CVE-2023-40360: 
NixOS vulnerability analysis and mitigation

QEMU through version 8.0.4 contains a NULL pointer dereference vulnerability (CVE-2023-40360) in the nvmedirectivereceive function within hw/nvme/ctrl.c. The vulnerability exists because the code fails to verify whether an endurance group is configured before checking if Flexible Data Placement is enabled (NVD, Debian Tracker).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The issue specifically occurs in the nvmedirectivereceive function where there is no validation of the endurance group configuration before accessing its properties. This vulnerability was introduced in QEMU version 8.0.0 and affects all versions up to and including 8.0.4 (NVD, Ubuntu Security).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition through a NULL pointer dereference. The impact is limited to availability, with no direct impact on confidentiality or integrity of the system (NetApp Advisory).

The vulnerability has been fixed in QEMU version 8.1.0-rc3 through a patch that adds proper validation of the endurance group configuration. The fix was implemented in commit 6c8f8456cb0b239812dee5211881426496da7b98. Users are advised to upgrade to a patched version of QEMU (QEMU Patch).