STAR Labs disclosed two vulnerabilities in QEMU’s QXL para-virtualized video device, tracked as CVE-2021-4206 and CVE-2021-4207, that can trigger heap overflows during cursor handling. In the first flaw, guest-controlled cursor width and height values can cause an integer overflow in cursor_alloc(), producing an undersized heap allocation; qxl_unpack_chunks() then memcpy()s more data into that buffer than was allocated. In the second, a race condition allows guest-controlled cursor metadata to change after the allocation but before the size calculation, so the allocated size and the copy size no longer match and qxl_unpack_chunks() again writes past the heap buffer.
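To make the two defect classes concrete, the following is an added illustrative example in C, not QEMU's code: the header layout, the 512-pixel bound and all function names are assumptions. It places a size computation that wraps the way the first bug does beside a hardened routine that bounds both dimensions, checks the product before it can overflow, and reads the guest-shared header exactly once so the allocation size and the copy length cannot diverge.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of a guest-shared cursor header (not QEMU's real struct). */
struct cursor_header { uint16_t width; uint16_t height; };

/* Host-side cursor object: validated dimensions plus a trailing pixel buffer. */
struct cursor { uint16_t width, height; size_t datasize; uint8_t data[]; };

#define CURSOR_MAX_DIM 512  /* assumed sanity bound on either dimension */

/* The overflow class behind the first bug: width * height * 4 evaluated in
 * 32-bit arithmetic wraps, so a huge cursor yields a tiny (even zero) size. */
uint32_t naive32_datasize(uint32_t width, uint32_t height)
{
    return width * height * 4u;  /* wraps to 0 for 32768 x 32768 */
}

/* Hardened size computation: bound both dimensions and check the product
 * before it can wrap. Returns 0 on any violation so callers must reject. */
size_t cursor_datasize(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0 ||
        width > CURSOR_MAX_DIM || height > CURSOR_MAX_DIM) {
        return 0;
    }
    uint64_t pixels = (uint64_t)width * height;
    if (pixels > SIZE_MAX / sizeof(uint32_t)) {
        return 0;
    }
    return (size_t)pixels * sizeof(uint32_t);
}

/* Hardened allocation against the second bug: snapshot the guest-shared header
 * once, validate the snapshot, and derive both the allocation and the copy
 * length from it, so a concurrent guest write cannot desynchronise them. */
struct cursor *cursor_build(const volatile struct cursor_header *shared,
                            const uint8_t *chunk, size_t chunk_len)
{
    struct cursor_header hdr = { shared->width, shared->height }; /* one read each */
    size_t datasize = cursor_datasize(hdr.width, hdr.height);
    if (datasize == 0 || chunk_len < datasize) {
        return NULL;  /* reject rather than copy past either buffer */
    }
    struct cursor *c = malloc(sizeof(*c) + datasize);
    if (!c) { return NULL; }
    c->width = hdr.width; c->height = hdr.height; c->datasize = datasize;
    memcpy(c->data, chunk, datasize);  /* bounded by the validated snapshot */
    return c;
}
```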

The vendor released fixes for CVE-2021-4206 and CVE-2021-4207, two QXL-related heap overflow vulnerabilities in QEMU. The flaws could be exploited by a highly privileged attacker inside a guest VM using a QXL video device with VNC graphics.
STAR Labs disclosed two QEMU QXL heap overflow vulnerabilities, CVE-2021-4206 and CVE-2021-4207, to the vendor. Both issues involved guest-controlled cursor metadata leading to heap corruption under specific QXL and VNC configurations.