CVE-2021-3544: 
NixOS vulnerability analysis and mitigation

Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The vulnerabilities exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory after effective lifetime (CVE Database, Ubuntu Security).

The vulnerability affects the virtio vhost-user GPU device implementation in QEMU, specifically in the files vhost-user-gpu/vhost-user-gpu.c and vhost-user-gpu/virgl.c. Multiple memory leaks were identified in various functions including vgresourcecreate2d(), vgresourceattachbacking(), vgresourcedestroy(), virglcmdresourceunref(), and virglresourceattachbacking() (OSS Security, Red Hat Bugzilla).

The memory leaks could allow a malicious guest to leak memory from the host system or potentially crash the QEMU process on the host, resulting in a denial of service condition. The vulnerability has been assigned a CVSS score of 6.5 (MEDIUM) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H (NetApp Security).

The issues have been fixed in QEMU version 7.0.0 and later. Multiple patches were released to address the memory leaks, with fixes implemented through several commits to the QEMU project repository. For systems that cannot be immediately updated, there are no known workarounds (Gentoo Security).