An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
Looks like no fix yet.
A few others triggerable by guests.
CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
CVE-2021-20257: infinite loop in e1000 NIC emulator.
Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html
CVE-2021-3416: infinite loops in various NIC emulators.
Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
The proposed patches are quite nontrivial. We have to wait for upstream to assess the situation.
One patch landed upstream so far:
Author: Jason Wang <email@example.com>
Date: Wed Feb 24 13:45:28 2021 +0800
e1000: fail early for evil descriptor