CVE-2020-14394
Publication date 17 August 2022
Last updated 9 June 2026
Ubuntu priority
Description
An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| qemu-kvm | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| qemu | 26.04 LTS resolute |
Not affected
|
| 25.10 questing |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Fixed 1:6.2+dfsg-2ubuntu6.16
|
|
| 20.04 LTS focal |
Fixed 1:4.2-3ubuntu6.28
|
|
| 18.04 LTS bionic |
Fixed 1:2.11+dfsg-1ubuntu7.42+esm5
|
|
| 16.04 LTS xenial |
Fixed 1:2.5+dfsg-5ubuntu10.51+esm4
|
|
| 14.04 LTS trusty |
Fixed 2.0.0+dfsg-2ubuntu1.47+esm6
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialNotes
mdeslaur
impact is limited, a privileged guest user can only use this issue to perform a denial of service to their own instance
Patch details
| Package | Patch details |
|---|---|
| qemu |
Severity score breakdown
CVSS version: CVSS v3.0
Base score
3.2 · Low
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
References
Related Ubuntu Security Notices (USN)
- USN-6567-1
- QEMU vulnerabilities
- 8 January 2024
- USN-8412-1
- QEMU vulnerabilities
- 9 June 2026