CVE-2021-3527

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2021-3527
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2021-05-26 22:15:00 UTC
Updated2022-09-30 15:10:00 UTC
DescriptionA flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.

Risk And Classification

Problem Types: CWE-770

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Debian Debian Linux 10.0 All All All
Operating System Debian Debian Linux 9.0 All All All
Application Qemu Qemu All All All All
Application Qemu Qemu All All All All
Operating System Redhat Enterprise Linux 8.0 All All All
Operating System Redhat Enterprise Linux 8.0 All All All

References

ReferenceSourceLinkTags
usb/redir: avoid dynamic stack allocation (CVE-2021-3527) (7ec54f9e) · Commits · QEMU / QEMU · GitLab MISC gitlab.com
CVE-2021-3527 QEMU Vulnerability in NetApp Products | NetApp Product Security CONFIRM security.netapp.com
[SECURITY] [DLA 3099-1] qemu security update MLIST lists.debian.org
1955695 – (CVE-2021-3527) CVE-2021-3527 QEMU: usb: unbounded stack allocation in usbredir MISC bugzilla.redhat.com
[SECURITY] [DLA 2753-1] qemu security update MLIST lists.debian.org
usb: limit combined packets to 1 MiB (CVE-2021-3527) (05a40b17) · Commits · QEMU / QEMU · GitLab MISC gitlab.com
QEMU: Multiple Vulnerabilities (GLSA 202208-27) — Gentoo security GENTOO security.gentoo.org
oss-security - CVE-2021-3527 QEMU: usb: unbounded stack allocation in usbredir MISC www.openwall.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 159368 Oracle Enterprise Linux Security Update for qemu (ELSA-2021-9425)
  • 159465 Oracle Enterprise Linux Security Update for qemu (ELSA-2021-9425)
  • 159566 Oracle Enterprise Linux Security Update for kvm_utils (ELSA-2021-9568)
  • 178782 Debian Security Update for qemu (DLA 2753-1)
  • 180258 Debian Security Update for qemu (CVE-2021-3527)
  • 180995 Debian Security Update for qemu (DLA 3099-1)
  • 198432 Ubuntu Security Notification for QEMU vulnerabilities (USN-5010-1)
  • 355320 Amazon Linux Security Advisory for qemu : ALAS2-2023-2061
  • 501909 Alpine Linux Security Update for qemu
  • 502355 Alpine Linux Security Update for qemu
  • 671198 EulerOS Security Update for qemu (EulerOS-SA-2022-1034)
  • 671203 EulerOS Security Update for qemu (EulerOS-SA-2022-1014)
  • 710604 Gentoo Linux QEMU Multiple Vulnerabilities (GLSA 202208-27)
  • 750995 SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:2813-1)
  • 751013 OpenSUSE Security Update for qemu (openSUSE-SU-2021:2789-1)
  • 751053 OpenSUSE Security Update for qemu (openSUSE-SU-2021:1202-1)
  • 751068 OpenSUSE Security Update for qemu (openSUSE-SU-2021:2858-1)
  • 751322 SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:3614-1)
  • 751323 SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:3613-1)
  • 751330 OpenSUSE Security Update for qemu (openSUSE-SU-2021:3614-1)
  • 751338 SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:3635-1)
  • 900156 CBL-Mariner Linux Security Update for qemu-kvm 4.2.0
  • 903539 Common Base Linux Mariner (CBL-Mariner) Security Update for qemu-kvm (4267)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report