CVE-2021-3750

8.2 HIGH

📋 TL;DR

A DMA reentrancy vulnerability in QEMU's USB EHCI controller emulation allows malicious guests to write crafted data to controller registers during packet transfers. This can trigger use-after-free conditions, potentially leading to host QEMU process crashes or arbitrary code execution. Affects QEMU versions before 7.0.0 when USB EHCI emulation is enabled.

💻 Affected Systems

Products:
  • QEMU
Versions: All versions before 7.0.0
Operating Systems: Linux, Windows, macOS - any OS running vulnerable QEMU
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when USB EHCI controller emulation is enabled. Many distributions disable USB by default in QEMU configurations.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary code execution within QEMU process context on the host, potentially leading to full host compromise.

🟠

Likely Case

Denial of service through QEMU process crash, disrupting all virtual machines managed by that QEMU instance.

🟢

If Mitigated

No impact if QEMU is not running or USB EHCI controller is disabled.

🌐 Internet-Facing: LOW - Requires local guest access to QEMU virtual machines.
🏢 Internal Only: HIGH - Malicious internal users with guest VM access can exploit this to compromise virtualization infrastructure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires guest VM access and knowledge of QEMU internals. Proof-of-concept code exists in bug reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: QEMU 7.0.0 and later

Vendor Advisory: https://gitlab.com/qemu-project/qemu/-/issues/541

Restart Required: Yes

Instructions:

1. Update QEMU to version 7.0.0 or later.
2. Restart all QEMU processes and affected virtual machines.
3. Verify the fix by checking the QEMU version.

🔧 Temporary Workarounds

Disable USB EHCI Controller

Platform: all

Remove the USB EHCI controller from QEMU virtual machine configurations, i.e. drop device options such as these from the QEMU command line or config:

qemu-system-x86_64 -device usb-ehci,id=usb -device usb-tablet,bus=usb.0,port=1

Restrict Guest Access

Platform: all

Limit which users can access QEMU guest VMs to trusted personnel only.

🧯 If You Can't Patch

  • Isolate QEMU hosts on separate network segments with strict access controls
  • Implement monitoring for QEMU process crashes and unexpected restarts

🔍 How to Verify

Check if Vulnerable:

Check the QEMU version with 'qemu-system-x86_64 --version' (or the equivalent binary for your architecture). If the version is below 7.0.0 and a USB EHCI controller is attached to any guest, the system is vulnerable.

Check Version:

qemu-system-x86_64 --version | head -1

Verify Fix Applied:

Confirm the QEMU version is 7.0.0 or higher, for example with 'qemu-system-x86_64 --version | grep -E "version ([7-9]|[1-9][0-9]+)\."' (the pattern matches major version 7 and later, so it also accepts 8.x and newer fixed releases).
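The version and configuration check above, scripted as an added example that is not part of the original advisory. It parses the first line of `qemu-system-* --version` output, compares the major version against the fixed release (7.0.0), and inspects a VM's command line for an EHCI device. The banner and command-line strings used at the bottom are constructed samples; the device names `usb-ehci` and `ich9-usb-ehci1` are assumed to be the EHCI controller models a QEMU command line would name.

```shell
#!/bin/sh
# Added example (not from the advisory or the QEMU project): classify a QEMU
# host against CVE-2021-3750 from its version banner and a VM command line.

# Extract "X.Y.Z" from a banner such as
# "QEMU emulator version 6.2.0 (Debian 1:6.2+dfsg-2ubuntu6)".
qemu_version_from_banner() {
    printf '%s\n' "$1" \
        | sed -n 's/.*version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Return 0 when version $1 is 7.0.0 or later (the release carrying the fix),
# 1 when it is older, 2 when the string cannot be parsed.
qemu_version_is_fixed() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -ge 7 ]
}

# Return 0 when the QEMU command line $1 attaches an EHCI controller.
# Device names are assumed: usb-ehci (standalone) and ich9-usb-ehci1 (q35 chipset).
qemu_cmdline_has_ehci() {
    case "$1" in
        *usb-ehci*|*ich9-usb-ehci*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine both checks into one verdict string:
#   fixed                     - QEMU is 7.0.0 or later
#   vulnerable                - older QEMU and EHCI is attached
#   unfixed-ehci-disabled     - older QEMU but no EHCI controller in this VM
#   unknown-version           - banner could not be parsed
qemu_cve_2021_3750_status() {
    banner=$1
    cmdline=$2
    version=$(qemu_version_from_banner "$banner")
    [ -n "$version" ] || { echo "unknown-version"; return 0; }
    if qemu_version_is_fixed "$version"; then
        echo "fixed"
    elif qemu_cmdline_has_ehci "$cmdline"; then
        echo "vulnerable"
    else
        echo "unfixed-ehci-disabled"
    fi
}

# Stand-alone usage with constructed sample inputs (replace the banner with
# `qemu-system-x86_64 --version` and the command line with the real VM's).
sample_banner="QEMU emulator version 6.2.0 (Debian 1:6.2+dfsg-2ubuntu6)"
sample_cmdline="qemu-system-x86_64 -M pc -device usb-ehci,id=usb -device usb-tablet,bus=usb.0,port=1"
echo "CVE-2021-3750 status: $(qemu_cve_2021_3750_status "$sample_banner" "$sample_cmdline")"
```

On a real host, feed the function the output of `qemu-system-x86_64 --version` and the command line of each running VM (for example from `ps -o args= -C qemu-system-x86_64`); only guests whose command line names an EHCI controller are exposed on an unpatched build.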

📡 Detection & Monitoring

Log Indicators:

  • QEMU process crashes with segmentation faults
  • Unexpected QEMU restarts in system logs
  • Kernel logs showing QEMU-related memory corruption

Network Indicators:

  • Sudden loss of connectivity to multiple VMs on same host
  • Unusual USB emulation traffic patterns

SIEM Query:

source="qemu.log" AND ("segmentation fault" OR "use-after-free" OR "crash")
