PT-2023-12180 · Hyperkit · Hyperkit

Agustin Gianni +1 · Published 2023-02-17 · Updated 2023-06-26 · CVE-2021-32846

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

HyperKit version 0.20210107

Description

HyperKit is a toolkit for embedding hypervisor capabilities in an application. The function pci_vtsock_proc_tx in virtio-sock can lead to uninitialized memory use due to an insufficient check for the return value. If the function returns -1 upon encountering an unrecoverable error, the negative return value can be used by iovec_pull in a while condition, potentially leading to further corruption because iovec_pull is not designed to handle a negative iov_len. This issue may cause a guest to crash the host, resulting in a denial of service, and under certain circumstances, memory corruption.

Recommendations

For HyperKit version 0.20210107, update to a version that includes the fix from commit af5eba2360a7351c08dfd9767d9be863a50ebaba to resolve the issue. As a temporary workaround, consider restricting the use of the virtio-sock module to minimize the risk of exploitation. Avoid using the pci_vtsock_proc_tx function until the issue is resolved.
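
The weakness class in the description (an error return of -1 passing an upper-bound-only check, so an array that was never filled gets read) is shown below as an added example. It is not HyperKit's code and not the fix from the referenced commit. MAXSEGS, get_chain, ok_upper_bound_only, ok_range_checked and chain_bytes are hypothetical names, and the buffers are constructed sample data.

```c
#include <stdio.h>
#include <sys/uio.h>

#define MAXSEGS 4 /* hypothetical limit on chain length */

/* Hypothetical chain fetch: fills iov and returns the entry count,
 * or returns -1 on an unrecoverable error and leaves iov untouched. */
static int get_chain(struct iovec *iov, int fail)
{
    static char buf[2][8]; /* constructed sample payload buffers */
    if (fail)
        return -1;
    for (int i = 0; i < 2; i++) {
        iov[i].iov_base = buf[i];
        iov[i].iov_len = sizeof buf[i];
    }
    return 2;
}

/* Upper-bound-only check (the insufficient pattern): -1 passes. */
static int ok_upper_bound_only(int n) { return n <= MAXSEGS; }

/* Range check: error returns and empty chains are rejected too. */
static int ok_range_checked(int n) { return n > 0 && n <= MAXSEGS; }

/* Sum the payload bytes of one chain, or return -1 to drop it.
 * iov is read only after the count has been validated. */
static long chain_bytes(int fail)
{
    struct iovec iov[MAXSEGS]; /* uninitialized until get_chain succeeds */
    int n = get_chain(iov, fail);
    long total = 0;

    if (!ok_range_checked(n))
        return -1;
    for (int i = 0; i < n; i++)
        total += (long)iov[i].iov_len;
    return total;
}

int main(void)
{
    printf("upper-bound-only accepts -1: %d\n", ok_upper_bound_only(-1));
    printf("range check accepts -1:      %d\n", ok_range_checked(-1));
    printf("bytes (good chain): %ld\n", chain_bytes(0));
    printf("bytes (failed fetch): %ld\n", chain_bytes(1));
    return 0;
}
```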

Fix

Weakness Enumeration

Improper Check for Exceptional Conditions

Use of Uninitialized Resource

Related Identifiers

CVE-2021-32846

Affected Products

Hyperkit