Impact
A flaw in freedesktop.org libslirp allows an out‑of‑bounds heap read and integer underflow during TCP urgent data handling. By sending crafted TCP segments that manipulate the URG flag and urgent pointer, an attacker can read up to gigabytes of host heap memory. The exposed data may include sensitive information such as credentials or cryptographic material, representing a confidentiality breach (CWE‑125). The CVSS score of 6.5 reflects that the impact is limited to data leakage rather than direct control or denial.
Affected Systems
The vulnerability exists in libslirp versions before v4.9.2. Hosts running the library in hyper‑visor environments such as QEMU are affected. No mention of newer major releases indicates that only older builds are vulnerable.
Risk and Exploitability
Exploitation requires a privileged guest VM attacker with root or CAP_NET_RAW capabilities to send the malicious packets. The flaw is not listed in CISA KEV, and no EPSS score is available, suggesting no documented exploitation yet. Given the need for host‑level privileges and the data‑leak nature, the overall risk is moderate until the package is updated.
OpenCVE Enrichment