CVE-2021-3546: 
NixOS vulnerability analysis and mitigation

An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIOGPUCMDGETCAPSET' command from the guest. This vulnerability is tracked as CVE-2021-3546 and was discovered in early 2021 (MITRE CVE, NVD).

The vulnerability exists in the virglcmdgetcapset() function in contrib/vhost-user-gpu/virgl.c and occurs during the processing of the 'VIRTIOGPUCMDGET_CAPSET' command. This issue is analogous to CVE-2016-10028 in virtio-gpu-3d. The vulnerability has a CVSS base score of 8.2 (High) with the vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (Ubuntu Security).

When successfully exploited, this vulnerability could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute code with the privileges of the QEMU process (MITRE CVE, Red Hat Bugzilla).

The vulnerability has been fixed in QEMU version 6.1 and later. For systems that cannot immediately update, it is recommended to only expose the web interface to trusted networks and not to the internet. Several Linux distributions have released patches for their respective versions, including Ubuntu, Debian (in version 1:5.2+dfsg-11+deb11u1), and Gentoo (Debian Security, Gentoo Security).