CVE-2021-3545: 
NixOS vulnerability analysis and mitigation

CVE-2021-3545 is an information disclosure vulnerability discovered in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU versions up to and including 6.0. The vulnerability was identified in the virglcmdgetcapsetinfo() function within contrib/vhost-user-gpu/virgl.c, which could occur due to the read of uninitialized memory. The issue was discovered and reported by Li Qiang of Tianchen Security Lab (Ant Group) and was disclosed on May 31, 2021 (CVE Details, OSS Security).

The vulnerability exists in the virglcmdgetcapsetinfo() function located in contrib/vhost-user-gpu/virgl.c of QEMU's vhost-user GPU implementation. The issue stems from reading uninitialized memory, which could potentially expose sensitive information. The vulnerability was addressed in upstream commit 121841b2 (OSS Security).

When successfully exploited, this vulnerability could allow a malicious guest to leak memory from the host system, potentially exposing sensitive information. The vulnerability received a CVSS v3.1 score of 6.5 (MEDIUM) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (NetApp Advisory).

The vulnerability was fixed in QEMU version 7.0.0. Users are advised to upgrade to this version or later to address the issue. The fix was implemented through upstream commit 121841b2 in the QEMU project repository (OSS Security, Gentoo Security).