CVE-2021-3527

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-3527
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3527.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-3527
Downstream
Related
Published
2021-05-26T22:15:08Z
Modified
2025-10-26T12:02:09.649294Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.

References

Affected packages

Git / github.com/qemu/qemu

Affected ranges

Type
GIT
Repo
https://github.com/qemu/qemu
Events
Introduced
0 Unknown introduced commit / All previous commits are affected

Git / gitlab.com/qemu-project/qemu

Affected ranges

Type
GIT
Repo
https://gitlab.com/qemu-project/qemu
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
05a40b172e4d691371534828078be47e7fff524c
Fixed
7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.11.0-rc0
v0.12.0-rc0
v0.13.0-rc0
v0.14.0-rc0
v0.15.0-rc0
v0.2.0
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.5.0

v1.*

v1.0
v1.0-rc0
v1.0-rc1
v1.0-rc2
v1.0-rc3
v1.0-rc4
v1.1-rc0
v1.1-rc1
v1.1-rc2
v1.1.0
v1.1.0-rc2
v1.1.0-rc3
v1.1.0-rc4
v1.2.0
v1.2.0-rc0
v1.2.0-rc1
v1.2.0-rc2
v1.2.0-rc3
v1.3.0
v1.3.0-rc0
v1.3.0-rc1
v1.3.0-rc2
v1.4.0
v1.4.0-rc0
v1.4.0-rc1
v1.4.0-rc2
v1.5.0
v1.5.0-rc0
v1.5.0-rc1
v1.5.0-rc2
v1.5.0-rc3
v1.6.0
v1.6.0-rc0
v1.6.0-rc1
v1.6.0-rc2
v1.6.0-rc3
v1.7.0
v1.7.0-rc0
v1.7.0-rc1
v1.7.0-rc2

v2.*

v2.0.0
v2.0.0-rc0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.1.0
v2.1.0-rc0
v2.1.0-rc1
v2.1.0-rc2
v2.1.0-rc3
v2.1.0-rc4
v2.1.0-rc5
v2.10.0
v2.10.0-rc0
v2.10.0-rc1
v2.10.0-rc2
v2.10.0-rc3
v2.10.0-rc4
v2.11.0
v2.11.0-rc0
v2.11.0-rc1
v2.11.0-rc2
v2.11.0-rc3
v2.11.0-rc4
v2.11.0-rc5
v2.12.0
v2.12.0-rc0
v2.12.0-rc1
v2.12.0-rc2
v2.12.0-rc3
v2.12.0-rc4
v2.2.0
v2.2.0-rc0
v2.2.0-rc1
v2.2.0-rc2
v2.2.0-rc3
v2.2.0-rc4
v2.2.0-rc5
v2.3.0
v2.3.0-rc0
v2.3.0-rc1
v2.3.0-rc2
v2.3.0-rc3
v2.3.0-rc4
v2.4.0
v2.4.0-rc0
v2.4.0-rc1
v2.4.0-rc2
v2.4.0-rc3
v2.4.0-rc4
v2.5.0
v2.5.0-rc0
v2.5.0-rc1
v2.5.0-rc2
v2.5.0-rc3
v2.5.0-rc4
v2.6.0
v2.6.0-rc0
v2.6.0-rc1
v2.6.0-rc2
v2.6.0-rc3
v2.6.0-rc4
v2.6.0-rc5
v2.7.0
v2.7.0-rc0
v2.7.0-rc1
v2.7.0-rc2
v2.7.0-rc3
v2.7.0-rc4
v2.7.0-rc5
v2.8.0
v2.8.0-rc0
v2.8.0-rc1
v2.8.0-rc2
v2.8.0-rc3
v2.8.0-rc4
v2.9.0
v2.9.0-rc0
v2.9.0-rc1
v2.9.0-rc2
v2.9.0-rc3
v2.9.0-rc4
v2.9.0-rc5

v3.*

v3.0.0
v3.0.0-rc0
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.0.0-rc4
v3.1.0
v3.1.0-rc0
v3.1.0-rc1
v3.1.0-rc2
v3.1.0-rc3
v3.1.0-rc4
v3.1.0-rc5

v4.*

v4.0.0
v4.0.0-rc0
v4.0.0-rc1
v4.0.0-rc2
v4.0.0-rc3
v4.0.0-rc4
v4.1.0
v4.1.0-rc0
v4.1.0-rc1
v4.1.0-rc2
v4.1.0-rc3
v4.1.0-rc4
v4.1.0-rc5
v4.2.0
v4.2.0-rc0
v4.2.0-rc1
v4.2.0-rc2
v4.2.0-rc3
v4.2.0-rc4
v4.2.0-rc5

v5.*

v5.0.0
v5.0.0-rc0
v5.0.0-rc1
v5.0.0-rc2
v5.0.0-rc3
v5.0.0-rc4
v5.1.0
v5.1.0-rc0
v5.1.0-rc1
v5.1.0-rc2
v5.1.0-rc3
v5.2.0
v5.2.0-rc0
v5.2.0-rc1
v5.2.0-rc2
v5.2.0-rc3
v5.2.0-rc4

v6.*

v6.0.0
v6.0.0-rc0
v6.0.0-rc1
v6.0.0-rc2
v6.0.0-rc3
v6.0.0-rc4
v6.0.0-rc5

Database specific

vanir_signatures

[
    {
        "source": "https://gitlab.com/qemu-project/qemu@05a40b172e4d691371534828078be47e7fff524c",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "hw/usb/combined-packet.c"
        },
        "id": "CVE-2021-3527-4cab5e44",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "269400761726207554090353202840902315257",
                "119307344340641259751801519692907203016",
                "326548559512027486046572904986022376072",
                "73041713572673512055747119237799287705"
            ]
        }
    },
    {
        "source": "https://gitlab.com/qemu-project/qemu@7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "hw/usb/redirect.c"
        },
        "id": "CVE-2021-3527-503e3bf1",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "167443947742219700222957101252243774600",
                "61911157104635718831387678215906986250",
                "29568767801218084532825511420516210099",
                "88460353428432787954060144963198367115",
                "293827903315787450183182877461871256600",
                "90873833699346552304369370712175299809",
                "37900396691202462739205124391483260441",
                "242002003889685031535552614557524308098",
                "51051223527711322627583931772797510787",
                "210975785683925942205039452318950435298",
                "108317851574551643512430908095355764785",
                "83811626812010732757727657331821254659"
            ]
        }
    },
    {
        "source": "https://gitlab.com/qemu-project/qemu@7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "usbredir_handle_iso_data",
            "file": "hw/usb/redirect.c"
        },
        "id": "CVE-2021-3527-7596b36c",
        "signature_type": "Function",
        "digest": {
            "length": 3283.0,
            "function_hash": "193074547064934338397412369714946632047"
        }
    },
    {
        "source": "https://gitlab.com/qemu-project/qemu@7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "usbredir_handle_interrupt_out_data",
            "file": "hw/usb/redirect.c"
        },
        "id": "CVE-2021-3527-adb2a197",
        "signature_type": "Function",
        "digest": {
            "length": 523.0,
            "function_hash": "166676994960784205671750699193853905376"
        }
    },
    {
        "source": "https://gitlab.com/qemu-project/qemu@05a40b172e4d691371534828078be47e7fff524c",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "usb_ep_combine_input_packets",
            "file": "hw/usb/combined-packet.c"
        },
        "id": "CVE-2021-3527-b2c39117",
        "signature_type": "Function",
        "digest": {
            "length": 1311.0,
            "function_hash": "249538098380142255455224067407001734942"
        }
    },
    {
        "source": "https://gitlab.com/qemu-project/qemu@7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "usbredir_handle_bulk_data",
            "file": "hw/usb/redirect.c"
        },
        "id": "CVE-2021-3527-d8d1898b",
        "signature_type": "Function",
        "digest": {
            "length": 1398.0,
            "function_hash": "198368438371595159633120831886524687622"
        }
    }
]