CVE-2021-20263

Name
CVE-2021-20263
Description
A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The Linux kernel clears the 'security.capability' extended attribute (file capabilities) whenever a file is written to, so that a capability-bearing executable cannot be replaced with modified content while keeping its capabilities. When virtiofsd is run with the new 'xattrmap' option and the mapping renames guest xattrs on the host (for example by adding a prefix), the host kernel sees the renamed attribute instead of 'security.capability' and does not clear it on write, so a write from the guest can leave a modified executable that still carries its capabilities. Only configurations whose 'xattrmap' renames 'security.capability' are affected. In rare circumstances, a malicious user inside the guest could use this to elevate their privileges within the guest.
NVD Severity
low
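Whether a given deployment is affected depends on what its 'xattrmap' string does to the 'security.capability' name. The following is an added example, not code from QEMU or virtiofsd: it parses the documented ':type:scope:key:prepend:' rule form (types prefix/ok/bad/unsupported, scopes client/server/all, each rule introduced by its own separator character), applies the rules in the guest-to-host direction as virtiofsd does, and reports whether the attribute is stored on the host under a different name. The 'map' shorthand is rejected rather than expanded, a name matching no rule is treated as denied, and the three sample mapping strings are constructed for this example.

```python
"""Check whether a virtiofsd xattrmap renames the guest's security.capability.

Added illustration, not QEMU/virtiofsd code. Handles the long rule form
':type:scope:key:prepend:' only; the 'map' shorthand is rejected, and a
name that matches no rule is treated as denied (both are assumptions of
this example, not necessarily the daemon's exact behaviour).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TYPES = ("prefix", "ok", "bad", "unsupported")
SCOPES = ("client", "server", "all")


@dataclass(frozen=True)
class Rule:
    type: str     # prefix | ok | bad | unsupported
    scope: str    # client | server | all
    key: str      # matched as a prefix of names coming from the guest
    prepend: str  # added by 'prefix'; matched against names coming from the host


def parse_xattrmap(mapping: str) -> List[Rule]:
    """Parse a rule string: each rule starts with its own separator character
    (the first non-blank character) followed by four separator-terminated fields."""
    rules: List[Rule] = []
    pos, end = 0, len(mapping)
    while True:
        while pos < end and mapping[pos].isspace():   # whitespace between rules is allowed
            pos += 1
        if pos >= end:
            break
        sep = mapping[pos]
        pos += 1
        fields: List[str] = []
        while len(fields) < 4:
            nxt = mapping.find(sep, pos)
            if nxt < 0:
                raise ValueError(f"unterminated field at offset {pos}")
            fields.append(mapping[pos:nxt])
            pos = nxt + 1
            if len(fields) == 1 and fields[0] == "map":
                raise ValueError("'map' shorthand is not expanded here; use the long form")
        rtype, scope, key, prepend = fields
        if rtype not in TYPES or scope not in SCOPES:
            raise ValueError(f"bad rule {fields}")
        rules.append(Rule(rtype, scope, key, prepend))
    if not rules:
        raise ValueError("xattrmap has no rules")
    return rules


def map_client_name(rules: List[Rule], name: str) -> Tuple[str, Optional[str]]:
    """Guest -> host direction (setxattr/getxattr issued by the guest).
    Returns ('ok', host_name) or ('EPERM'/'ENOTSUP', None). First match wins."""
    for r in rules:
        if r.scope == "server" or not name.startswith(r.key):
            continue
        if r.type == "prefix":
            return "ok", r.prepend + name
        if r.type == "ok":
            return "ok", name
        return ("EPERM" if r.type == "bad" else "ENOTSUP"), None
    return "EPERM", None  # assumption: no terminating rule matched -> deny


def map_server_name(rules: List[Rule], host_name: str) -> Optional[str]:
    """Host -> guest direction (names seen in listxattr on the host).
    Returns the guest-visible name, or None when the attribute is hidden."""
    for r in rules:
        if r.scope == "client" or not host_name.startswith(r.prepend):
            continue
        if r.type == "prefix":
            return host_name[len(r.prepend):]
        if r.type == "ok":
            return host_name
        return None
    return None


def capability_xattr_escapes_kernel(mapping: str) -> bool:
    """True when the guest's security.capability lands on the host under another
    name, so the host kernel will not clear it on write (the CVE-2021-20263 case)."""
    status, host_name = map_client_name(parse_xattrmap(mapping), "security.capability")
    return status == "ok" and host_name != "security.capability"


# Constructed sample mappings in the documented syntax.
PREFIX_ALL = ":prefix:all::user.virtiofs.::bad:all:::"          # prefix everything: affected
TRUSTED_ONLY = """/prefix/all/trusted./user.virtiofs./
                  /bad/server//trusted./
                  /bad/client/user.virtiofs.//
                  /ok/all///"""                                  # security.* passes through unchanged
HIDE_SECURITY = "/bad/all/security./security.//ok/all///"        # guest cannot set security.* at all

if __name__ == "__main__":
    for label, m in (("prefix-all", PREFIX_ALL), ("trusted-only", TRUSTED_ONLY),
                     ("hide-security", HIDE_SECURITY)):
        print(f"{label}: remapped={capability_xattr_escapes_kernel(m)}")
```

Run it against the exact xattrmap string from the virtiofsd command line; a result of True means file capabilities set inside the guest survive writes unless the daemon itself drops the renamed attribute.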

References

Type URI
Mailing List https://www.openwall.com/lists/oss-security/2021/03/08/1
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1933668
CONFIRM https://security.netapp.com/advisory/ntap-20210507-0002/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:* qemu >= 5.0.0 < 5.2.50

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
qemu 3.13-community 5.2.0-r3 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable