QEMUtiny: QEMU Vulnerabilities Risk Host Access

Researchers have uncovered vulnerabilities in QEMU that allow a guest system to gain root access to the host, following their earlier identification of the Fragnesia vulnerability in the Linux kernel. The issue has been dubbed QEMUtiny, although it has not yet been assigned a CVE ID. An exploit has been developed that combines two vulnerabilities in the CXL (Compute Express Link) device emulation code.

Both vulnerabilities are located in the file cxl-mailbox-utils.c. The first, present since QEMU 7.1.0, is an out-of-bounds read beyond the allocated buffer caused by an indexing error in the cmd_logs_get_log() function. The second, present since QEMU 11.0.0, is a buffer overflow in the cmd_features_set_feature() function caused by mishandled offsets within structures.
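The two bug classes named above, an unchecked guest-supplied table index and an offset/length pair that is not validated against the destination buffer, are illustrated below with a constructed, simplified mailbox-handler model. This is an added example and not QEMU's code: the structures, names (`device_state`, `set_feature_req`, `get_log_checked`, `set_feature_checked`) and sizes are hypothetical, and the point is the check a defender wants in place, including rejecting the 32-bit wrap that a naive `offset + length <= size` test accepts.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed, simplified model of a mailbox command handler. Names, layouts
 * and sizes are hypothetical; this is NOT QEMU's cxl-mailbox-utils.c code. */
#define LOG_COUNT        2
#define FEATURE_DATA_LEN 64

typedef struct {
    uint32_t offset;                  /* guest-chosen offset into feature data */
    uint32_t length;                  /* guest-chosen payload length */
    uint8_t  payload[FEATURE_DATA_LEN];
} set_feature_req;

typedef struct {
    const char *logs[LOG_COUNT];      /* "get log" table */
    uint8_t feature_data[FEATURE_DATA_LEN];
} device_state;

/* "Get log" style lookup: reject any index that is not a valid slot, so the
 * table read can never run past the end of the array. */
const char *get_log_checked(const device_state *dev, uint32_t index)
{
    if (index >= LOG_COUNT) {
        return NULL;                  /* would otherwise read out of bounds */
    }
    return dev->logs[index];
}

/* Naive range test kept for comparison: a large offset makes the 32-bit sum
 * wrap around and the test passes even though the write would overflow. */
bool naive_range_ok(uint32_t offset, uint32_t length)
{
    return offset + length <= FEATURE_DATA_LEN;
}

/* "Set feature" style write: the subtraction form cannot wrap, so it rejects
 * every (offset, length) pair that would write past feature_data. */
bool set_feature_checked(device_state *dev, const set_feature_req *req)
{
    if (req->length > FEATURE_DATA_LEN ||
        req->offset > FEATURE_DATA_LEN - req->length) {
        return false;                 /* would overflow feature_data */
    }
    memcpy(dev->feature_data + req->offset, req->payload, req->length);
    return true;
}
```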

The attack is only feasible on the current QEMU 11.0.0 branch. QEMU developers have not yet published any information about a fix for these vulnerabilities. Before disclosing the issue, the researchers informed the developers, who noted that CXL device support in QEMU was not intended for virtualization.

The exploit was tested against the QEMU codebase as of May 11, at the latest commit 5e61afe. It depends on the memory layout of the specific QEMU build and of the system libc. The researchers believe that the out-of-bounds read vulnerability could be used to build a universal exploit that works across multiple QEMU versions.
