CVE-2023-1544 - OpenCVE

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Fedoraproject	Fedora
Qemu	Qemu Rdma

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2023-1544
https://bugzilla.redhat.com/show_bug.cgi?id=2180364
https://lists.debian.org/debian-lts-announce/2025/04/msg00042.html
https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html
https://nvd.nist.gov/vuln/detail/CVE-2023-1544
https://security.netapp.com/advisory/ntap-20230511-0005/
https://www.cve.org/CVERecord?id=CVE-2023-1544

History

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/04/msg00042.html

Mon, 03 Nov 2025 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Qemu rdma
CPEs		cpe:2.3:a:qemu:rdma::::::::
Vendors & Products		Qemu rdma
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2023-03-23T00:00:00.000Z

Updated: 2025-11-03T19:27:58.423Z

Reserved: 2023-03-21T00:00:00.000Z

Link: CVE-2023-1544

Vulnrichment

Updated: 2025-11-03T19:27:58.423Z

NVD

Status : Modified

Published: 2023-03-23T20:15:14.497

Modified: 2025-11-03T20:15:59.780

Link: CVE-2023-1544

Redhat

Severity : Low

Publid Date: 2023-02-27T00:00:00Z

Links: CVE-2023-1544 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-1544", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "assignerShortName": "fedora", "dateUpdated": "2025-11-03T19:27:58.423Z", "dateReserved": "2023-03-21T00:00:00.000Z", "datePublished": "2023-03-23T00:00:00.000Z"}, "containers": {"cna": {"title": "Qemu: pvrdma: out-of-bounds read in pvrdma_ring_next_elem_read()", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU."}], "affected": [{"versions": [{"status": "unaffected", "version": "8.2.0-rc0", "lessThan": "*", "versionType": "semver"}], "packageName": "qemu", "collectionURL": "https://gitlab.com/qemu-project/qemu", "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1544", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180364"}, {"url": "https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html"}, {"url": "https://security.netapp.com/advisory/ntap-20230511-0005/"}], "datePublic": "2023-02-27T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-125: Out-of-bounds Read", "timeline": [{"lang": "en", "time": "2023-02-27T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-02-27T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank SorryMybad (Kunlun Lab) for reporting this issue."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:34:48.957Z"}}, "adp": [{"affected": [{"vendor": "qemu", "product": "rdma", "cpes": ["cpe:2.3:a:qemu:rdma:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "8.2.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-19T18:10:20.763384Z", "id": "CVE-2023-1544", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T13:49:11.714Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1544", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180364", "tags": ["x_transferred"]}, {"url": "https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230511-0005/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00042.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:27:58.423Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1544", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180364", "tags": ["x_transferred"]}, {"url": "https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230511-0005/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00042.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:27:58.423Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-1544", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-19T18:10:20.763384Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:qemu:rdma:*:*:*:*:*:*:*:*"], "vendor": "qemu", "product": "rdma", "versions": [{"status": "affected", "version": "0", "lessThan": "8.2.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-19T18:11:52.361Z"}}], "cna": {"title": "Qemu: pvrdma: out-of-bounds read in pvrdma_ring_next_elem_read()", "credits": [{"lang": "en", "value": "Red Hat would like to thank SorryMybad (Kunlun Lab) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "unaffected", "version": "8.2.0-rc0", "lessThan": "*", "versionType": "semver"}], "packageName": "qemu", "collectionURL": "https://gitlab.com/qemu-project/qemu", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2023-02-27T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-02-27T00:00:00+00:00", "value": "Made public."}], "datePublic": "2023-02-27T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-1544", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180364"}, {"url": "https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html"}, {"url": "https://security.netapp.com/advisory/ntap-20230511-0005/"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:34:48.957Z"}, "x_redhatCweChain": "CWE-125: Out-of-bounds Read"}}, "cveMetadata": {"cveId": "CVE-2023-1544", "state": "PUBLISHED", "dateUpdated": "2025-11-03T19:27:58.423Z", "dateReserved": "2023-03-21T00:00:00.000Z", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2023-03-23T00:00:00.000Z", "assignerShortName": "fedora"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*", "matchCriteriaId": "7CCEA83E-03FB-45F9-9CE1-D3399FBD0782", "versionEndIncluding": "7.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU."}], "id": "CVE-2023-1544", "lastModified": "2025-11-03T20:15:59.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 4.0, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-03-23T20:15:14.497", "references": [{"source": "[email protected]", "url": "https://access.redhat.com/security/cve/CVE-2023-1544"}, {"source": "[email protected]", "tags": ["Issue Tracking", "Mailing List", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180364"}, {"source": "[email protected]", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html"}, {"source": "[email protected]", "url": "https://security.netapp.com/advisory/ntap-20230511-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/security/cve/CVE-2023-1544"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mailing List", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180364"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00042.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20230511-0005/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "[email protected]", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank SorryMybad (Kunlun Lab) for reporting this issue.", "bugzilla": {"description": "QEMU: pvrdma: out-of-bounds read in pvrdma_ring_next_elem_read()", "id": "2180364", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180364"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.", "A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU."], "name": "CVE-2023-1544", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm-ma", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "virt:rhel/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Not affected", "package_name": "virt:8.2/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Not affected", "package_name": "virt:av/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2023-02-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-1544\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-1544"], "statement": "The versions of `qemu-kvm` as shipped with Red Hat Enterprise Linux and RHEL Advanced Virtualization are not affected by this flaw, as they are not built with PVRDMA support.", "threat_severity": "Low"}