An out-of-bounds write issue was found in the UAS (USB Attached SCSI) device emulation of QEMU. It occurs due to missing sanity checks in the usb_uas_handle_data() function in hw/usb/dev-uas.c. In particular, the device uses the guest-supplied stream number unchecked, which can lead to guest-triggered out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields.

Upstream fix: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg02766.html
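A simplified model of the missing check, added here as an example; it is not taken from QEMU's source or from the upstream patch. Only the `data3` and `status3` field names come from the description above; the limit `MODEL_MAX_STREAMS`, the types and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not QEMU code. The limit and all names except the
 * data3/status3 fields are assumptions made for this example. */
#define MODEL_MAX_STREAMS 16

typedef struct ModelRequest { uint16_t tag; } ModelRequest;

typedef struct ModelUAS {
    ModelRequest *data3[MODEL_MAX_STREAMS + 1];   /* pending data, by stream */
    ModelRequest *status3[MODEL_MAX_STREAMS + 1]; /* pending status, by stream */
    uint64_t canary;  /* stands in for whatever state follows the arrays */
} ModelUAS;

enum { PIPE_STATUS, PIPE_DATA };
enum { MODEL_OK = 0, MODEL_ERR_STREAM = -1 };

/* Pre-fix shape: the guest-chosen stream number indexes the arrays directly,
 * so any value above MODEL_MAX_STREAMS stores a pointer outside them. */
int handle_data_unchecked(ModelUAS *s, unsigned stream, int pipe, ModelRequest *r)
{
    if (pipe == PIPE_STATUS) s->status3[stream] = r;
    else                     s->data3[stream] = r;
    return MODEL_OK;
}

/* Hardened shape: validate the stream number once, before either array
 * is touched, and fail the transfer instead of storing anything. */
int handle_data_checked(ModelUAS *s, unsigned stream, int pipe, ModelRequest *r)
{
    if (stream > MODEL_MAX_STREAMS) {
        return MODEL_ERR_STREAM;
    }
    return handle_data_unchecked(s, stream, pipe, r);
}

int main(void)
{
    static ModelUAS s = { .canary = 0x5afe5afe5afe5afeULL };
    ModelRequest r = { .tag = 1 };
    unsigned probes[] = { 0, MODEL_MAX_STREAMS, MODEL_MAX_STREAMS + 1, 0xffff };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        int rc = handle_data_checked(&s, probes[i], PIPE_STATUS, &r);
        printf("stream %u -> %s\n", probes[i], rc == MODEL_OK ? "accepted" : "rejected");
    }
    return s.canary == 0x5afe5afe5afe5afeULL ? 0 : 1;
}
```

Because the arrays hold `MODEL_MAX_STREAMS + 1` slots, the comparison is `>` and the boundary value itself stays valid; an off-by-one in either direction would reject a legal stream or admit one slot past the end.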
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1994641]
Created qemu tracking bugs for this issue: Affects: epel-7 [bug 1994644]
From Gerd Hoffmann - USB maintainer: The UAS (USB Attached SCSI) device emulation is not in widespread use; the classic USB storage device using the BOT (Bulk-Only Transport) protocol is much more popular and the only device supported by libvirt. Also note that in RHEL the UAS device is not enabled.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3713
Looks like this issue was introduced in QEMU v1.5.0 via commit: https://gitlab.com/qemu-project/qemu/-/commit/89a453d4a5c195e6d0a3c3d4fcaacb447447115f