{"id":"CVE-2021-3748","details":"A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.","modified":"2026-04-11T16:26:05.869179Z","published":"2022-03-23T20:15:09.893Z","related":["ALSA-2022:1759","SUSE-SU-2021:3519-1","SUSE-SU-2021:3604-1","SUSE-SU-2021:3605-1","SUSE-SU-2021:3613-1","SUSE-SU-2021:3614-1","SUSE-SU-2021:3635-1","SUSE-SU-2021:3653-1","openSUSE-SU-2021:1461-1","openSUSE-SU-2021:3604-1","openSUSE-SU-2021:3605-1","openSUSE-SU-2021:3614-1","openSUSE-SU-2024:11597-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220425-0004/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/04/msg00002.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202208-27"},{"type":"FIX","url":"https://ubuntu.com/security/CVE-2021-3748"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1998514"},{"type":"FIX","url":"https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6"},{"type":"FIX","url":"https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg00388.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/qemu/qemu","events":[{"introduced":"25c4fde17775821182a76fb8ea2ba2223c5729b9"},{"fixed":"44f28df24767cf9dca1ddc9b23157737c4cbb645"},{"introduced":"0"},{"last_affected":"c25df57ae8f9fe1c72eee2dab37d76d904ac382e"},{"introduced":"0"},{"last_affected":"7c949c53e936aa3a658d84ab53bae5cadaa5d59c"},{"introduced":"0"},{"last_affected":"c1eb2ddf0f8075faddc5f7c3d39feae3e8e9d6b4"},{"fixed":"bedd7e93d01961fcb16a97ae45d93acf357e11f6"}],"database_specific":{"versions":[{"introduced":"0.10.0"},{"fixed":"6.2.0"},{"introduced":"0"},{"last_affected":"9.0"},{"introduced":"0"},{"last_affected":"10.0"},{"introduced":"0"},{"last_affected":"8.0"}]}}],"versions":["v0.1.0","v0.1.1","v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.11.0-rc0","v0.12.0-rc0","v0.13.0-rc0","v0.14.0-rc0","v0.2.0","v0.3.0","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.4.4","v0.5.0","v1.0","v1.0-rc0","v1.0-rc1","v1.0-rc2","v1.0-rc3","v1.0-rc4","v1.1-rc0","v1.1-rc1","v1.1-rc2","v1.1.0","v1.1.0-rc2","v1.1.0-rc3","v1.1.0-rc4","v1.2.0","v1.2.0-rc0","v1.2.0-rc1","v1.2.0-rc2","v1.2.0-rc3","v1.3.0","v1.3.0-rc0","v1.3.0-rc1","v1.3.0-rc2","v1.4.0","v1.4.0-rc0","v1.4.0-rc1","v1.4.0-rc2","v1.5.0","v1.5.0-rc0","v1.5.0-rc1","v1.5.0-rc2","v1.5.0-rc3","v1.6.0","v1.6.0-rc0","v1.6.0-rc1","v1.6.0-rc2","v1.6.0-rc3","v1.7.0","v1.7.0-rc0","v1.7.0-rc1","v1.7.0-rc2","v10.0.0","v10.0.0-rc0","v10.0.0-rc1","v10.0.0-rc2","v10.0.0-rc3","v10.0.0-rc4","v2.0.0","v2.0.0-rc0","v2.0.0-rc1","v2.0.0-rc2","v2.0.0-rc3","v2.1.0","v2.1.0-rc0","v2.1.0-rc1","v2.1.0-rc2","v2.1.0-rc3","v2.1.0-rc4","v2.1.0-rc5","v2.10.0","v2.10.0-rc0","v2.10.0-rc1","v2.10.0-rc2","v2.10.0-rc3","v2.10.0-rc4","v2.11.0","v2.11.0-rc0","v2.11.0-rc1","v2.11.0-rc2","v2.11.0-rc3","v2.11.0-rc4","v2.11.0-rc5","v2.12.0","v2.12.0-rc0","v2.12.0-rc1","v2.12.0-rc2","v2.12.0-rc3","v2.12.0-rc4","v2.2.0","v2.2.0-rc0","v2.2.0-rc1","v2.2.0-rc2","v2.2.0-rc3","v2.2.0-rc4","v2.2.0-rc5","v2.3.0","v2.3.0-rc0","v2.3.0-rc1","v2.3.0-rc2","v2.3.0-rc3","v2.3.0-rc4","v2.4.0","v2.4.0-rc0","v2.4.0-rc1","v2.4.0-rc2","v2.4.0-rc3","v2.4.0-rc4","v2.5.0","v2.5.0-rc0","v2.5.0-rc1","v2.5.0-rc2","v2.5.0-rc3","v2.5.0-rc4","v2.6.0","v2.6.0-rc0","v2.6.0-rc1","v2.6.0-rc2","v2.6.0-rc3","v2.6.0-rc4","v2.6.0-rc5","v2.7.0","v2.7.0-rc0","v2.7.0-rc1","v2.7.0-rc2","v2.7.0-rc3","v2.7.0-rc4","v2.7.0-rc5","v2.8.0","v2.8.0-rc0","v2.8.0-rc1","v2.8.0-rc2","v2.8.0-rc3","v2.8.0-rc4","v2.9.0","v2.9.0-rc0","v2.9.0-rc1","v2.9.0-rc2","v2.9.0-rc3","v2.9.0-rc4","v2.9.0-rc5","v3.0.0","v3.0.0-rc0","v3.0.0-rc1","v3.0.0-rc2","v3.0.0-rc3","v3.0.0-rc4","v3.1.0","v3.1.0-rc0","v3.1.0-rc1","v3.1.0-rc2","v3.1.0-rc3","v3.1.0-rc4","v3.1.0-rc5","v4.0.0","v4.0.0-rc0","v4.0.0-rc1","v4.0.0-rc2","v4.0.0-rc3","v4.0.0-rc4","v4.1.0","v4.1.0-rc0","v4.1.0-rc1","v4.1.0-rc2","v4.1.0-rc3","v4.1.0-rc4","v4.1.0-rc5","v4.2.0","v4.2.0-rc0","v4.2.0-rc1","v4.2.0-rc2","v4.2.0-rc3","v4.2.0-rc4","v4.2.0-rc5","v5.0.0","v5.0.0-rc0","v5.0.0-rc1","v5.0.0-rc2","v5.0.0-rc3","v5.0.0-rc4","v5.1.0","v5.1.0-rc0","v5.1.0-rc1","v5.1.0-rc2","v5.1.0-rc3","v5.2.0","v5.2.0-rc0","v5.2.0-rc1","v5.2.0-rc2","v5.2.0-rc3","v5.2.0-rc4","v6.0.0","v6.0.0-rc0","v6.0.0-rc1","v6.0.0-rc2","v6.0.0-rc3","v6.0.0-rc4","v6.0.0-rc5","v6.1.0","v6.1.0-rc0","v6.1.0-rc1","v6.1.0-rc2","v6.1.0-rc3","v6.1.0-rc4","v6.2.0","v6.2.0-rc0","v6.2.0-rc1","v6.2.0-rc3","v6.2.0-rc4","v7.0.0","v7.0.0-rc0","v7.0.0-rc1","v7.0.0-rc2","v7.0.0-rc3","v7.0.0-rc4","v7.1.0","v7.1.0-rc0","v7.1.0-rc1","v7.1.0-rc2","v7.1.0-rc3","v7.1.0-rc4","v7.2.0","v7.2.0-rc0","v7.2.0-rc1","v7.2.0-rc2","v7.2.0-rc3","v7.2.0-rc4","v8.0.0","v8.0.0-rc0","v8.0.0-rc1","v8.0.0-rc2","v8.0.0-rc3","v8.0.0-rc4","v8.1.0","v8.1.0-rc0","v8.1.0-rc1","v8.1.0-rc2","v8.1.0-rc3","v8.1.0-rc4","v8.2.0","v8.2.0-rc0","v8.2.0-rc1","v8.2.0-rc2","v8.2.0-rc3","v8.2.0-rc4","v9.0.0","v9.0.0-rc0","v9.0.0-rc1","v9.0.0-rc2","v9.0.0-rc3","v9.0.0-rc4","v9.1.0","v9.1.0-rc0","v9.1.0-rc1","v9.1.0-rc2","v9.1.0-rc3","v9.1.0-rc4","v9.2.0","v9.2.0-rc0","v9.2.0-rc1","v9.2.0-rc2","v9.2.0-rc3"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"20.04"}]},{"events":[{"introduced":"0"},{"last_affected":"21.10"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]}],"vanir_signatures_modified":"2026-04-11T16:26:05Z","vanir_signatures":[{"signature_version":"v1","digest":{"function_hash":"14770436477810317024841570451115134811","length":2573},"id":"CVE-2021-3748-63a59022","target":{"file":"hw/net/virtio-net.c","function":"virtio_net_receive_rcu"},"signature_type":"Function","source":"https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["139153011538441137443425885686769242333","19540242830036793152453911828632731321","261971490103105366185518487713065779809","274886746361350886814583306928039415769","117959129944310761007430404673458701437","5575847093833653024836064788740198304","164237186261067155017967658108932275749","41568830874794595423836708667899720764","204979634018619945530189025481137025000","200236562904088385766774625108108467906","81898909521356078802753323202918312736","276622600102277512342777352275962185101","17686686804455707955864788085310989909","170904657820958641358685323667703360232","20732383499291189554247390592397864623","104773052961933199236430616329051629652","30148309516638926374883201050847486195","263405443713322288624440308518443648446","43538856978998950359608723105896316473","135835704044671834425133687155795544491","53527990305242486942412336048341160685","298719444517055338988398675801988708732","162604734227819747815593254388199626104","202154863577782391529005710899301295034","102630445816527384348936569443744793486","107375714520255535024167627018508704968","337770536592677363347602484056375594828","329754777237505547929585834740495934718","309636159462361027173374396889853120124","172880516596470903830738622624501085703","112643539357749891484797476986660340522","259192748648542531221030014246801045362"]},"id":"CVE-2021-3748-b289847e","target":{"file":"hw/net/virtio-net.c"},"signature_type":"Line","source":"https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3748.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}]}