In QEMU 4.2.0, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. CREATE(Triage):(User=admin) [CVE-2020-13362|https://nvd.nist.gov/vuln/detail/CVE-2020-13362]