CVE-2021-3592
3.8 LOWAn invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU
Published: 2021-06-15 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 3.8 LOW
- Vector
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
- CWE
- CWE-824
Affected products
| Vendor | Product |
|---|---|
| debian | debian_linux, enterprise_linux, fedora |
| fedoraproject | debian_linux, enterprise_linux, fedora |
| libslirp_project | debian_linux, enterprise_linux, fedora |
| redhat | debian_linux, enterprise_linux, fedora |
Description
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-3592
- [Patch]https://bugzilla.redhat.com/show_bug.cgi?id=1970484
- [Other]https://lists.debian.org/debian-lts-announce/2021/09/msg00000.html
- [Other]https://lists.debian.org/debian-lts-announce/2021/09/msg00004.html
- [Other]https://lists.debian.org/debian-lts-announce/2023/03/msg00013.html
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCKWZWY64EHTOQMLVLTSZ4AA27EWRJMH/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGPQZFVJCFGDSISFXPCQTTBBD7QZLJKI/
- [Other]https://security.gentoo.org/glsa/202107-44
- [Other]https://security.netapp.com/advisory/ntap-20210805-0004/
- [Patch]https://bugzilla.redhat.com/show_bug.cgi?id=1970484
- [Other]https://lists.debian.org/debian-lts-announce/2021/09/msg00000.html
- [Other]https://lists.debian.org/debian-lts-announce/2021/09/msg00004.html
- [Other]https://lists.debian.org/debian-lts-announce/2023/03/msg00013.html
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCKWZWY64EHTOQMLVLTSZ4AA27EWRJMH/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGPQZFVJCFGDSISFXPCQTTBBD7QZLJKI/
- [Other]https://security.gentoo.org/glsa/202107-44
- [Other]https://security.netapp.com/advisory/ntap-20210805-0004/
Related CVEs
Same vendor
- CVE-2026-1767 — A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component (5.6 MEDIUM)
- CVE-2026-1766 — A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 com... (5.6 MEDIUM)
- CVE-2026-11793 — A stack buffer overflow flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11790 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11789 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
Same CWE
- CVE-2026-47908 — Dreamweaver Desktop versions 21.7 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbit... (7.8 HIGH)
- CVE-2026-47320 — Access of uninitialized pointer, Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Pointer Manipulation, Oversiz... (6.1 MEDIUM)
- CVE-2026-42959 — NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a cr... (7.5 HIGH)
- CVE-2026-2100 — A flaw was found in p11-kit (5.3 MEDIUM)
- CVE-2025-66588 — In AzeoTech DAQFactory release 20.7 (Build 2555), an access of uninitialized pointer vulnerability can be exploited by an attacker which ... (7.8 HIGH)