Moderate: qemu-kvm security and bug fix update

Topic

An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

Security Fix(es):

• QEMU: virtio-net: map leaking on error during receive (CVE-2022-26353)
• QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak (CVE-2022-26354)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

• RHEL 9.0 guest with vsock device migration failed from RHEL 9.0 > RHEL 8.6 (BZ#2071102)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

Affected Products

• Red Hat Enterprise Linux for IBM z Systems 9 s390x

Fixes

• BZ - 2063197 - CVE-2022-26353 QEMU: virtio-net: map leaking on error during receive
• BZ - 2063257 - CVE-2022-26354 QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak

CVEs

• CVE-2022-26353
• CVE-2022-26354

References

• https://access.redhat.com/security/updates/classification/#moderate