CVE-2022-36648

Name of the Vulnerable Software and Affected Versions QEMU versions 7.0.0 and earlier

Description The issue is related to errors in pointer dereferencing in the of dpa cmd add l2 flood module of the QEMU hardware emulator. Exploitation of this issue may allow a remote attacker to cause a denial of service and potentially execute arbitrary code on the host by executing a malformed program in the guest OS.

Recommendations For QEMU versions 7.0.0 and earlier, consider disabling the of dpa cmd add l2 flood module of the rocker device model as a temporary workaround until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the rocker device model in virtualization use cases until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.