MidnightBSD

Advisories for qemu

CVE-2008-4539 HIGH

Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM before kvm-82 and (2) QEMU on Debian GNU/Linux and Ubuntu might allow local users to gain privileges by using the VNC console for a connection, aka the LGD-54XX "bitblt" heap overflow. NOTE: this issue exists because of an incorrect fix for CVE-2007-1320.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
debian debian_linux 4.0
canonical ubuntu_linux 8.04
kvm_qumranet kvm *
qemu qemu *
canonical ubuntu_linux 8.10
debian debian_linux 5.0
CVE-2009-3616 HIGH

Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
qemu qemu *
redhat enterprise_linux_workstation 5.0
redhat enterprise_linux_server 5.0
CVE-2010-0297 HIGH

Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.4.2
qemu qemu 0.2.0
qemu qemu 0.9.1
qemu qemu 0.1.6
qemu qemu 0.10.1
qemu qemu 0.5.1
qemu qemu 0.4.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.5.4
qemu qemu 0.11.0-rc2
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.1.5
qemu qemu 0.10.4
qemu qemu 0.10.3
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.6.0
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.7.0
qemu qemu 0.10.0
qemu qemu 0.1.2
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.7.2
qemu qemu 0.1.1
qemu qemu 0.3.0
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2011-0011 MEDIUM

qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
qemu qemu 0.10.4
qemu qemu 0.1.6
qemu qemu 0.10.1
qemu qemu 0.10.3
qemu qemu 0.1.4
qemu qemu 0.10.0
qemu qemu 0.1.2
qemu qemu 0.10.5
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.1.1
qemu qemu 0.10.6
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.11.0
qemu qemu 0.1.5
CVE-2011-1750 HIGH

Multiple heap-based buffer overflows in the virtio-blk driver (hw/virtio-blk.c) in qemu-kvm 0.14.0 allow local guest users to cause a denial of service (guest crash) and possibly gain privileges via a (1) write request to the virtio_blk_handle_write function or (2) read request to the virtio_blk_handle_read function that is not properly aligned.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.14.0
CVE-2011-1751 HIGH

The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers."

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2011-2212 HIGH

Buffer overflow in the virtio subsystem in qemu-kvm 0.14.0 and earlier allows privileged guest users to cause a denial of service (guest crash) or gain privileges via a crafted indirect descriptor related to "virtqueue in and out requests."

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2011-2527 LOW

The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier does not properly drop group privileges when the -runas option is used, which allows local guest users to access restricted files on the host.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264,

Products Affected

Vendor Product Version
qemu qemu 0.4.2
qemu qemu 0.2.0
qemu qemu 0.9.1
qemu qemu 0.1.6
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 0.11.1
qemu qemu 0.14.1
qemu qemu 0.4.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 0.11.0-rc0
qemu qemu 0.15.0
qemu qemu 0.11.0
qemu qemu 0.1.5
qemu qemu 0.10.4
qemu qemu 0.14.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.11.0-rc1
qemu qemu 0.12.5
qemu qemu 0.9.0
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 0.1.4
qemu qemu 0.7.0
qemu qemu 0.10.0
qemu qemu 0.1.2
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.3.0
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.8.1
CVE-2011-3346 MEDIUM

Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
xen xen -
redhat enterprise_linux 5
qemu qemu 0.15.0
CVE-2011-4111 MEDIUM

Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-passthru.c in QEMU before 0.15.2 and 1.x before 1.0-rc4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VSC_ATR message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
redhat enterprise_linux_server_supplementary 6.1.z
redhat enterprise_linux 6.0
qemu qemu 0.15.0
qemu qemu 1.0
CVE-2012-2652 MEDIUM

The bdrv_open function in Qemu 1.0 does not properly handle the failure of the mkstemp function, when in snapshot node, which allows local users to overwrite or read arbitrary files via a symlink attack on an unspecified temporary file.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
qemu qemu 1.0
CVE-2012-3515 HIGH

Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space."

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.1.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
suse linux_enterprise_desktop 10
xen xen 4.0.0
redhat virtualization 5.0
opensuse opensuse 12.1
suse linux_enterprise_desktop 11
redhat enterprise_linux_workstation 6.0
redhat virtualization 6.0
canonical ubuntu_linux 10.04
suse linux_enterprise_software_development_kit 10
suse linux_enterprise_server 10
redhat virtualization 3.0
redhat enterprise_linux_eus 6.3
opensuse opensuse 12.2
canonical ubuntu_linux 11.04
debian debian_linux 6.0
qemu qemu *
redhat enterprise_linux_workstation 5.0
suse linux_enterprise_software_development_kit 11
suse linux_enterprise_server 11
redhat enterprise_linux_desktop 5.0
canonical ubuntu_linux 11.10
debian debian_linux 7.0
redhat enterprise_linux_server 5.0
opensuse opensuse 11.4
canonical ubuntu_linux 12.04
CVE-2012-6075 HIGH

Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e1000.c) in QEMU 1.3.0-rc2 and other versions, when the SBP and LPE flags are disabled, allows remote attackers to cause a denial of service (guest OS crash) and possibly execute arbitrary guest code via a large packet.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 6.0
fedoraproject fedora 16
redhat virtualization 3.0
redhat enterprise_linux_desktop 6.0
fedoraproject fedora 18
opensuse opensuse 12.2
redhat enterprise_linux_server_aus 5.9
redhat enterprise_linux_eus 6.4
redhat enterprise_linux_eus 5.9
debian debian_linux 6.0
opensuse opensuse 12.1
qemu qemu *
redhat enterprise_linux_workstation 5.0
redhat enterprise_linux_workstation 6.0
canonical ubuntu_linux 12.10
suse linux_enterprise_server 11
redhat enterprise_linux_desktop 5.0
canonical ubuntu_linux 10.04
canonical ubuntu_linux 11.10
redhat enterprise_linux_server_aus 6.4
fedoraproject fedora 17
redhat enterprise_linux_server 5.0
canonical ubuntu_linux 12.04
CVE-2013-2007 MEDIUM

The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
qemu qemu 1.4.1
CVE-2013-2016 MEDIUM

A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
novell open_desktop_server 11.0
qemu qemu *
qemu qemu 1.5.0
novell open_enterprise_server 11.0
debian debian_linux 8.0
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2013-4148 HIGH

Integer signedness error in the virtio_net_load function in hw/net/virtio-net.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers a buffer overflow.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
qemu qemu 1.5.0
qemu qemu 1.4.1
qemu qemu 1.5.1
qemu qemu 1.6.1
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 1.6.0
qemu qemu 1.7.1
qemu qemu 1.5.2
qemu qemu 1.0
qemu qemu 1.0.1
qemu qemu 1.1
qemu qemu 1.5.3
CVE-2013-4149 HIGH

Buffer overflow in virtio_net_load function in net/virtio-net.c in QEMU 1.3.0 through 1.7.x before 1.7.2 might allow remote attackers to execute arbitrary code via a large MAC table.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 1.5.0
qemu qemu 1.3.1
qemu qemu 1.4.1
qemu qemu 1.3.0
qemu qemu 1.5.1
qemu qemu 1.6.1
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 1.6.0
qemu qemu 1.7.1
qemu qemu 1.5.2
qemu qemu 1.5.3
CVE-2013-4150 HIGH

The virtio_net_load function in hw/net/virtio-net.c in QEMU 1.5.0 through 1.7.x before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors in which the value of curr_queues is greater than max_queues, which triggers an out-of-bounds write.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 1.5.0
qemu qemu 1.6.2
qemu qemu 1.6.0
qemu qemu 1.7.1
qemu qemu 1.5.1
qemu qemu 1.5.2
qemu qemu 1.6.1
qemu qemu 1.5.3
CVE-2013-4151 HIGH

The virtio_load function in virtio/virtio.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds write.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
qemu qemu 1.5.0
qemu qemu 1.4.1
qemu qemu 1.5.1
qemu qemu 1.6.1
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 1.6.0
qemu qemu 1.7.1
qemu qemu 1.5.2
qemu qemu 1.0
qemu qemu 1.0.1
qemu qemu 1.1
qemu qemu 1.5.3
CVE-2013-4344 HIGH

Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
qemu qemu *
redhat enterprise_linux_server 6.0
opensuse opensuse 12.3
redhat virtualization 3.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 12.10
opensuse opensuse 13.1
canonical ubuntu_linux 13.10
canonical ubuntu_linux 12.04
CVE-2013-4375 LOW

The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.2.3
xen xen 4.2.2
xen xen 4.3.0
xen xen 4.2.0
qemu qemu 1.1
CVE-2013-4377 LOW

Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by "hot-unplugging" a virtio device.

CVSS 2.0

Severity: LOW

Problem Type: CWE-399,

Products Affected

Vendor Product Version
qemu qemu 1.4.2
qemu qemu 1.5.0
qemu qemu 1.6.0
qemu qemu 1.4.1
qemu qemu 1.4.0
qemu qemu 1.5.1
qemu qemu 1.5.2
qemu qemu 1.5.3
CVE-2013-4526 HIGH

Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2013-4527 HIGH

Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via vectors related to the number of timers.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2013-4529 HIGH

Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2013-4530 HIGH

Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2013-4531 HIGH

Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in cpreg_vmstate_array_len in a savevm image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2013-4532 MEDIUM

Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 10.04
debian debian_linux 9.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
debian debian_linux 10.0
CVE-2013-4533 HIGH

Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2013-4534 HIGH

Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2013-4535 HIGH

The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
qemu qemu *
redhat enterprise_linux_server 6.0
redhat virtualization 3.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_server_tus 6.5
CVE-2013-4536 MEDIUM

An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2013-4537 HIGH

The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2013-4538 HIGH

Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c in QEMU before 1.7.2 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2013-4539 HIGH

Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2013-4540 HIGH

Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
opensuse opensuse 13.1
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
opensuse opensuse 12.3
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2013-4541 HIGH

The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2013-4542 HIGH

The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds array access.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2013-4544 MEDIUM

hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
qemu qemu 1.5.0
qemu qemu 1.4.1
qemu qemu 1.5.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 13.10
qemu qemu 1.6.1
qemu qemu *
qemu qemu 1.4.2
qemu qemu 1.6.2
canonical ubuntu_linux 12.10
canonical ubuntu_linux 10.04
qemu qemu 1.6.0
qemu qemu 1.5.2
qemu qemu 2.0.0
qemu qemu 1.0
qemu qemu 1.0.1
canonical ubuntu_linux 12.04
qemu qemu 1.1
qemu qemu 1.5.3
CVE-2013-6399 HIGH

Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2014-0142 LOW

QEMU, possibly before 2.0.0, allows local users to cause a denial of service (divide-by-zero error and crash) via a zero value in the (1) tracks field to the seek_to_sector function in block/parallels.c or (2) extent_size field in the bochs function in block/bochs.c.

CVSS 2.0

Severity: LOW

Problem Type: CWE-369,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2014-0143 MEDIUM

Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in the (3) qcow2_snapshot_load_tmp in qcow2-snapshot.c or (4) qcow2_grow_l1_table function in qcow2-cluster.c, (5) a large request in the bdrv_check_byte_request function in block.c and other block drivers, (6) crafted cluster indexes in the get_refcount function in qcow2-refcount.c, or (7) a large number of blocks in the cloop_open function in cloop.c, which trigger buffer overflows, memory corruption, large memory allocations and out-of-bounds read and writes.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
qemu qemu *
redhat enterprise_linux 6.0
CVE-2014-0144

QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 1.8 6.0

Products Affected

Vendor Product Version
redhat enterprise_linux_server_aus 6.5
qemu qemu *
redhat enterprise_linux_openstack_platform 5
redhat enterprise_linux_server 6.0
redhat virtualization 3.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_eus 6.5
redhat enterprise_linux_server_tus 6.5
CVE-2014-0145 MEDIUM

Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, allow local users to cause a denial of service (crash) or possibly execute arbitrary code via a large (1) L1 table in the qcow2_snapshot_load_tmp in the QCOW 2 block driver (block/qcow2-snapshot.c) or (2) uncompressed chunk, (3) chunk length, or (4) number of sectors in the DMG block driver (block/dmg.c).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 2.0.0
CVE-2014-0146 LOW

The qcow2_open function in the (block/qcow2.c) in QEMU before 1.7.2 and 2.x before 2.0.0 allows local users to cause a denial of service (NULL pointer dereference) via a crafted image which causes an error, related to the initialization of the snapshot_offset and nb_snapshots fields.

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 2.0.0
CVE-2014-0147

Qemu before 1.6.2 block diver for the various disk image formats used by Bochs and for the QCOW version 2 format, are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount() routine.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.5 3.6

Products Affected

Vendor Product Version
redhat enterprise_linux_server_aus 6.5
qemu qemu *
redhat enterprise_linux_openstack_platform 5
redhat enterprise_linux_server 6.0
fedoraproject fedora 20
redhat virtualization 3.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_eus 6.5
redhat enterprise_linux_server_tus 6.5
CVE-2014-0148

Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like 'sectors_per_block' etc. A user able to alter the Qemu disk image could ise this flaw to crash the Qemu instance resulting in DoS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
redhat enterprise_linux_server_aus 6.5
qemu qemu *
redhat enterprise_linux_openstack_platform 5
redhat enterprise_linux_server 6.0
redhat virtualization 3.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_eus 6.5
redhat enterprise_linux_server_tus 6.5
CVE-2014-0150 MEDIUM

Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
redhat enterprise_linux 6.0
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.7.1
qemu qemu 1.5.2
qemu qemu 2.0.0
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2014-0182 HIGH

Heap-based buffer overflow in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted config length in a savevm image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2014-0222 HIGH

Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
suse linux_enterprise_server 11.0
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2014-0223 MEDIUM

Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.5.3
suse linux_enterprise_server 11.0
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 0.10.4
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2014-2894 HIGH

Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
qemu qemu 0.2.0
qemu qemu 0.1.6
qemu qemu 0.11.1
qemu qemu 0.5.1
qemu qemu 1.6.1
qemu qemu 0.4.1
qemu qemu 0.4.3
qemu qemu 0.9.1-5
qemu qemu 0.11.0-rc2
qemu qemu 0.12.1
qemu qemu 1.6.0
qemu qemu 0.15.0
qemu qemu 1.0.1
qemu qemu 1.1.2
qemu qemu 1.5.3
qemu qemu 0.1.5
qemu qemu 0.14.0
qemu qemu 1.5.0
qemu qemu 0.13.0
qemu qemu 0.10.3
qemu qemu 0.12.5
qemu qemu 0.6.1
qemu qemu 0.8.2
qemu qemu 0.7.0
qemu qemu 0.1.2
qemu qemu 1.4.2
qemu qemu 1.6.2
qemu qemu 0.12.3
qemu qemu 1.2.2
qemu qemu 0.1.1
qemu qemu 0.8.0
qemu qemu 0.4.0
qemu qemu 0.10.6
qemu qemu 1.5.2
qemu qemu 1.1
qemu qemu 0.15.1
qemu qemu 0.4.2
qemu qemu 0.9.1
qemu qemu 0.10.1
qemu qemu 0.12.2
qemu qemu 1.4.1
qemu qemu 1.4.0
qemu qemu 0.14.1
qemu qemu 0.7.1
qemu qemu 0.10.5
qemu qemu 0.5.4
qemu qemu 0.5.5
qemu qemu 0.11.0-rc0
qemu qemu 0.11.0
qemu qemu 1.0
qemu qemu 1.1.1
qemu qemu 1.2.1
qemu qemu 0.10.4
qemu qemu 1.3.1
qemu qemu 0.11.0-rc1
qemu qemu 0.9.0
qemu qemu 0.12.4
qemu qemu 0.6.0
qemu qemu 1.3.0
qemu qemu 1.5.1
qemu qemu 0.1.4
qemu qemu 0.5.2
qemu qemu 0.15.2
qemu qemu 0.10.0
qemu qemu 0.5.0
qemu qemu 1.2.0
qemu qemu *
qemu qemu 0.1.0
qemu qemu 0.12.0
qemu qemu 0.7.2
qemu qemu 0.3.0
qemu qemu 0.1.3
qemu qemu 0.10.2
qemu qemu 0.5.3
qemu qemu 0.8.1
CVE-2014-3461 MEDIUM

hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrary code via crafted savevm data, which triggers a heap-based buffer overflow, related to "USB post load checks."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 1.6.2
CVE-2014-3471 LOW

Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU instance crash) via hotplug and hotunplug operations of Virtio block devices.

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 2.1.2
CVE-2014-3615 LOW

The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.6
canonical ubuntu_linux 10.04
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_eus 7.6
redhat virtualization 3.0
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.5
opensuse opensuse 13.1
redhat enterprise_linux_server_tus 7.3
redhat openstack 5.0
canonical ubuntu_linux 14.10
qemu qemu *
redhat enterprise_linux_server_aus 7.3
debian debian_linux 7.0
redhat enterprise_linux_server_aus 7.7
canonical ubuntu_linux 12.04
CVE-2014-3640 LOW

The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket.

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_desktop 7.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_server 7.0
canonical ubuntu_linux 14.10
qemu qemu 2.0.2
qemu qemu 2.1.1
canonical ubuntu_linux 10.04
qemu qemu 2.0.0
debian debian_linux 7.0
redhat enterprise_linux_hpc_node 7.0
qemu qemu 2.1.0
canonical ubuntu_linux 12.04
CVE-2014-3689 HIGH

The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.10
qemu qemu *
canonical ubuntu_linux 10.04
debian debian_linux 7.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
CVE-2014-5263 MEDIUM

vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a denial of service (out-of-bounds access, infinite loop, and memory corruption) and possibly gain privileges via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 1.6.0
CVE-2014-5388 MEDIUM

Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-193,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.10
qemu qemu *
canonical ubuntu_linux 10.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
CVE-2014-7815 MEDIUM

The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_eus 7.6
redhat virtualization 3.0
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.5
canonical ubuntu_linux 14.04
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.4
canonical ubuntu_linux 14.10
suse linux_enterprise_server 12
qemu qemu *
suse linux_enterprise_desktop 12
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_aus 7.3
canonical ubuntu_linux 10.04
debian debian_linux 7.0
redhat enterprise_linux_server_aus 7.7
canonical ubuntu_linux 12.04
CVE-2014-7840 HIGH

The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_eus 7.6
redhat virtualization 3.0
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.4
qemu qemu *
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_aus 7.7
CVE-2014-8106 MEDIUM

Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 2.1.1
qemu qemu 2.1.0
CVE-2014-9718 MEDIUM

The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
qemu qemu 1.5.0
qemu qemu 1.4.1
qemu qemu 1.5.1
qemu qemu 1.6.1
qemu qemu 1.4.2
qemu qemu 2.1.2
qemu qemu 1.6.2
debian debian_linux 8.0
qemu qemu 2.0.2
qemu qemu 2.1.1
qemu qemu 1.6.0
qemu qemu 1.7.1
qemu qemu 1.5.2
qemu qemu 2.0.0
qemu qemu 2.1.3
qemu qemu 1.0
qemu qemu 1.0.1
qemu qemu 2.1.0
qemu qemu 1.1
qemu qemu 1.5.3
CVE-2015-1779 HIGH

The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_eus 7.6
redhat virtualization 3.0
fedoraproject fedora 22
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.3
canonical ubuntu_linux 15.04
qemu qemu 2.3.0
fedoraproject fedora 21
canonical ubuntu_linux 14.10
qemu qemu *
debian debian_linux 8.0
oracle linux 7
redhat enterprise_linux_eus 7.1
redhat enterprise_linux_server_aus 7.3
debian debian_linux 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 7.2
canonical ubuntu_linux 12.04
CVE-2015-3209 HIGH

Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 6.0
fedoraproject fedora 20
arista eos 4.14
redhat enterprise_linux_desktop 6.0
suse linux_enterprise_debuginfo 11
canonical ubuntu_linux 14.04
redhat enterprise_linux_server_tus 6.6
redhat enterprise_linux_server_aus 6.6
suse linux_enterprise_desktop 11
suse linux_enterprise_server 12
suse linux_enterprise_desktop 12
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_eus 6.6
suse linux_enterprise_server 10
redhat virtualization 3.0
fedoraproject fedora 22
suse linux_enterprise_software_development_kit 12
arista eos 4.15
juniper junos_space *
redhat openstack 5.0
canonical ubuntu_linux 15.04
fedoraproject fedora 21
canonical ubuntu_linux 14.10
qemu qemu *
redhat enterprise_linux_workstation 5.0
arista eos 4.12
debian debian_linux 8.0
arista eos 4.13
suse linux_enterprise_software_development_kit 11
suse linux_enterprise_server 11
debian debian_linux 7.0
redhat enterprise_linux_server 5.0
canonical ubuntu_linux 12.04
CVE-2015-3214 MEDIUM

The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux_for_power_big_endian_eus 7.1_ppc64
redhat enterprise_linux_for_power_big_endian_eus 7.6_ppc64
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_update_services_for_sap_solutions 7.6
redhat enterprise_linux_server_update_services_for_sap_solutions 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_compute_node_eus 7.6
arista eos 4.15
redhat enterprise_linux_compute_node_eus 7.3
debian debian_linux 8.0
arista eos 4.13
redhat enterprise_linux_server_aus 7.3
debian debian_linux 7.0
redhat enterprise_linux_compute_node_eus 7.7
redhat enterprise_linux_for_power_big_endian 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_for_power_big_endian_eus 7.4_ppc64
arista eos 4.14
redhat enterprise_linux_server_update_services_for_sap_solutions 7.2
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server 7.0
redhat enterprise_linux_compute_node_eus 7.1
redhat enterprise_linux_for_scientific_computing 7.0
redhat openstack 6.0
lenovo emc_px12-450r_ivx *
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_for_power_big_endian_eus 7.3_ppc64
redhat enterprise_linux_for_power_big_endian_eus 7.7_ppc64
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_for_power_big_endian_eus 7.2_ppc64
redhat enterprise_linux_for_power_big_endian_eus 7.5_ppc64
redhat enterprise_linux_server_eus 7.7
redhat virtualization 3.0
redhat enterprise_linux_server_update_services_for_sap_solutions 7.4
linux linux_kernel *
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server_eus 7.2
redhat openstack 5.0
redhat enterprise_linux_compute_node_eus 7.5
lenovo emc_px12-400r_ivx *
redhat enterprise_linux_compute_node_eus 7.2
redhat enterprise_linux_compute_node_eus 7.4
qemu qemu *
redhat enterprise_linux_server_eus 7.1
arista eos 4.12
redhat enterprise_linux_server_update_services_for_sap_solutions 7.7
redhat enterprise_linux_server_from_rhui 7.0
CVE-2015-3456 HIGH

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat openstack 6.0
qemu qemu *
redhat enterprise_linux 5
xen xen 4.5.0
redhat enterprise_linux 7.0
redhat openstack 7.0
redhat openstack 5.0
redhat openstack 4.0
redhat enterprise_linux 6.0
redhat enterprise_virtualization 3.0
CVE-2015-4037 LOW

The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.

CVSS 2.0

Severity: LOW

Problem Type: CWE-17,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2015-4106 MEDIUM

QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
fedoraproject fedora 20
citrix xenserver 6.2.0
fedoraproject fedora 22
suse linux_enterprise_software_development_kit 12
canonical ubuntu_linux 14.04
canonical ubuntu_linux 15.04
citrix xenserver 6.0.2
suse linux_enterprise_desktop 11
fedoraproject fedora 21
canonical ubuntu_linux 14.10
citrix xenserver 6.1.0
suse linux_enterprise_server 12
qemu qemu *
suse linux_enterprise_desktop 12
debian debian_linux 8.0
suse linux_enterprise_software_development_kit 11
citrix xenserver 6.5
suse linux_enterprise_server 11
citrix xenserver 6.0
debian debian_linux 7.0
canonical ubuntu_linux 12.04
CVE-2015-5154 HIGH

Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen 4.5.1
xen xen *
fedoraproject fedora 22
suse linux_enterprise_software_development_kit 12
suse linux_enterprise_debuginfo 11
fedoraproject fedora 23
suse linux_enterprise_desktop 11
fedoraproject fedora 21
suse suse_linux_enterprise_server 12
qemu qemu *
suse linux_enterprise_desktop 12
suse linux_enterprise_software_development_kit 11
suse linux_enterprise_server 11
CVE-2015-5158 LOW

Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built with SCSI-device emulation support, allows guest OS users with CAP_SYS_RAWIO permissions to cause a denial of service (instance crash) via an invalid opcode in a SCSI command descriptor block.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 2.4.0
CVE-2015-5225 HIGH

Buffer overflow in the vnc_refresh_server_surface function in the VNC display driver in QEMU before 2.4.0.1 allows guest users to cause a denial of service (heap memory corruption and process crash) or possibly execute arbitrary code on the host via unspecified vectors, related to refreshing the server display surface.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat openstack 6.0
fedoraproject fedora 21
qemu qemu *
fedoraproject fedora 22
redhat openstack 7.0
redhat openstack 5.0
fedoraproject fedora 23
CVE-2015-5239 MEDIUM

Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
arista eos 4.14
fedoraproject fedora 22
suse linux_enterprise_software_development_kit 12
arista eos 4.15
suse linux_enterprise_debuginfo 11
canonical ubuntu_linux 14.04
canonical ubuntu_linux 15.04
fedoraproject fedora 23
suse linux_enterprise_desktop 11
fedoraproject fedora 21
suse linux_enterprise_server 12
qemu qemu *
arista eos 4.12
suse linux_enterprise_desktop 12
arista eos 4.13
suse linux_enterprise_software_development_kit 11
suse linux_enterprise_server 11
canonical ubuntu_linux 12.04
CVE-2015-5278 MEDIUM

The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
fedoraproject fedora 21
qemu qemu *
arista eos 4.12
arista eos 4.14
fedoraproject fedora 22
arista eos 4.13
arista eos 4.15
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 15.04
fedoraproject fedora 23
CVE-2015-5279 HIGH

Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2015-5745 MEDIUM

Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
fedoraproject fedora 21
qemu qemu *
arista eos 4.12
arista eos 4.14
fedoraproject fedora 22
arista eos 4.13
arista eos 4.15
fedoraproject fedora 23
CVE-2015-6815 LOW

The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.5 LOW CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.1 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
arista eos 4.14
canonical ubuntu_linux 14.04
novell suse_linux_enterprise_debuginfo 11.0
novell suse_linux_enterprise_server 12.0
redhat openstack 6.0
redhat enterprise_linux 7.0
novell suse_linux_enterprise_desktop 11.0
xen xen 4.5.1
fedoraproject fedora 22
arista eos 4.15
xen xen 4.4.3
novell suse_linux_enterprise_server 11.0
novell suse_linux_enterprise_software_development_kit 12.0
redhat enterprise_linux 5.0
redhat openstack 5.0
redhat enterprise_linux 6.0
canonical ubuntu_linux 15.04
fedoraproject fedora 23
fedoraproject fedora 21
novell suse_linux_enterprise_software_development_kit 11.0
qemu qemu *
arista eos 4.12
arista eos 4.13
novell suse_linux_enterprise_desktop 12.0
redhat openstack 7.0
canonical ubuntu_linux 12.04
CVE-2015-6855 MEDIUM

hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-369,

Products Affected

Vendor Product Version
fedoraproject fedora 22
arista eos -
debian debian_linux 9.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 15.04
fedoraproject fedora 23
fedoraproject fedora 21
suse linux_enterprise_server 12
qemu qemu *
suse linux_enterprise_desktop 12
debian debian_linux 8.0
debian debian_linux 7.0
canonical ubuntu_linux 12.04
CVE-2015-7295 MEDIUM

hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
fedoraproject fedora 21
qemu qemu *
debian debian_linux 8.0
fedoraproject fedora 22
debian debian_linux 7.0
CVE-2015-7504 MEDIUM

Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
xen xen *
debian debian_linux 8.0
qemu qemu 2.5.0
debian debian_linux 7.0
CVE-2015-7512 MEDIUM

Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
qemu qemu *
redhat enterprise_linux_server 6.0
redhat enterprise_linux_eus 6.7
oracle linux 6
redhat virtualization 3.0
redhat enterprise_linux_workstation 6.0
debian debian_linux 8.0
redhat enterprise_linux_desktop 6.0
qemu qemu 2.5.0
redhat openstack 5.0
debian debian_linux 7.0
CVE-2015-7549 LOW

The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method.

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2015-8345 LOW

The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-399,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
qemu qemu 2.5.0
debian debian_linux 7.0
CVE-2015-8504 LOW

Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-369,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
qemu qemu 2.5.0
debian debian_linux 7.0
CVE-2015-8556 HIGH

Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-362,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2015-8558 MEDIUM

The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
debian debian_linux 7.0
CVE-2015-8567 MEDIUM

Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 3.1 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
fedoraproject fedora 22
suse linux_enterprise_software_development_kit 12
suse linux_enterprise_debuginfo 11
canonical ubuntu_linux 14.04
fedoraproject fedora 23
suse linux_enterprise_desktop 11
opensuse leap 42.1
suse linux_enterprise_server 12
qemu qemu *
suse linux_enterprise_desktop 12
debian debian_linux 8.0
canonical ubuntu_linux 15.10
suse linux_enterprise_software_development_kit 11
suse linux_enterprise_server 11
opensuse opensuse 13.2
canonical ubuntu_linux 12.04
CVE-2015-8568 MEDIUM

Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2015-8613 LOW

Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2015-8619 MEDIUM

The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2015-8666 LOW

Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.9 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H 1.5 5.8

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
qemu qemu 2.5.0
CVE-2015-8701 LOW

QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-193,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2015-8743 LOW

QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
debian debian_linux 7.0
CVE-2015-8744 LOW

QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It occurs when a guest sends a Layer-2 packet smaller than 22 bytes. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2015-8745 LOW

QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It could occur while reading Interrupt Mask Registers (IMR). A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-617,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2015-8817 LOW

QEMU (aka Quick Emulator) built to use 'address_space_translate' to map an address to a MemoryRegionSection is vulnerable to an OOB r/w access issue. It could occur while doing pci_dma_read/write calls. Affects QEMU versions >= 1.6.0 and <= 2.3.1. A privileged user inside guest could use this flaw to crash the guest instance resulting in DoS.

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,CWE-787,

Products Affected

Vendor Product Version
qemu qemu 2.2.0
qemu qemu 1.6.1
qemu qemu 2.3.0
qemu qemu 2.3.1
qemu qemu 2.1.2
qemu qemu 1.6.2
qemu qemu 2.2.1
qemu qemu 2.0.2
qemu qemu 2.1.1
qemu qemu 1.6.0
qemu qemu 1.7.1
qemu qemu 2.0.0
qemu qemu 2.1.3
qemu qemu 2.1.0
CVE-2015-8818 LOW

The cpu_physical_memory_write_rom_internal function in exec.c in QEMU (aka Quick Emulator) does not properly skip MMIO regions, which allows local privileged guest users to cause a denial of service (guest crash) via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2016-10028 LOW

The virgl_cmd_get_capset function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a VIRTIO_GPU_CMD_GET_CAPSET command with a maximum capabilities size with a value of 0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2016-10029 LOW

The virtio_gpu_set_scanout function in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a scanout id in a VIRTIO_GPU_CMD_SET_SCANOUT command larger than num_scanouts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2016-10155 MEDIUM

Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2016-1568 MEDIUM

Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
redhat openstack 6.0
qemu qemu *
redhat virtualization 3.0
debian debian_linux 8.0
redhat openstack 7.0
redhat openstack 5.0
debian debian_linux 7.0
CVE-2016-1714 MEDIUM

The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a firmware configuration.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
oracle linux 6
oracle linux 7
redhat openstack 5.0
CVE-2016-1922 LOW

QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
debian debian_linux 7.0
CVE-2016-1981 LOW

QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instance resulting in DoS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
debian debian_linux 7.0
CVE-2016-2197 LOW

QEMU (aka Quick Emulator) built with an IDE AHCI emulation support is vulnerable to a null pointer dereference flaw. It occurs while unmapping the Frame Information Structure (FIS) and Command List Block (CLB) entries. A privileged user inside guest could use this flaw to crash the QEMU process instance resulting in DoS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2016-2198 LOW

QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this flaw to crash the QEMU process instance resulting in DoS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu 2.6.0
qemu qemu *
debian debian_linux 8.0
CVE-2016-2391 LOW

The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H 1.3 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 15.10
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-2392 LOW

The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
canonical ubuntu_linux 15.10
qemu qemu 2.5.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-2538 LOW

Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function.

CVSS 2.0

Severity: LOW

Problem Type: CWE-189,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2016-2841 LOW

The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control.

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
qemu qemu *
canonical ubuntu_linux 15.10
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-2857 LOW

The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.4 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H 2.0 5.8

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat openstack 9
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.4
redhat openstack 6.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_aus 7.6
redhat virtualization 4.0
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_eus 7.6
redhat virtualization 3.0
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.5
redhat openstack 8
redhat enterprise_linux_server_tus 7.3
redhat openstack 5.0
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 15.10
redhat enterprise_linux_server_aus 7.3
redhat openstack 7.0
redhat enterprise_linux_server_aus 7.7
canonical ubuntu_linux 12.04
CVE-2016-2858 LOW

QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-331,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 15.10
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-3710 HIGH

The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_tus 7.2
hp helion_openstack 2.1.2
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_eus 7.5
redhat openstack 6.0
qemu qemu 2.6.0
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_workstation 6.0
oracle linux 5
redhat enterprise_linux_server_aus 7.6
citrix xenserver *
redhat enterprise_linux_server_eus 7.4
canonical ubuntu_linux 16.04
hp helion_openstack 2.0.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_desktop 7.0
oracle linux 6
redhat enterprise_linux_server_eus 7.7
redhat virtualization 3.0
redhat openstack 8
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server_eus 7.2
redhat openstack 5.0
hp helion_openstack 2.1.4
oracle vm_server 3.3
oracle vm_server 3.2
qemu qemu *
oracle vm_server 3.4
debian debian_linux 8.0
canonical ubuntu_linux 15.10
oracle linux 7
redhat enterprise_linux_server_aus 7.3
redhat openstack 7.0
hp helion_openstack 2.1.0
canonical ubuntu_linux 12.04
CVE-2016-3712 LOW

Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-190,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_eus 7.5
qemu qemu 2.6.0
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_aus 7.6
citrix xenserver *
redhat enterprise_linux_server_eus 7.4
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux_server_tus 7.3
oracle vm_server 3.3
qemu qemu *
oracle vm_server 3.4
debian debian_linux 8.0
canonical ubuntu_linux 15.10
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_aus 7.7
canonical ubuntu_linux 12.04
CVE-2016-4001 MEDIUM

Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
qemu qemu 2.6.0
qemu qemu *
debian debian_linux 8.0
fedoraproject fedora 22
canonical ubuntu_linux 15.10
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
fedoraproject fedora 24
fedoraproject fedora 23
CVE-2016-4002 MEDIUM

Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
fedoraproject fedora 22
canonical ubuntu_linux 15.10
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
fedoraproject fedora 24
fedoraproject fedora 23
CVE-2016-4020 LOW

The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat openstack 9
canonical ubuntu_linux 14.04
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.4
redhat openstack 6.0
redhat enterprise_linux_server_aus 7.6
redhat virtualization 4.0
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_eus 7.6
redhat enterprise_linux_eus 7.5
redhat openstack 8
redhat openstack 10
qemu qemu *
redhat openstack 11
debian debian_linux 8.0
canonical ubuntu_linux 15.10
redhat openstack 7.0
redhat enterprise_linux_server_aus 7.7
canonical ubuntu_linux 12.04
CVE-2016-4037 MEDIUM

The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
qemu qemu 2.6.0
qemu qemu *
debian debian_linux 8.0
fedoraproject fedora 22
canonical ubuntu_linux 15.10
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
fedoraproject fedora 24
fedoraproject fedora 23
CVE-2016-4439 MEDIUM

The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-4441 LOW

The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-4453 MEDIUM

The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-4454 LOW

The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H 0.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-4952 LOW

QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual SCSI bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds array access) via vectors related to the (1) PVSCSI_CMD_SETUP_RINGS or (2) PVSCSI_CMD_SETUP_MSG_RING SCSI command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-4964 MEDIUM

The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2016-5105 LOW

The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-908,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-5106 LOW

The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-5107 LOW

The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-5126 MEDIUM

Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_tus 7.2
redhat openstack 9
canonical ubuntu_linux 14.04
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server_aus 7.4
redhat openstack 6.0
redhat enterprise_linux_server_aus 7.6
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_eus 7.6
redhat virtualization 3.0
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.5
redhat openstack 8
redhat enterprise_linux_server_tus 7.3
redhat openstack 5.0
qemu qemu *
debian debian_linux 8.0
oracle linux 7
redhat enterprise_linux_server_aus 7.3
redhat openstack 7.0
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_eus 7.2
canonical ubuntu_linux 12.04
CVE-2016-5238 LOW

The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-5337 LOW

The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-5338 MEDIUM

The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-5403 MEDIUM

The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_tus 7.2
redhat openstack 9
redhat enterprise_linux_server 6.0
redhat enterprise_linux_server_aus 7.5
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server_aus 7.4
qemu qemu 2.7.0
redhat enterprise_linux_server_eus 7.5
redhat openstack 6.0
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_workstation 6.0
oracle linux 5
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.4
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_desktop 7.0
oracle linux 6
redhat enterprise_linux_server_eus 7.7
redhat virtualization 3.0
redhat openstack 8
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server_eus 7.2
redhat openstack 5.0
qemu qemu *
oracle vm_server 3.4
debian debian_linux 8.0
oracle linux 7
redhat enterprise_linux_server_aus 7.3
redhat openstack 7.0
redhat enterprise_linux_server_aus 7.7
canonical ubuntu_linux 12.04
CVE-2016-6351 HIGH

The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
CVE-2016-6490 LOW

The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-120,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 2.7.0
CVE-2016-6833 LOW

Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
qemu qemu 2.7.0
CVE-2016-6834 LOW

The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-120,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
qemu qemu 2.7.0
CVE-2016-6835 LOW

The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
redhat virtualization 4.0
CVE-2016-6836 LOW

The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-665,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2016-6888 LOW

Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-190,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
debian debian_linux 8.0
redhat virtualization 4.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
qemu qemu 2.7.0
CVE-2016-7116 LOW

Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-22,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
qemu qemu 2.7.0
CVE-2016-7155 LOW

hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2016-7156 LOW

The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-704,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2016-7157 LOW

The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_PACK.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2016-7161 HIGH

Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
qemu qemu 2.7.0
CVE-2016-7170 LOW

The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-129,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
opensuse leap 42.2
CVE-2016-7421 LOW

The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-834,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2016-7422 LOW

The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via a large I/O descriptor buffer length value.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-120,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
redhat virtualization 4.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
opensuse leap 42.2
CVE-2016-7423 LOW

The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors involving MPTSASRequest objects.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2016-7466 LOW

Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-772,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
redhat virtualization 4.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
opensuse leap 42.2
CVE-2016-7907 LOW

The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,CWE-399,

Products Affected

Vendor Product Version
qemu qemu 2.9.0
qemu qemu *
CVE-2016-7908 LOW

The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2016-7909 MEDIUM

The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2016-7994 LOW

Memory leak in the virtio_gpu_resource_create_2d function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_CREATE_2D commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu *
opensuse leap 42.2
CVE-2016-7995 LOW

Memory leak in the ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of crafted buffer page select (PG) indexes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu *
opensuse leap 42.2
CVE-2016-8576 LOW

The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-770,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
debian debian_linux 8.0
redhat virtualization 4.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
opensuse leap 42.2
CVE-2016-8577 LOW

Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
opensuse leap 42.2
CVE-2016-8578 LOW

The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
opensuse leap 42.2
CVE-2016-8667 LOW

The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-369,

Products Affected

Vendor Product Version
qemu qemu 2.9.0
qemu qemu *
debian debian_linux 8.0
opensuse leap 42.2
CVE-2016-8668 LOW

The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging failure to limit DMA buffer size.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-120,

Products Affected

Vendor Product Version
qemu qemu *
opensuse leap 42.2
CVE-2016-8669 LOW

The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-369,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
debian debian_linux 8.0
redhat virtualization 4.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
opensuse leap 42.2
CVE-2016-8909 LOW

The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
debian debian_linux 8.0
redhat virtualization 4.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
opensuse leap 42.2
CVE-2016-8910 LOW

The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
debian debian_linux 8.0
redhat virtualization 4.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
opensuse leap 42.2
CVE-2016-9101 LOW

Memory leak in hw/net/eepro100.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
opensuse leap 42.2
CVE-2016-9102 LOW

Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2016-9103 LOW

The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2016-9104 LOW

Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-190,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
opensuse leap 42.2
CVE-2016-9105 LOW

Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
opensuse leap 42.2
CVE-2016-9106 LOW

Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
opensuse leap 42.2
CVE-2016-9381 MEDIUM

Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
qemu qemu *
citrix xenserver 6.2.0
citrix xenserver 6.5
citrix xenserver 7.0
qemu qemu 2.8.0
citrix xenserver 6.0.2
CVE-2016-9602 HIGH

Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-59,CWE-59,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2016-9603 HIGH

A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,CWE-119,

Products Affected

Vendor Product Version
redhat openstack 9
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_eus 7.5
redhat openstack 6.0
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_desktop 7.0
citrix xenserver 6.2.0
redhat openstack 8
redhat openstack 5.0
redhat openstack 10
citrix xenserver 6.0.2
qemu qemu *
citrix xenserver 6.5
redhat enterprise_linux_server_aus 7.3
redhat openstack 7.0
citrix xenserver 7.0
debian debian_linux 7.0
citrix xenserver 7.1
CVE-2016-9776 LOW

QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
qemu qemu 2.8.0
CVE-2016-9845 LOW

QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 2.8.0
CVE-2016-9846 MEDIUM

QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 2.8.0
CVE-2016-9907 MEDIUM

Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
debian debian_linux 8.0
redhat virtualization 4.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
CVE-2016-9908 LOW

Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2016-9911 MEDIUM

Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
debian debian_linux 8.0
redhat virtualization 4.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
CVE-2016-9912 MEDIUM

Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2016-9913 MEDIUM

Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 2.8.0
CVE-2016-9914 MEDIUM

Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
qemu qemu 2.8.0
CVE-2016-9915 MEDIUM

Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
qemu qemu 2.8.0
CVE-2016-9916 MEDIUM

Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
qemu qemu 2.8.0
CVE-2016-9921 LOW

Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-369,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
debian debian_linux 8.0
redhat virtualization 4.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
qemu qemu 2.8.0
CVE-2016-9922 LOW

The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka Quick Emulator), when cirrus graphics mode is VGA, allows local guest OS privileged users to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving blit pitch values.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-369,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 2.8.0
CVE-2016-9923 LOW

Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-10664 MEDIUM

qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat openstack 9
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.4
redhat openstack 6.0
redhat enterprise_linux_server_aus 7.6
redhat virtualization 4.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_eus 7.6
redhat virtualization 3.0
redhat enterprise_linux_eus 7.5
redhat openstack 8
debian debian_linux 9.0
redhat openstack 10
redhat enterprise_linux_server_tus 7.4
qemu qemu *
redhat openstack 11
debian debian_linux 8.0
redhat openstack 7.0
redhat enterprise_linux_server_aus 7.7
CVE-2017-10806 LOW

Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
debian debian_linux 9.0
CVE-2017-11334 LOW

The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 9.0
CVE-2017-11434 LOW

The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu 2.10.0
qemu qemu *
debian debian_linux 8.0
debian debian_linux 9.0
CVE-2017-12809 LOW

QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM Emulator support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu 2.10.0
qemu qemu *
debian debian_linux 9.0
CVE-2017-13672 LOW

QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 9.0
CVE-2017-13673 MEDIUM

The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
qemu qemu 2.9.0
qemu qemu 2.8.0
CVE-2017-13711 MEDIUM

Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 9.0
CVE-2017-14167 HIGH

Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
debian debian_linux 9.0
CVE-2017-15038 LOW

Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes.

CVSS 2.0

Severity: LOW

Problem Type: CWE-362,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-15118 HIGH

A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-121,CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
redhat enterprise_linux 7.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 17.10
canonical ubuntu_linux 16.04
CVE-2017-15119 MEDIUM

The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
qemu qemu *
redhat virtualization 4.0
debian debian_linux 9.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 17.10
canonical ubuntu_linux 16.04
CVE-2017-15124 HIGH

VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-770,CWE-20,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-15268 MEDIUM

Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-15289 LOW

The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-16845 MEDIUM

hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H 3.9 5.8

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
debian debian_linux 9.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 17.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2017-17381 LOW

The Virtio Vring implementation in QEMU allows local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-369,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 2.11.0
debian debian_linux 9.0
CVE-2017-18030 LOW

The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2017-18043 LOW

Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash).

CVSS 2.0

Severity: LOW

Problem Type: CWE-190,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 9.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 17.10
canonical ubuntu_linux 16.04
CVE-2017-2615 HIGH

Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-125,CWE-787,

Products Affected

Vendor Product Version
redhat openstack 9
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_eus 7.5
redhat openstack 6.0
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_workstation 7.0
xen xen *
redhat enterprise_linux_desktop 7.0
citrix xenserver 6.2.0
redhat openstack 8
redhat openstack 5.0
redhat openstack 10
citrix xenserver 6.0.2
qemu qemu *
citrix xenserver 6.5
redhat enterprise_linux_server_aus 7.3
redhat openstack 7.0
citrix xenserver 7.0
debian debian_linux 7.0
citrix xenserver 7.1
xen xen 4.7.1
CVE-2017-2620 HIGH

Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-125,CWE-787,

Products Affected

Vendor Product Version
redhat openstack 9
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_eus 7.5
redhat openstack 6.0
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_workstation 7.0
xen xen *
redhat enterprise_linux_desktop 7.0
citrix xenserver 6.2.0
redhat openstack 8
redhat openstack 5.0
redhat openstack 10
citrix xenserver 6.0.2
qemu qemu *
citrix xenserver 6.5
redhat enterprise_linux_server_aus 7.3
redhat openstack 7.0
citrix xenserver 7.0
debian debian_linux 7.0
citrix xenserver 7.1
xen xen 4.7.1
CVE-2017-2630 MEDIUM

A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server's response to a 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client resulting in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-121,CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-2633 MEDIUM

An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the 'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,CWE-125,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_workstation 7.0
qemu qemu *
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.4
CVE-2017-5525 MEDIUM

Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2017-5526 MEDIUM

Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2017-5552 MEDIUM

Memory leak in the virgl_resource_attach_backing function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-5578 MEDIUM

Memory leak in the virtio_gpu_resource_attach_backing function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-5579 MEDIUM

Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu 2.9.0
qemu qemu *
debian debian_linux 8.0
CVE-2017-5667 LOW

The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds heap access and crash) or execute arbitrary code on the QEMU host via vectors involving the data transfer length.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2017-5856 MEDIUM

Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sglist size set to a value over 2 Gb.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2017-5857 MEDIUM

Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF commands sent without detaching the backing storage beforehand.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-5898 LOW

Integer overflow in the emulated_apdu_from_guest function in usb/dev-smartcard-reader.c in Quick Emulator (Qemu), when built with the CCID Card device emulator support, allows local users to cause a denial of service (application crash) via a large Application Protocol Data Units (APDU) unit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-190,

Products Affected

Vendor Product Version
suse linux_enterprise_server 12
qemu qemu *
suse linux_enterprise_desktop 12
suse linux_enterprise_software_development_kit 12
suse linux_enterprise_server_for_sap 12
CVE-2017-5931 HIGH

Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based buffer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-5973 LOW

The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors related to control transfer descriptor sequence.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
debian debian_linux 8.0
redhat virtualization 4.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
CVE-2017-5987 LOW

The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu 2.9.0
qemu qemu *
debian debian_linux 8.0
CVE-2017-6058 MEDIUM

Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-6505 LOW

The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Quick Emulator) before 2.9.0 allows local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors, a different vulnerability than CVE-2017-9330.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-7377 LOW

The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu 2.9.0
qemu qemu *
debian debian_linux 8.0
CVE-2017-7471 HIGH

Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.0 CRITICAL CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-732,

Products Affected

Vendor Product Version
qemu qemu 2.9.0
qemu qemu *
CVE-2017-7493 MEDIUM

Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2017-7539 MEDIUM

An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,CWE-20,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
redhat virtualization 3.0
redhat virtualization 4.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
CVE-2017-7718 LOW

hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu 2.9.0
qemu qemu *
debian debian_linux 8.0
CVE-2017-7980 MEDIUM

Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat openstack 9
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_eus 7.5
redhat openstack 6.0
redhat enterprise_linux_server_eus 7.3
canonical ubuntu_linux 17.04
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.4
canonical ubuntu_linux 16.10
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_desktop 7.0
redhat virtualization 3.0
redhat openstack 8
redhat enterprise_linux_server_tus 7.3
redhat openstack 5.0
redhat openstack 10
qemu qemu *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.3
redhat openstack 7.0
CVE-2017-8086 MEDIUM

Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu 2.9.0
qemu qemu *
debian debian_linux 8.0
CVE-2017-8112 MEDIUM

hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
CVE-2017-8284 MEDIUM

The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated "this bug does not violate any security guarantees QEMU makes.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-8309 HIGH

Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-772,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
debian debian_linux 8.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
CVE-2017-8379 MEDIUM

Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,

Products Affected

Vendor Product Version
redhat openstack 6.0
redhat openstack 9
qemu qemu *
redhat openstack 11
debian debian_linux 8.0
redhat openstack 8
redhat openstack 7.0
redhat openstack 10
CVE-2017-8380 HIGH

Buffer overflow in the "megasas_mmio_write" function in Qemu 2.9.0 allows remote attackers to have unspecified impact via unknown vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 2.9.0
CVE-2017-9060 MEDIUM

Memory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (memory consumption) via a large number of "VIRTIO_GPU_CMD_SET_SCANOUT:" commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-9310 LOW

QEMU (aka Quick Emulator), when built with the e1000e NIC emulation support, allows local guest OS privileged users to cause a denial of service (infinite loop) via vectors related to setting the initial receive / transmit descriptor head (TDH/RDH) outside the allocated descriptor buffer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H 1.1 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
debian debian_linux 9.0
CVE-2017-9330 LOW

QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI Emulation support, allows local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value, a different vulnerability than CVE-2017-6505.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H 1.1 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
debian debian_linux 9.0
CVE-2017-9373 LOW

Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu 2.9.0
qemu qemu *
debian debian_linux 8.0
debian debian_linux 9.0
CVE-2017-9374 LOW

Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2017-9375 LOW

QEMU (aka Quick Emulator), when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
debian debian_linux 9.0
CVE-2017-9503 LOW

QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
debian debian_linux 9.0
CVE-2017-9524 MEDIUM

The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs before talking to a client in the nbd_negotiate function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 9.0
CVE-2018-10839 MEDIUM

Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-121,CWE-190,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
debian debian_linux 9.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-11806 HIGH

m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
redhat openstack 9
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_aus 7.6
redhat virtualization 4.0
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_eus 7.6
redhat enterprise_linux_eus 7.5
redhat openstack 8
debian debian_linux 9.0
redhat openstack 12
redhat openstack 10
redhat openstack 13
qemu qemu *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.7
canonical ubuntu_linux 18.04
CVE-2018-12617 MEDIUM

qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
debian debian_linux 9.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-15746 LOW

qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2018-16847 MEDIUM

An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-125,CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
qemu qemu 3.1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-16867 MEDIUM

A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lead do DoS scenario OR possibly lead to code execution on the host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,CWE-362,

Products Affected

Vendor Product Version
qemu qemu *
fedoraproject fedora 29
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
qemu qemu 3.1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-16872 LOW

A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-367,CWE-367,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
fedoraproject fedora 29
debian debian_linux 9.0
opensuse leap 42.3
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 30
CVE-2018-17958 MEDIUM

Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
redhat virtualization 4.0
redhat virtualization_manager 4.3
debian debian_linux 9.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-17962 MEDIUM

Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-190,

Products Affected

Vendor Product Version
qemu qemu 2.12.0
suse linux_enterprise_server 15
redhat linux 6.0
debian debian_linux 9.0
canonical ubuntu_linux 14.04
qemu qemu 2.8.0
suse linux_enterprise_server 12
debian debian_linux 8.0
oracle linux 7
suse linux_enterprise_server 11
canonical ubuntu_linux 18.10
qemu qemu 2.1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-17963 HIGH

qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
debian debian_linux 9.0
canonical ubuntu_linux 14.04
qemu qemu 3.1.0
redhat openstack 10
redhat openstack 13
qemu qemu *
debian debian_linux 8.0
redhat openstack 14
redhat virtualization 4.0
redhat virtualization_manager 4.3
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-18438 LOW

Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value.

CVSS 2.0

Severity: LOW

Problem Type: CWE-190,

Products Affected

Vendor Product Version
redhat openstack 13
redhat openstack 9
redhat openstack 8
redhat enterprise_linux 7.0
qemu qemu -
redhat enterprise_linux 6.0
redhat openstack 12
redhat openstack 10
CVE-2018-18849 LOW

In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value.

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
opensuse leap 15.0
fedoraproject fedora 29
qemu qemu 3.0.0
opensuse leap 42.3
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-18954 LOW

The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 allows out-of-bounds write or read access to PowerNV memory.

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
opensuse leap 42.3
canonical ubuntu_linux 18.10
canonical ubuntu_linux 18.04
CVE-2018-19364 LOW

hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
fedoraproject fedora 29
debian debian_linux 9.0
opensuse leap 42.3
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
qemu qemu 3.1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-19489 LOW

v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.0 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-362,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
fedoraproject fedora 29
debian debian_linux 9.0
opensuse leap 42.3
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
qemu qemu 3.1.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-19665 LOW

The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.7 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.1 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-190,

Products Affected

Vendor Product Version
qemu qemu *
opensuse leap 42.3
qemu qemu 3.1.0
CVE-2018-20123 LOW

pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak after an initialisation error.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu *
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 30
CVE-2018-20124 LOW

hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-20125 MEDIUM

hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu *
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-20126 LOW

hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-772,

Products Affected

Vendor Product Version
qemu qemu *
opensuse leap 15.0
opensuse leap 15.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-20191 MEDIUM

hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu *
fedoraproject fedora 29
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 30
CVE-2018-20216 MEDIUM

QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-252,CWE-835,

Products Affected

Vendor Product Version
qemu qemu *
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2018-20815 HIGH

In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 3.1.0
CVE-2018-5683 LOW

The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux_desktop 6.0
debian debian_linux 9.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_server_eus 7.6
canonical ubuntu_linux 17.10
redhat enterprise_linux_server 7.0
qemu qemu *
redhat enterprise_linux_workstation 6.0
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_aus 7.7
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.6
CVE-2018-7550 MEDIUM

The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_eus 7.7
debian debian_linux 9.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_server_eus 7.6
canonical ubuntu_linux 17.10
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.5
qemu qemu *
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.6
debian debian_linux 7.0
redhat enterprise_linux_server_aus 7.7
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.6
canonical ubuntu_linux 18.04
CVE-2018-7858 LOW

Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.5
qemu qemu *
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_aus 7.6
opensuse leap 42.3
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_tus 7.6
canonical ubuntu_linux 18.04
CVE-2019-12067 LOW

The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
debian debian_linux 11.0
redhat openstack_platform 14.0
debian debian_linux 9.0
redhat openstack_platform 10.0
qemu qemu -
debian debian_linux 10.0
fedoraproject fedora 30
CVE-2019-12068 LOW

In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.8 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L 2.0 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu 1:3.1+dfsg-8+deb10u2
qemu qemu 1:2.8+dfsg-6+deb9u8
qemu qemu 1:2.1+dfsg-12+deb8u6
qemu qemu 1:3.1+dfsg-8~deb10u1
qemu qemu 1:4.1-1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 19.10
opensuse leap 15.0
opensuse leap 15.1
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 19.04
CVE-2019-12155 MEDIUM

interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu 4.0.0
CVE-2019-12247 MEDIUM

QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
qemu qemu 3.0.0
CVE-2019-12928 HIGH

The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-668,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2019-12929 HIGH

The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-668,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2019-13164 MEDIUM

qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
qemu qemu 3.1
debian debian_linux 9.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 19.10
opensuse leap 15.0
debian debian_linux 8.0
opensuse leap 15.1
qemu qemu 4.0.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 18.04
canonical ubuntu_linux 19.04
CVE-2019-15034 MEDIUM

hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.8 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H 1.0 4.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
qemu qemu 4.0.0
CVE-2019-15890 MEDIUM

libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
qemu qemu 4.1.0
libslirp_project libslirp 4.0.0
CVE-2019-20175 MEDIUM

An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-754,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2019-20382 LOW

QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.

CVSS 2.0

Severity: LOW

Problem Type: CWE-401,

Products Affected

Vendor Product Version
qemu qemu 4.1.0
canonical ubuntu_linux 20.04
opensuse leap 15.1
debian debian_linux 9.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 19.10
canonical ubuntu_linux 18.04
CVE-2019-20808 LOW

In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu 4.1.0
CVE-2019-3812 LOW

QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host.

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
fedoraproject fedora 29
opensuse leap 42.3
canonical ubuntu_linux 18.10
canonical ubuntu_linux 18.04
fedoraproject fedora 30
CVE-2019-5008 MEDIUM

hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu 3.1.50
CVE-2019-6501 LOW

In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations.

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,CWE-787,

Products Affected

Vendor Product Version
qemu qemu 3.1
fedoraproject fedora 30
CVE-2019-6778 MEDIUM

In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
opensuse leap 15.0
fedoraproject fedora 29
qemu qemu 3.0.0
opensuse leap 42.3
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
fedoraproject fedora 30
CVE-2019-8934 LOW

hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-668,

Products Affected

Vendor Product Version
qemu qemu *
opensuse leap 15.0
opensuse leap 42.3
CVE-2019-9824 LOW

tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.

CVSS 2.0

Severity: LOW

Problem Type: CWE-908,

Products Affected

Vendor Product Version
qemu qemu 3.0.0
CVE-2020-10702 LOW

A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU.

CVSS 2.0

Severity: LOW

Problem Type: CWE-325,NVD-CWE-Other,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2020-10717 LOW

A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system directory with a guest via virtio-fs device. If the guest opens the maximum number of file descriptors under the shared directory, a denial of service may occur. This flaw allows a guest user/process to cause this denial of service on the host.

CVSS 2.0

Severity: LOW

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2020-10761 MEDIUM

An assertion failure issue was found in the Network Block Device(NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,CWE-617,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
opensuse leap 15.2
CVE-2020-11102 MEDIUM

hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L 2.2 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu 4.2.0
CVE-2020-11869 LOW

An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-190,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2020-11947 LOW

iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.8 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 2.0 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu 4.1.0
CVE-2020-12829 LOW

In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.8 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L 2.0 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-190,

Products Affected

Vendor Product Version
qemu qemu *
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 18.04
CVE-2020-13253 LOW

sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
canonical ubuntu_linux 20.04
debian debian_linux 9.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 18.04
CVE-2020-13361 LOW

In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 20.04
debian debian_linux 9.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 18.04
opensuse leap 15.2
CVE-2020-13362 LOW

In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 8.0
canonical ubuntu_linux 20.04
debian debian_linux 9.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 18.04
opensuse leap 15.2
CVE-2020-13659 LOW

address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu 4.2.0
canonical ubuntu_linux 20.04
debian debian_linux 9.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 18.04
opensuse leap 15.2
CVE-2020-13754 MEDIUM

hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
canonical ubuntu_linux 20.04
debian debian_linux 9.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 18.04
CVE-2020-13765 MEDIUM

rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L 2.2 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu 4.1.0
debian debian_linux 8.0
canonical ubuntu_linux 20.04
debian debian_linux 9.0
qemu qemu 4.0.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-13791 LOW

hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2020-13800 MEDIUM

ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,

Products Affected

Vendor Product Version
qemu qemu 4.2.0
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
opensuse leap 15.2
CVE-2020-14364 MEDIUM

An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 9.0
redhat enterprise_linux 6.0
redhat openstack 10
opensuse leap 15.2
redhat openstack 13
redhat enterprise_linux 8.0
fedoraproject fedora 31
qemu qemu *
fedoraproject fedora 32
canonical ubuntu_linux 20.04
redhat enterprise_linux 7.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 18.04
CVE-2020-14394

An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.2 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L 1.5 1.4

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
fedoraproject fedora 37
fedoraproject extra_packages_for_enterprise_linux 7.0
redhat enterprise_linux 9.0
qemu qemu 6.1.50
redhat enterprise_linux 7.0
redhat enterprise_linux 5.0
redhat openstack_platform 10.0
redhat enterprise_linux 6.0
redhat openstack_platform 13.0
fedoraproject fedora 33
CVE-2020-14415 LOW

oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-369,

Products Affected

Vendor Product Version
qemu qemu *
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
CVE-2020-15469 LOW

In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.3 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L 0.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2020-15859 LOW

QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,

Products Affected

Vendor Product Version
qemu qemu 4.2.0
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2020-15863 MEDIUM

hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L 1.1 3.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 5.1.0
canonical ubuntu_linux 20.04
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 18.04
CVE-2020-16092 LOW

In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.8 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L 2.0 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-617,

Products Affected

Vendor Product Version
qemu qemu *
canonical ubuntu_linux 20.04
debian debian_linux 9.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 18.04
opensuse leap 15.2
CVE-2020-1711 MEDIUM

An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L 1.8 3.7
secalert@redhat.com 7.7 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H 1.8 5.3

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
redhat openstack 13
redhat enterprise_linux 8.0
qemu qemu *
debian debian_linux 8.0
redhat enterprise_linux 7.0
opensuse leap 15.1
debian debian_linux 9.0
redhat openstack 10
CVE-2020-17380 MEDIUM

A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L 2.0 3.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 9.0
CVE-2020-24165

An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS). Note: This is disputed as a bug and not a valid security issue by multiple third parties.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

Products Affected

Vendor Product Version
qemu qemu 4.2.0
debian debian_linux 10.0
CVE-2020-24352 LOW

An issue was discovered in QEMU through 5.1.0. An out-of-bounds memory access was found in the ATI VGA device implementation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati_2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 5.0.0
CVE-2020-25084 LOW

QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.2 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L 1.5 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,

Products Affected

Vendor Product Version
qemu qemu 5.0.0
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2020-25085 MEDIUM

QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.0 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L 0.8 3.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu 5.0.0
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2020-25624 MEDIUM

hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.0 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L 0.8 3.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu 5.0.0
debian debian_linux 10.0
CVE-2020-25625 MEDIUM

hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H 0.8 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu 5.0.0
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2020-25723 LOW

A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.2 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L 1.5 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-617,CWE-617,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 10.0
CVE-2020-25741 LOW

fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.2 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L 1.5 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu 5.0.0
CVE-2020-25742 LOW

pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.2 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L 1.5 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2020-25743 LOW

hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.2 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L 1.5 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
redhat enterprise_linux 7.0
redhat openstack_platform 13.0
CVE-2020-27616 MEDIUM

ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-682,

Products Affected

Vendor Product Version
qemu qemu 4.2.1
CVE-2020-27617 MEDIUM

eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
qemu qemu 4.2.1
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2020-27661 LOW

A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-dwc2.c in the hcd-dwc2 USB host controller emulation of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-369,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2020-27821 LOW

A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 10.0
CVE-2020-28916 LOW

hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
qemu qemu 5.0.0
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2020-29443 LOW

ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.9 LOW CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L 0.8 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
qemu qemu 5.1.0
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2020-35503 LOW

A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
qemu qemu *
fedoraproject fedora 33
CVE-2020-35504 LOW

A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 10.0
fedoraproject fedora 33
CVE-2020-35505 LOW

A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 6.0.0
debian debian_linux 10.0
CVE-2020-35506 MEDIUM

A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2020-35517 MEDIUM

A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,CWE-269,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2020-7039 MEDIUM

tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L 2.2 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
qemu qemu 4.2.0
debian debian_linux 8.0
opensuse leap 15.1
debian debian_linux 9.0
libslirp_project libslirp 4.1.0
CVE-2020-7211 MEDIUM

tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
qemu qemu 4.2.0
libslirp_project libslirp 4.1.0
CVE-2021-20181 MEDIUM

A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-367,CWE-362,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2021-20196 LOW

A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
debian debian_linux 9.0
debian debian_linux 10.0
qemu qemu 5.2.0
CVE-2021-20203 LOW

An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.2 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L 1.5 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 9.0
debian debian_linux 10.0
fedoraproject fedora 33
CVE-2021-20221 LOW

An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2021-20255 LOW

A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,CWE-674,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 9.0
CVE-2021-20257 LOW

An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,CWE-835,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_for_ibm_z_systems 8.0
redhat openstack_platform 10.0
redhat enterprise_linux 6.0
redhat openstack_platform 13.0
redhat codeready_linux_builder -
debian debian_linux 10.0
fedoraproject fedora 33
CVE-2021-20263 LOW

A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-281,CWE-281,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2021-20295 LOW

It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). CVE-2021-20295 was assigned to that Red Hat specific security regression. For more details about the original security issue CVE-2020-10756, refer to bug 1835986 or the CVE page: https://access.redhat.com/security/cve/CVE-2020-10756.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2021-3392 LOW

A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.2 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L 1.5 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 9.0
debian debian_linux 10.0
fedoraproject fedora 33
CVE-2021-3409 MEDIUM

The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L 1.5 3.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
redhat enterprise_linux 7.0
debian debian_linux 9.0
fedoraproject fedora 33
CVE-2021-3416 LOW

A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,CWE-835,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
redhat enterprise_linux 7.0
debian debian_linux 9.0
redhat enterprise_linux 6.0
debian debian_linux 10.0
fedoraproject fedora 33
CVE-2021-3507 LOW

A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L 1.8 4.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
debian debian_linux 10.0
CVE-2021-3527 LOW

A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2021-3544 LOW

Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-401,CWE-401,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 11.0
CVE-2021-3545 LOW

An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-908,CWE-908,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 11.0
CVE-2021-3546 MEDIUM

An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 11.0
CVE-2021-3582 LOW

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,CWE-119,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 10.0
CVE-2021-3607 MEDIUM

An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
qemu qemu *
fedoraproject fedora 34
debian debian_linux 10.0
CVE-2021-3608 MEDIUM

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-824,CWE-824,

Products Affected

Vendor Product Version
qemu qemu *
fedoraproject fedora 34
debian debian_linux 10.0
CVE-2021-3611 LOW

A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU versions prior to 7.0.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
CVE-2021-3638 LOW

An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
fedoraproject fedora 37
qemu qemu *
fedoraproject fedora 36
CVE-2021-3682 MEDIUM

A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-763,CWE-763,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
debian debian_linux 11.0
qemu qemu 6.1.0
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2021-3713 MEDIUM

An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 0.7 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 11.0
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2021-3735

A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

Products Affected

Vendor Product Version
debian debian_linux 11.0
qemu qemu 6.1.0
debian debian_linux 10.0
CVE-2021-3748 MEDIUM

A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
fedoraproject fedora 34
canonical ubuntu_linux 20.04
debian debian_linux 9.0
canonical ubuntu_linux 21.10
debian debian_linux 10.0
canonical ubuntu_linux 18.04
redhat enterprise_linux_advanced_virtualization_eus 8.4
CVE-2021-3750 MEDIUM

A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
CVE-2021-3929

A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

Products Affected

Vendor Product Version
qemu qemu *
fedoraproject fedora 35
fedoraproject fedora 36
CVE-2021-3930 LOW

An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-193,CWE-193,

Products Affected

Vendor Product Version
redhat enterprise_linux_for_power_little_endian 8.0
debian debian_linux 9.0
redhat openstack 10
redhat enterprise_linux_advanced_virtualization_eus 8.4
redhat codeready_linux_builder_for_ibm_z_systems 8.0
redhat openstack 13
redhat enterprise_linux 8.0
qemu qemu *
redhat codeready_linux_builder 8.0
redhat enterprise_linux_for_ibm_z_systems 8.0
debian debian_linux 10.0
redhat codeready_linux_builder_for_power_little_endian 8.0
CVE-2021-3947 LOW

A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 6.2.0
CVE-2021-4145 MEDIUM

A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu 6.1.0
CVE-2021-4158

A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

Products Affected

Vendor Product Version
qemu qemu *
redhat enterprise_linux 9.0
CVE-2021-4206 MEDIUM

A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-120,CWE-131,CWE-190,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
debian debian_linux 11.0
debian debian_linux 10.0
CVE-2021-4207 MEDIUM

A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,CWE-120,CWE-362,

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
debian debian_linux 11.0
debian debian_linux 10.0
CVE-2022-0216

A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

Products Affected

Vendor Product Version
fedoraproject fedora 37
qemu qemu *
CVE-2022-0358

A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
CVE-2022-1050 MEDIUM

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
qemu qemu *
CVE-2022-26353 MEDIUM

A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,CWE-772,

Products Affected

Vendor Product Version
qemu qemu 6.2.0
debian debian_linux 11.0
CVE-2022-26354 LOW

A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.2 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L 1.5 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-772,CWE-772,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 9.0
debian debian_linux 10.0
CVE-2022-2962

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
qemu qemu *
CVE-2022-3165

An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service.

Products Affected

Vendor Product Version
fedoraproject fedora 37
qemu qemu *
fedoraproject fedora 36
CVE-2022-35414 MEDIUM

softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-virtualization Use Case in the qemu.org reference applies here, i.e., "Bugs affecting the non-virtualization use case are not considered security bugs at this time.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-908,

Products Affected

Vendor Product Version
qemu qemu *
debian debian_linux 10.0
CVE-2022-36648

The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0

Products Affected

Vendor Product Version
qemu qemu *
CVE-2022-3872

An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 7.1.0
CVE-2022-4144

An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
fedoraproject fedora 37
qemu qemu *
fedoraproject extra_packages_for_enterprise_linux 8.0
CVE-2022-4172

An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.

Products Affected

Vendor Product Version
fedoraproject fedora 37
qemu qemu 7.0.0
CVE-2023-0330

A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 7.2.0
qemu qemu 8.0.0
debian debian_linux 10.0
CVE-2023-0664

A flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
fedoraproject fedora 37
qemu qemu *
redhat enterprise_linux 9.0
redhat enterprise_linux 7.0
CVE-2023-1386

A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 1.8 1.4

Products Affected

Vendor Product Version
fedoraproject fedora 38
qemu qemu *
CVE-2023-1544

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H 1.8 4.0

Products Affected

Vendor Product Version
fedoraproject fedora 37
qemu qemu *
CVE-2023-2680

This CVE exists because of an incomplete fix for CVE-2021-3750. More specifically, the qemu-kvm package as released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 included a version of qemu-kvm that was actually missing the fix for CVE-2021-3750.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0
secalert@redhat.com 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

Products Affected

Vendor Product Version
redhat enterprise_linux 9.0
qemu qemu -
CVE-2023-2861

A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2
patrick@puiterwijk.org 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N 0.8 5.2

Products Affected

Vendor Product Version
qemu qemu *
CVE-2023-3019

A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
redhat enterprise_linux 9.0
CVE-2023-3180

A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

Products Affected

Vendor Product Version
fedoraproject fedora 38
qemu qemu *
qemu qemu 8.1.0
debian debian_linux 10.0
CVE-2023-3255

A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
fedoraproject fedora 38
qemu qemu *
redhat enterprise_linux 9.0
CVE-2023-3301

A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 5.6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H 1.1 4.0
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H 1.1 4.0

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
redhat enterprise_linux 9.0
CVE-2023-3354

A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
fedoraproject fedora 38
qemu qemu *
redhat enterprise_linux 9.0
qemu qemu 8.1.0
redhat enterprise_linux 7.0
redhat openstack_platform 13.0
CVE-2023-40360

QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
qemu qemu *
CVE-2023-4135

A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N 1.5 4.0

Products Affected

Vendor Product Version
fedoraproject fedora 38
qemu qemu *
qemu qemu 8.1.0
CVE-2023-42467

QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
qemu qemu *
CVE-2023-5088

A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.5 5.9
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
redhat enterprise_linux 9.0
qemu qemu -
CVE-2023-6683

A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
secalert@redhat.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
redhat enterprise_linux 9.0
qemu qemu -
CVE-2023-6693

A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 1.8 3.4
secalert@redhat.com 4.9 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L 1.4 3.4

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
qemu qemu *
redhat enterprise_linux 9.0
fedoraproject fedora 39
qemu qemu -
CVE-2024-24474

QEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the length of the available FIFO data. This occurs in esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len.

Products Affected

Vendor Product Version
qemu qemu *
CVE-2024-26327

An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c mishandles the situation where a guest writes NumVFs greater than TotalVFs, leading to a buffer overflow in VF implementations.

Products Affected

Vendor Product Version
qemu qemu *
CVE-2024-26328

An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c does not set NumVFs to PCI_SRIOV_TOTAL_VF, and thus interaction with hw/nvme/ctrl.c is mishandled.

Products Affected

Vendor Product Version
qemu qemu *
CVE-2024-3447

A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

Products Affected

Vendor Product Version
qemu qemu *
qemu qemu 9.0.0
netapp hci_compute_node -
CVE-2024-3567

A flaw was found in QEMU. An assertion failure was present in the update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying to calculate the checksum of a short-sized fragmented packet. This flaw allows a malicious guest to crash QEMU and cause a denial of service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
qemu qemu *
redhat enterprise_linux 9.0
qemu qemu 9.0.0
CVE-2024-6505

A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
qemu qemu -
CVE-2024-6519

A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

Products Affected

Vendor Product Version
qemu qemu -
CVE-2024-7730

A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.4 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 1.4 5.9

Products Affected

Vendor Product Version
qemu qemu *
CVE-2024-8354

A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6
secalert@redhat.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat enterprise_linux 7.0
qemu qemu -
redhat enterprise_linux 6.0
CVE-2025-54566

hw/pci/pcie_sriov.c in QEMU through 10.0.3 has a migration state inconsistency, a related issue to CVE-2024-26327.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 4.2 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L 1.6 2.5

Products Affected

Vendor Product Version
qemu qemu *
CVE-2025-54567

hw/pci/pcie_sriov.c in QEMU through 10.0.3 mishandles the VF Enable bit write mask, a related issue to CVE-2024-26327.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 4.2 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L 1.6 2.5

Products Affected

Vendor Product Version
qemu qemu *