CVE-2019-20382

QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.

Published: Mar 5, 2020
Updated: Apr 13, 2023
CVE: CVE-2019-20382
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.5
AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CVSS v2:

Severity: Low
Score: 2.7
AV:A/AC:L/Au:S/C:N/I:N/A:P

CWEs:

CWE-401

Affected Software
References

Software	From	Fixed in
qemu / qemu	4.1.0	4.1.0.x
opensuse / leap	15.1	15.1.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	19.10	19.10.x
canonical / ubuntu_linux	20.04	20.04.x
canonical / ubuntu_linux	16.04	16.04.x

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00007.html
http://www.openwall.com/lists/oss-security/2020/03/05/1
https://git.qemu.org/?p=qemu.git;a=commit;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0
https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0
https://lists.debian.org/debian-lts-announce/2020/07/msg00020.html
https://usn.ubuntu.com/4372-1/
https://www.debian.org/security/2020/dsa-4665

Vulnerability Database

CVE-2019-20382

Deep Security Visibility Without the Complexity