0
v1.0-rc1
v1.0-rc2
v1.0-rc3
v1.0-rc4
v1.1-rc0
v1.1-rc1
v1.1-rc2
v1.1.0
v1.1.0-rc2
v1.1.0-rc3
v1.1.0-rc4
v1.2.0
v1.2.0-rc0
v1.2.0-rc1
v1.2.0-rc2
v1.2.0-rc3
v1.3.0
v1.3.0-rc0
v1.3.0-rc1
v1.3.0-rc2
v1.4.0
v1.4.0-rc0
v1.4.0-rc1
v1.4.0-rc2
v1.5.0
v1.5.0-rc0
v1.5.0-rc1
v1.5.0-rc2
v1.5.0-rc3
v1.6.0
v1.6.0-rc0
v1.6.0-rc1
v1.6.0-rc2
v1.6.0-rc3
v1.7.0
v1.7.0-rc0
v1.7.0-rc1
v1.7.0-rc2

v2.*

v2.0.0
v2.0.0-rc0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.1.0
v2.1.0-rc0
v2.1.0-rc1
v2.1.0-rc2
v2.1.0-rc3
v2.1.0-rc4
v2.1.0-rc5
v2.10.0
v2.10.0-rc0
v2.10.0-rc1
v2.10.0-rc2
v2.10.0-rc3
v2.10.0-rc4
v2.11.0
v2.11.0-rc0
v2.11.0-rc1
v2.11.0-rc2
v2.11.0-rc3
v2.11.0-rc4
v2.11.0-rc5
v2.12.0
v2.12.0-rc0
v2.12.0-rc1
v2.12.0-rc2
v2.12.0-rc3
v2.12.0-rc4
v2.2.0
v2.2.0-rc0
v2.2.0-rc1
v2.2.0-rc2
v2.2.0-rc3
v2.2.0-rc4
v2.2.0-rc5
v2.3.0
v2.3.0-rc0
v2.3.0-rc1
v2.3.0-rc2
v2.3.0-rc3
v2.3.0-rc4
v2.4.0
v2.4.0-rc0
v2.4.0-rc1
v2.4.0-rc2
v2.4.0-rc3
v2.4.0-rc4
v2.5.0
v2.5.0-rc0
v2.5.0-rc1
v2.5.0-rc2
v2.5.0-rc3
v2.5.0-rc4
v2.6.0
v2.6.0-rc0
v2.6.0-rc1
v2.6.0-rc2
v2.6.0-rc3
v2.6.0-rc4
v2.6.0-rc5
v2.7.0
v2.7.0-rc0
v2.7.0-rc1
v2.7.0-rc2
v2.7.0-rc3
v2.7.0-rc4
v2.7.0-rc5
v2.8.0
v2.8.0-rc0
v2.8.0-rc1
v2.8.0-rc2
v2.8.0-rc3
v2.8.0-rc4
v2.9.0
v2.9.0-rc0
v2.9.0-rc1
v2.9.0-rc2
v2.9.0-rc3
v2.9.0-rc4
v2.9.0-rc5

v3.*

v3.0.0
v3.0.0-rc0
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.0.0-rc4
v3.1.0
v3.1.0-rc0
v3.1.0-rc1
v3.1.0-rc2
v3.1.0-rc3
v3.1.0-rc4
v3.1.0-rc5

v4.*

v4.0.0
v4.0.0-rc0
v4.0.0-rc1
v4.0.0-rc2
v4.0.0-rc3
v4.0.0-rc4
v4.1.0
v4.1.0-rc0
v4.1.0-rc1
v4.1.0-rc2
v4.1.0-rc3
v4.1.0-rc4
v4.1.0-rc5
v4.2.0
v4.2.0-rc0
v4.2.0-rc1
v4.2.0-rc2
v4.2.0-rc3
v4.2.0-rc4
v4.2.0-rc5

v5.*

v5.0.0
v5.0.0-rc0
v5.0.0-rc1
v5.0.0-rc2
v5.0.0-rc3
v5.0.0-rc4
v5.1.0
v5.1.0-rc0
v5.1.0-rc1
v5.1.0-rc2
v5.1.0-rc3
v5.2.0
v5.2.0-rc0
v5.2.0-rc1
v5.2.0-rc2
v5.2.0-rc3
v5.2.0-rc4

v6.*

v6.0.0
v6.0.0-rc0
v6.0.0-rc1
v6.0.0-rc2
v6.0.0-rc3
v6.0.0-rc4
v6.0.0-rc5

Database specific 

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "269400761726207554090353202840902315257",
                    "119307344340641259751801519692907203016",
                    "326548559512027486046572904986022376072",
                    "73041713572673512055747119237799287705"
                ]
            },
            "target": {
                "file": "hw/usb/combined-packet.c"
            },
            "source": "https://gitlab.com/qemu-project/qemu@05a40b172e4d691371534828078be47e7fff524c",
            "id": "CVE-2021-3527-4cab5e44",
            "deprecated": false,
            "signature_type": "Line",
            "signature_version": "v1"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "167443947742219700222957101252243774600",
                    "61911157104635718831387678215906986250",
                    "29568767801218084532825511420516210099",
                    "88460353428432787954060144963198367115",
                    "293827903315787450183182877461871256600",
                    "90873833699346552304369370712175299809",
                    "37900396691202462739205124391483260441",
                    "242002003889685031535552614557524308098",
                    "51051223527711322627583931772797510787",
                    "210975785683925942205039452318950435298",
                    "108317851574551643512430908095355764785",
                    "83811626812010732757727657331821254659"
                ]
            },
            "target": {
                "file": "hw/usb/redirect.c"
            },
            "source": "https://gitlab.com/qemu-project/qemu@7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986",
            "id": "CVE-2021-3527-503e3bf1",
            "deprecated": false,
            "signature_type": "Line",
            "signature_version": "v1"
        },
        {
            "digest": {
                "function_hash": "193074547064934338397412369714946632047",
                "length": 3283.0
            },
            "target": {
                "file": "hw/usb/redirect.c",
                "function": "usbredir_handle_iso_data"
            },
            "source": "https://gitlab.com/qemu-project/qemu@7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986",
            "id": "CVE-2021-3527-7596b36c",
            "deprecated": false,
            "signature_type": "Function",
            "signature_version": "v1"
        },
        {
            "digest": {
                "function_hash": "166676994960784205671750699193853905376",
                "length": 523.0
            },
            "target": {
                "file": "hw/usb/redirect.c",
                "function": "usbredir_handle_interrupt_out_data"
            },
            "source": "https://gitlab.com/qemu-project/qemu@7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986",
            "id": "CVE-2021-3527-adb2a197",
            "deprecated": false,
            "signature_type": "Function",
            "signature_version": "v1"
        },
        {
            "digest": {
                "function_hash": "249538098380142255455224067407001734942",
                "length": 1311.0
            },
            "target": {
                "file": "hw/usb/combined-packet.c",
                "function": "usb_ep_combine_input_packets"
            },
            "source": "https://gitlab.com/qemu-project/qemu@05a40b172e4d691371534828078be47e7fff524c",
            "id": "CVE-2021-3527-b2c39117",
            "deprecated": false,
            "signature_type": "Function",
            "signature_version": "v1"
        },
        {
            "digest": {
                "function_hash": "198368438371595159633120831886524687622",
                "length": 1398.0
            },
            "target": {
                "file": "hw/usb/redirect.c",
                "function": "usbredir_handle_bulk_data"
            },
            "source": "https://gitlab.com/qemu-project/qemu@7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986",
            "id": "CVE-2021-3527-d8d1898b",
            "deprecated": false,
            "signature_type": "Function",
            "signature_version": "v1"
        }
    ]
}