CVE-2022-2962
- Source
- https://cve.org/CVERecord?id=CVE-2022-2962
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2962.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-2962
- Downstream
- Related
- Published
- 2022-09-13T19:18:14Z
- Modified
- 2026-06-15T21:16:37.123163Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/2xxx/CVE-2022-2962.json", "cna_assigner": "redhat", "cwe_ids": [ "CWE-400" ] }- References
Affected packages
Git / github.com/qemu/qemu
Affected ranges
Affected versions
v4.*
v4.2.0
v5.*
v5.0.0
v5.0.0-rc0
v5.0.0-rc1
v5.0.0-rc2
v5.0.0-rc3
v5.0.0-rc4
v5.1.0
v5.1.0-rc0
v5.1.0-rc1
v5.1.0-rc2
v5.1.0-rc3
v5.2.0
v5.2.0-rc0
v5.2.0-rc1
v5.2.0-rc2
v5.2.0-rc3
v5.2.0-rc4
v6.*
v6.0.0
v6.0.0-rc0
v6.0.0-rc1
v6.0.0-rc2
v6.0.0-rc3
v6.0.0-rc4
v6.0.0-rc5
v6.1.0
v6.1.0-rc0
v6.1.0-rc1
v6.1.0-rc2
v6.1.0-rc3
v6.1.0-rc4
v6.2.0
v6.2.0-rc0
v6.2.0-rc1
v6.2.0-rc3
v6.2.0-rc4
v7.*
v7.0.0
v7.0.0-rc0
v7.0.0-rc1
v7.0.0-rc2
v7.0.0-rc3
v7.0.0-rc4
v7.1.0
v7.1.0-rc0
v7.1.0-rc1
v7.1.0-rc2
v7.1.0-rc3
v7.1.0-rc4
Database specific
vanir_signatures_modified
"2026-06-15T21:16:37Z"
vanir_signatures
[
{
"digest": {
"line_hashes": [
"33159858745377908645997765771213700539",
"87404591472821702745539163954061690588",
"19419043666085762877338208946949306429",
"118525739223405489846661017724525931171",
"94652972890096512091001834816232665381",
"87404591472821702745539163954061690588",
"322822004330675076548298562185758055897",
"204039834203728791100931558873361667713"
],
"threshold": 0.9
},
"signature_version": "v1",
"id": "CVE-2022-2962-886a0380",
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "hw/net/tulip.c"
},
"source": "https://gitlab.com/qemu-project/qemu@36a894aeb64a2e02871016da1c37d4a4ca109182"
},
{
"digest": {
"function_hash": "96687268046739572125620693955961275251",
"length": 718.0
},
"signature_version": "v1",
"id": "CVE-2022-2962-d9cbf375",
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "hw/net/tulip.c",
"function": "tulip_desc_read"
},
"source": "https://gitlab.com/qemu-project/qemu@36a894aeb64a2e02871016da1c37d4a4ca109182"
},
{
"digest": {
"function_hash": "177297676384258436152410763558256028350",
"length": 702.0
},
"signature_version": "v1",
"id": "CVE-2022-2962-fff12b1c",
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "hw/net/tulip.c",
"function": "tulip_desc_write"
},
"source": "https://gitlab.com/qemu-project/qemu@36a894aeb64a2e02871016da1c37d4a4ca109182"
}
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2962.json"