Message-ID: <ag1hME4sqcc_YAL6@karahi.librecast.net>
Date: Wed, 20 May 2026 09:22:24 +0200
From: Brett Sheffield <bacs@...recast.net>
To: oss-security@...ts.openwall.com
Subject: QEMU CXL Memory Corruption Vulnerability ("QEMUtiny")
v12-security have disclosed "QEMUtiny" [0]. Quoting their disclosure:
> QEMUtiny is a memory corruption vulnerability in QEMU's implementation of CXL
> Type-3 device emulation, reported against QEMU master 007b29752e and confirmed
> working against 5e61afe (May 11, 2026).
>
> QEMUtiny was discovered autonomously with V12 by Aaron Esau of the V12
> security team.
>
> The PoC chains two CXL mailbox bugs in hw/cxl/cxl-mailbox-utils.c: an
> out-of-bounds read in GET_LOG, followed by an out-of-bounds write in
> SET_FEATURE.
>
> OOB read: cmd_logs_get_log() treats the CEL log offset as an array index in
> the memmove() source expression even though the CXL mailbox offset is in
> bytes.
>
> OOB write: cmd_features_set_feature() accepts byte offsets into several
> small feature write-attribute structures without checking that offset +
> bytes_to_copy stays inside the selected structure.
>
> We reported the bugs upstream. Maintainers state CXL support is currently for
> non-virtualization use cases, so we feel comfortable releasing the PoC
> publicly.
>
> The included poc.c is a working exploit that drives the emulated CXL mailbox
> from the guest through the device BAR. It depends on offsets for the specific
> QEMU build and host libc layout. The exploit can be weaponized to work
> reliably across many QEMU versions using the OOB read to scan memory. However
> this is out of scope for this PoC.
See [1] for PoC code.
>
> ...
>
> Affected Versions
>
> The full QEMUtiny chain uses two bugs.
>
> OOB read: the vulnerable GET_LOG path was introduced by 056172691b
> (hw/cxl/device: Add log commands (8.2.9.4) + CEL), first released in QEMU
> v7.1.0.
>
> OOB write: the vulnerable PPR and memory sparing SET_FEATURE paths were
> introduced by 5e5a86bab8 and da5cafdc4d, released in QEMU v11.0.0.
[0] https://github.com/v12-security/pocs/tree/main/qemu
[1] https://github.com/v12-security/pocs/blob/main/qemu/poc.c
--
Brett Sheffield (he/him)
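The two handler defects the disclosure describes, a byte offset used as a typed-array index in GET_LOG and a SET_FEATURE write whose offset + length is never checked against the selected structure, as a constructed C illustration added here (not QEMU's code and not the PoC; the state layout, command names, sizes and the two driver functions are assumptions). Each buggy handler sits beside a hardened form whose range check is written so that it cannot wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an emulated mailbox device's state. Assumption:
 * this illustrates the two bug classes only; it is not QEMU's data layout. */
#define LOG_ENTRIES   8
#define LOG_BYTES     (LOG_ENTRIES * sizeof(uint32_t))   /* 32 bytes */
#define PAYLOAD_MAX   32                                 /* request payload cap */
#define MBOX_OK        0
#define MBOX_ERR      -1

enum feat_id { FEAT_SMALL, FEAT_LARGE };
struct feat_small { uint8_t attr[4]; };    /* small write-attribute structures */
struct feat_large { uint8_t attr[12]; };

struct mbox_state {
    uint32_t cel_log[LOG_ENTRIES];
    uint8_t  beyond_log[64];    /* neighbouring memory: makes an OOB read observable */
    struct feat_small small;
    struct feat_large large;
    uint8_t  beyond_feat[16];   /* neighbouring memory: makes an OOB write observable */
};

static void init_state(struct mbox_state *st)
{
    for (uint32_t i = 0; i < LOG_ENTRIES; i++)
        st->cel_log[i] = 0x01010101u * (i + 1);          /* entry 4 is 0x05050505 */
    memset(st->beyond_log, 0xAA, sizeof st->beyond_log);
    memset(&st->small, 0, sizeof st->small);
    memset(&st->large, 0, sizeof st->large);
    memset(st->beyond_feat, 0xBB, sizeof st->beyond_feat);
}

/* GET_LOG, buggy form: 'offset' arrives in bytes, but the source expression
 * treats it as an index into the uint32_t array (spelled out here as the byte
 * arithmetic that &cel_log[offset] performs), so the read starts at 4*offset. */
static int get_log_buggy(const struct mbox_state *st, uint32_t offset,
                         uint32_t len, uint8_t *out)
{
    if (len > PAYLOAD_MAX)
        return MBOX_ERR;                  /* only the payload length is checked */
    const uint8_t *src = (const uint8_t *)st->cel_log + (size_t)offset * sizeof(uint32_t);
    memmove(out, src, len);
    return MBOX_OK;
}

/* GET_LOG, hardened: offset is used as the byte offset it is, and the range
 * check is written as len > size - offset so offset + len cannot wrap. */
static int get_log_fixed(const struct mbox_state *st, uint32_t offset,
                         uint32_t len, uint8_t *out)
{
    if (len > PAYLOAD_MAX || offset > LOG_BYTES || len > LOG_BYTES - offset)
        return MBOX_ERR;
    memmove(out, (const uint8_t *)st->cel_log + offset, len);
    return MBOX_OK;
}

/* Select the attribute structure for a feature id; returns its size, or 0. */
static size_t select_feature(struct mbox_state *st, enum feat_id id, uint8_t **dst)
{
    switch (id) {
    case FEAT_SMALL: *dst = st->small.attr; return sizeof st->small;
    case FEAT_LARGE: *dst = st->large.attr; return sizeof st->large;
    }
    return 0;
}

/* SET_FEATURE, buggy form: the structure is selected and its size is known,
 * but offset + n is never compared against it. */
static int set_feature_buggy(struct mbox_state *st, enum feat_id id,
                             uint32_t offset, const uint8_t *data, uint32_t n)
{
    uint8_t *dst;
    if (n > PAYLOAD_MAX || select_feature(st, id, &dst) == 0)
        return MBOX_ERR;
    memcpy(dst + offset, data, n);
    return MBOX_OK;
}

/* SET_FEATURE, hardened: the write must stay inside the selected structure. */
static int set_feature_fixed(struct mbox_state *st, enum feat_id id,
                             uint32_t offset, const uint8_t *data, uint32_t n)
{
    uint8_t *dst;
    size_t size = select_feature(st, id, &dst);
    if (n > PAYLOAD_MAX || size == 0 || offset > size || n > size - offset)
        return MBOX_ERR;
    memcpy(dst + offset, data, n);
    return MBOX_OK;
}

/* Drive GET_LOG on a fresh state; returns the first byte copied, or -1 if rejected.
 * The volatile copies keep the request values opaque to the compiler, as they
 * would be when they come from a guest at run time. */
static int get_log_first_byte(int hardened, uint32_t offset, uint32_t len)
{
    volatile uint32_t off = offset, n = len;
    struct mbox_state st;
    uint8_t out[PAYLOAD_MAX] = {0};
    init_state(&st);
    int rc = hardened ? get_log_fixed(&st, off, n, out) : get_log_buggy(&st, off, n, out);
    return rc == MBOX_OK ? out[0] : -1;
}

/* Drive SET_FEATURE on the 12-byte structure with 0xCC data; returns the byte
 * just past that structure (0xBB untouched, 0xCC if the write spilled), or -1. */
static int set_feature_spill_byte(int hardened, uint32_t offset, uint32_t count)
{
    volatile uint32_t off = offset, n = count;
    struct mbox_state st;
    uint8_t data[PAYLOAD_MAX];
    memset(data, 0xCC, sizeof data);
    init_state(&st);
    int rc = hardened ? set_feature_fixed(&st, FEAT_LARGE, off, data, n)
                      : set_feature_buggy(&st, FEAT_LARGE, off, data, n);
    return rc == MBOX_OK ? st.beyond_feat[0] : -1;
}

int main(void)
{
    printf("GET_LOG   byte offset 16: buggy reads 0x%02x, fixed reads 0x%02x\n",
           get_log_first_byte(0, 16, 8), get_log_first_byte(1, 16, 8));
    printf("SET_FEATURE offset 8 + 8: buggy spills 0x%02x, fixed returns %d\n",
           set_feature_spill_byte(0, 8, 8), set_feature_spill_byte(1, 8, 8));
    return 0;
}
```

The detection angle is the same in both handlers: the untrusted values are a byte offset and a length, so the check has to be against the byte size of the object actually addressed, and `n > size - offset` (after `offset > size`) is the form that stays correct when `offset + n` would overflow a 32-bit field.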