CVE-2021-20203: An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. Looks like no fix yet.
A few others triggerable by guests. CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html CVE-2021-20257: infinite loop in e1000 NIC emulator. Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html CVE-2021-3416: infinite loops in various NIC emulators. Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
The proposed patches are quite nontrivial. We have to wait for upstream to assess the situation. One patch landed upstream so far: commit 3de46e6fc489c52c9431a8a832ad8170a7569bd8 Author: Jason Wang <jasowang@redhat.com> Date: Wed Feb 24 13:45:28 2021 +0800 e1000: fail early for evil descriptor
