CVE-2022-26353 – A memory leak vulnerability in QEMU's virtio-ne... (How to Fix)

Q: What is the severity of CVE-2022-26353?

CVE-2022-26353 has a CVSS score of 7.5 (HIGH). A memory leak vulnerability in QEMU's virtio-net device occurs when cached virtqueue elements aren't unmapped during error conditions. This flaw affects QEMU version 6.2.0 and can lead to memory exhaustion and unexpected behavior in virtualized environments. Organizations using QEMU for virtualization with virtio-net devices are affected.

📋 TL;DR

A memory leak vulnerability in QEMU's virtio-net device occurs when cached virtqueue elements aren't unmapped during error conditions. This flaw affects QEMU version 6.2.0 and can lead to memory exhaustion and unexpected behavior in virtualized environments. Organizations using QEMU for virtualization with virtio-net devices are affected.

💻 Affected Systems

Products:

QEMU

Versions: 6.2.0 only

Operating Systems: Linux distributions with QEMU 6.2.0, Other OS using QEMU virtualization

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects configurations using virtio-net devices. The vulnerability was introduced by the fix for CVE-2021-3748.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Qemu by Qemu

View all CVEs affecting Qemu →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory exhaustion leading to QEMU process crash, denial of service for all VMs on the host, and potential data loss from interrupted virtual machines.

🟠

Likely Case

Gradual memory consumption causing performance degradation in virtualized environments, potentially requiring host reboots to restore normal operation.

🟢

If Mitigated

Limited impact with proper monitoring and resource limits, though still requiring eventual patching to prevent accumulation issues.

🌐 Internet-Facing: LOW - QEMU is typically used internally for virtualization, not directly exposed to the internet.

🏢 Internal Only: MEDIUM - Affects virtualization infrastructure that could impact multiple internal systems and services.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires triggering error conditions in virtio-net operations, which may require specific network configurations or workloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 6.2.0, specifically fixed in commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37

Vendor Advisory: https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html

Restart Required: Yes

Instructions:

1. Update QEMU to version 6.2.1 or later. 2. For Linux distributions, use package manager: 'sudo apt update && sudo apt upgrade qemu' (Debian/Ubuntu) or 'sudo yum update qemu' (RHEL/CentOS). 3. Restart QEMU processes and affected virtual machines.

🔧 Temporary Workarounds

Disable virtio-net

all

Use alternative network device types instead of virtio-net for virtual machines

Modify VM configuration to use e1000 or other network device types instead of virtio

Resource monitoring and limits

linux

Implement strict memory limits and monitoring for QEMU processes

Set memory limits: 'systemctl set-property qemu.service MemoryMax=value'
Monitor with: 'watch -n 5 ps aux | grep qemu'

🧯 If You Can't Patch

Monitor QEMU process memory usage closely and restart if abnormal growth is detected
Consider migrating critical VMs to unaffected QEMU versions or alternative virtualization platforms

🔍 How to Verify

Check if Vulnerable:

Check QEMU version: 'qemu-system-x86_64 --version' and verify if it's exactly 6.2.0

Check Version:

qemu-system-x86_64 --version | head -1

Verify Fix Applied:

Verify QEMU version is 6.2.1 or later, or check if commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37 is present in source

📡 Detection & Monitoring

Log Indicators:

Increasing memory usage by QEMU processes over time
OOM killer events related to QEMU
VM crashes or unexpected restarts

Network Indicators:

Degraded VM network performance as memory pressure increases

SIEM Query:

process.name:qemu AND (memory.usage > threshold OR event.type:oom_kill)

📊 Metadata

CVE ID: CVE-2022-26353

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-772

Published: March 16, 2022

Last Updated: November 21, 2024

🔗 References

https://gitlab.com/qemu-project/qemu/-/commit/abe300d9d894f7138e1af7c8e9c88c04bfe98b37 Patch,Third Party Advisory
https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html Mailing List,Patch,Vendor Advisory
https://security.gentoo.org/glsa/202208-27 Third Party Advisory
https://security.netapp.com/advisory/ntap-20220425-0003/ Third Party Advisory
https://www.debian.org/security/2022/dsa-5133 Third Party Advisory
https://gitlab.com/qemu-project/qemu/-/commit/abe300d9d894f7138e1af7c8e9c88c04bfe98b37 Patch,Third Party Advisory
https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html Mailing List,Patch,Vendor Advisory
https://security.gentoo.org/glsa/202208-27 Third Party Advisory
https://security.netapp.com/advisory/ntap-20220425-0003/ Third Party Advisory
https://www.debian.org/security/2022/dsa-5133 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-26353, you might also want to check these: