CVE-2022-36648 — CRITICAL (10.0)

Q: How severe is CVE-2022-36648?

CVE-2022-36648 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-36648?

Check the references section above for vendor advisories and patch information. Affected products include: Qemu Qemu.

Vulnerability Description

The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Qemu	Qemu	<= 7.0.0

Related Weaknesses (CWE)

CWE-476

References

FAQ

What is CVE-2022-36648?

CVE-2022-36648 is a vulnerability with a CVSS score of 10.0 (CRITICAL). The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the h...

How severe is CVE-2022-36648?

CVE-2022-36648 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-36648?

Check the references section above for vendor advisories and patch information. Affected products include: Qemu Qemu.