PatchSiren cyber security CVE debrief

CVE-2023-3019 Redhat CVE debrief

CVE-2023-3019 is a denial-of-service vulnerability in QEMU’s e1000e NIC emulation. The flaw is described as a DMA reentrancy issue that can lead to a use-after-free condition. In affected environments, a privileged guest user may be able to crash the QEMU process on the host. The practical impact is host-side service disruption rather than direct data compromise, but virtualization platforms that rely on QEMU should treat it as important patching debt, especially when guests are trusted to exercise advanced device paths.

Vendor: Redhat
Product: CVE-2023-3019
CVSS: MEDIUM 6
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-07-24
Original CVE updated: 2026-05-12
Advisory published: 2023-07-24
Advisory updated: 2026-05-12

Who should care

Organizations running QEMU-based virtualization stacks, including hosts that expose the e1000e virtual NIC to guests. This includes infrastructure teams, cloud/virtualization operators, and downstream users of vendor-packaged QEMU such as Red Hat-supported environments referenced in the advisories.

Technical summary

NVD and vendor references describe CVE-2023-3019 as a use-after-free in QEMU’s e1000e emulation caused by DMA reentrancy. The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H, indicating local access with high privileges inside the guest and a host availability impact. NVD maps the weakness to CWE-416. The affected upstream QEMU range is identified as versions before 8.2.0, and Red Hat advisories reference downstream fixes for supported enterprise Linux releases.

Defensive priority

Medium. The issue requires privileged guest activity, but it can terminate the host-side QEMU process and disrupt virtual machines. Prioritize remediation on virtualization hosts that use the e1000e device model or that aggregate many workloads on shared hypervisors.

Recommended defensive actions

  • Upgrade QEMU to a version that includes the fix; NVD identifies the vulnerable upstream range as releases before 8.2.0.
  • Apply the relevant vendor security updates and errata for supported Red Hat Enterprise Linux environments referenced in the advisory set.
  • Review whether your workloads actually need the e1000e virtual NIC emulation path, and track vendor guidance for product-specific mitigation or package updates.
  • Validate host patch status across all hypervisors, not just a sample subset, because the impact is process-level denial of service on the QEMU host process.
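The third and fourth actions above (find which guests actually use the e1000e device model, and check every hypervisor rather than a sample) can be turned into a fleet-wide inventory check. The following is an added example written for this debrief, not a tool from QEMU, libvirt or Red Hat. It assumes you have already collected, per host, the `qemu-system-* --version` banner and the libvirt domain XML of each guest; the host records and XML fragments below are constructed sample data. The 8.2.0 threshold comes from the NVD range quoted in the text; because vendor packages frequently backport fixes without bumping the upstream version, a host below 8.2.0 is reported as "check-errata" rather than flatly "vulnerable".

```python
import re
import xml.etree.ElementTree as ET

# Upstream version at which NVD's vulnerable range ends (from the debrief text).
FIXED_UPSTREAM = (8, 2, 0)


def parse_qemu_version(banner):
    """Extract (major, minor, patch) from a `qemu-system-* --version` banner.
    Distro suffixes such as '(qemu-kvm-7.2.0-14.el9_2)' are ignored."""
    m = re.search(r"version\s+(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError(f"unrecognised QEMU version banner: {banner!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def upstream_status(banner):
    """'fixed' when the upstream version is >= 8.2.0; otherwise 'check-errata',
    since a downstream build below 8.2.0 may already carry a backported fix."""
    return "fixed" if parse_qemu_version(banner) >= FIXED_UPSTREAM else "check-errata"


def nic_models(domain_xml):
    """Return the NIC model types declared in a libvirt domain XML document."""
    root = ET.fromstring(domain_xml)
    models = (iface.find("model") for iface in root.iter("interface"))
    return [m.get("type") for m in models if m is not None]


def domain_name(domain_xml):
    return ET.fromstring(domain_xml).findtext("name")


def assess_host(host):
    """Combine QEMU version status with per-guest e1000e exposure into a
    remediation priority for one hypervisor."""
    status = upstream_status(host["qemu_version"])
    exposed = [domain_name(x) for x in host["domains"] if "e1000e" in nic_models(x)]
    if status == "check-errata" and exposed:
        priority = "remediate-first"   # unpatched path AND guests that can reach it
    elif status == "check-errata":
        priority = "patch"             # device model unused today, still patch
    else:
        priority = "ok"
    return {"host": host["name"], "qemu_status": status,
            "e1000e_domains": exposed, "priority": priority}


# Constructed sample data (not real hosts or guests).
def _domain(name, model):
    return (f"<domain type='kvm'><name>{name}</name><devices>"
            f"<interface type='network'><source network='default'/>"
            f"<model type='{model}'/></interface></devices></domain>")


SAMPLE_HOSTS = [
    {"name": "hv-01", "qemu_version": "QEMU emulator version 7.2.0 (qemu-kvm-7.2.0-14.el9_2)",
     "domains": [_domain("web01", "e1000e"), _domain("db01", "virtio")]},
    {"name": "hv-02", "qemu_version": "QEMU emulator version 8.2.0",
     "domains": [_domain("build01", "e1000e")]},
    {"name": "hv-03", "qemu_version": "QEMU emulator version 6.2.0 (Debian 1:6.2+dfsg-2ubuntu6)",
     "domains": [_domain("cache01", "virtio")]},
]


def fleet_report(hosts):
    """Assess every host; callers should feed the complete fleet, not a sample."""
    return [assess_host(h) for h in hosts]


if __name__ == "__main__":
    for row in fleet_report(SAMPLE_HOSTS):
        print(row)
```

Feeding the output into a ticketing or CMDB workflow gives a defensible record that every hypervisor was checked; hosts marked "check-errata" are then reconciled against the vendor's errata list rather than against the upstream version number alone.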

Evidence notes

The NVD record and CVE references describe a QEMU e1000e NIC emulation use-after-free caused by DMA reentrancy. The CVSS vector reflects host availability impact with high guest privileges required. Red Hat security pages, errata, and Bugzilla issue 2222351 provide downstream advisory and patch-tracking evidence, while the official CVE record and NVD detail page serve as primary public references. The source item is marked Modified on 2026-05-12, but the CVE publication date remains 2023-07-24.

Official resources

Publicly disclosed in the CVE record on 2023-07-24; the NVD source item was last modified on 2026-05-12.