Vulnerability Details CVE-2023-40360
QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 6.2%
CVSS Severity
CVSS v3 Score 5.5
References
- https://gitlab.com/birkelund/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98
- https://gitlab.com/qemu-project/qemu/-/issues/1815
- https://security.netapp.com/advisory/ntap-20230915-0004/
- https://www.qemu.org/docs/master/system/security.html
- https://gitlab.com/birkelund/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98
- https://gitlab.com/qemu-project/qemu/-/issues/1815
- https://security.netapp.com/advisory/ntap-20230915-0004/
- https://www.qemu.org/docs/master/system/security.html
Products affected by CVE-2023-40360
-
cpe:2.3:a:qemu:qemu:8.0.0
-
cpe:2.3:a:qemu:qemu:8.0.1
-
cpe:2.3:a:qemu:qemu:8.0.2
-
cpe:2.3:a:qemu:qemu:8.0.3
-
cpe:2.3:a:qemu:qemu:8.0.4