The world of virtualization is full of hidden corners, and sometimes fixing one security bug can plant the seeds for another. That’s the story behind CVE-2022-26353, a memory leak in *QEMU’s virtio-net* device that could cause real trouble if left unpatched. Let’s break down what happened, why it matters, how you can see it in code, and where to go for more details.
QEMU is an open-source machine emulator and virtualizer.
- *virtio-net* is a virtual network device driver that helps connect virtual machines (VMs) to networks with high performance.
QEMU is widely used as part of KVM (Kernel-based Virtual Machine) and in many cloud solutions, so bugs in QEMU can affect everything from desktop virtualization to cloud servers.
The Cause: Fixing One Bug, Creating Another
The root of CVE-2022-26353 starts with another vulnerability: CVE-2021-3748. The developers fixed that bug, but the fix introduced a new issue in QEMU version 6.2..
CVE-2021-3748 fix added some error-handling code to virtio-net.
- However, they forgot to *unmap* the cached virtqueue elements—the memory chunks used for communication between the guest and host—when an error occurred.
As a result, on every error, these memory chunks were not freed, creating a memory leak.
If this happened repeatedly, it could waste host system memory, slow down performance, or even crash the hypervisor.
Technical Details: Looking at the Code
Let’s look at a simplified code snippet to understand what went wrong.
Good Intentions, Bad Outcome
The *vring* (virtio ring) maps guest memory buffers into the host’s address space. When an error happens, we need to unmap any cached mappings or they’ll get “lost.”
Here’s the problematic code structure (simplified)
int virtio_net_receive(VirtIONet *n, ...) {
...
ret = map_virtqueue_elem(s);
if (ret < ) {
// Oops! Forgot to unmap on error
return ret;
}
// Use the mapped elements
...
// Unmap at the end (only if no error)
unmap_virtqueue_elem(s);
}
What *should* happen is that unmap_virtqueue_elem(s); needs to be called on every error path—not just when everything succeeds. Miss this and you leak memory.
The developers patched QEMU by making sure the cleanup/unmap was always run
int virtio_net_receive(VirtIONet *n, ...) {
...
ret = map_virtqueue_elem(s);
if (ret < ) {
unmap_virtqueue_elem(s); // Always unmap on error!
return ret;
}
// Normal use
...
unmap_virtqueue_elem(s); // Also on normal path
}
This ensures any allocated or mapped memory is freed, even in error cases.
Exploiting the Flaw
This bug is not a classic remote code execution or privilege escalation. Instead, it’s a denial-of-service (DoS) vector:
- If a malicious (or buggy) guest keeps triggering the same error, QEMU’s process will keep leaking memory.
- Eventually, the host can run out of memory, which may trigger the OOM (Out-Of-Memory) killer or badly degrade performance.
In multi-tenant environments (like public clouds), this could let one guest impact other guests.
Exploit example: A crafted guest network driver sends certain network descriptors that always hit the error path, causing QEMU to leak memory in a loop until the host crashes.
Affected Versions
QEMU version 6.2. is known to be affected. Other versions might be safe, especially with recent patches.
Recommendations
1. Upgrade QEMU: Make sure you’re using the latest QEMU version. Maintainers fixed this and other related bugs.
2. Monitor your hosts: If you’re using affected versions, keep an eye on QEMU process memory usage.
3. Limit VM resource usage: Proper resource limits (like cgroups in Linux) can prevent a single VM from crashing your whole host.
References and Further Reading
- QEMU Security Advisory
- CVE-2022-26353 at NVD
- QEMU virtio-net source code
- QEMU Patch for CVE-2022-26353
Final Thoughts
CVE-2022-26353 stands as a reminder: even tiny oversights in error handling can have real-world effects in critical system code. If you operate virtualized environments with QEMU, double-check your version and patches. Neglecting these details could put your infrastructure at risk—from a slow memory leak, or a determined attacker aiming for DoS.
Timeline
Published on: 03/16/2022 15:15:00 UTC
Last modified on: 08/15/2022 11:19:00 UTC