CVE-2022-1050: 
NixOS vulnerability analysis and mitigation

A flaw was discovered in the QEMU implementation of VMWare's paravirtual RDMA device (CVE-2022-1050). This vulnerability, reported on March 29, 2022, allows a crafted guest driver to execute hardware commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition. The vulnerability affects QEMU versions up to 6.2.0 (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The flaw is classified as CWE-416 (Use After Free) and specifically affects the QEMU implementation when processing hardware commands in the paravirtual RDMA device (NVD, Red Hat Bugzilla).

The vulnerability could allow a privileged guest user to potentially execute arbitrary code with the privileges of the QEMU process on the host, leading to a denial of service condition or system compromise. The impact is particularly severe in virtualized environments where QEMU is used for hardware emulation (Debian LTS).

The vulnerability has been fixed in QEMU version 8.0.0. Various Linux distributions have released patches for their respective versions. For Debian 10 (buster), the fix was included in version 1:3.1+dfsg-8+deb10u10, although PVRDMA was disabled in this release. Ubuntu users can run 'sudo pro fix USN-6167-1' to address the vulnerability (Debian LTS, Red Hat Bugzilla).