VYPR
Unrated severity · NVD Advisory · Published Jun 21, 2012 · Updated Apr 29, 2026

CVE-2011-1751

Description

The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • QEMU/Qemu: 75 versions

Vulnerability mechanics

Root cause

"Missing input validation in pciej_write allows unplugging non-hotpluggable PCI devices, leading to use-after-free."

Attack vector

A privileged guest user writes a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, triggering `pciej_write` [ref_id=2]. The function does not validate whether the targeted device is hotpluggable [CWE-20]; it will unplug the PIIX4 ISA bridge even though that device is not designed to be removed [ref_id=2]. Unplugging the ISA bridge frees its memory while active qemu timers still reference that memory, causing a use-after-free that crashes the guest and may allow arbitrary code execution on the host [ref_id=2].

Affected code

The vulnerable function is `pciej_write` in `hw/acpi_piix4.c` [ref_id=2]. The code iterates over devices on the PCI bus and calls `qdev_free` on any device matching the requested slot number, without first checking whether that device is marked as non-hotpluggable [ref_id=2].

What the fix does

The patch adds a check for `info->no_hotplug` before calling `qdev_free` [ref_id=2]. It retrieves the `PCIDeviceInfo` for each candidate device via `container_of(qdev->info, PCIDeviceInfo, qdev)` and skips the unplug if `info->no_hotplug` is set [ref_id=2]. This prevents the guest from forcibly removing non-hotpluggable devices such as the ISA bridge, eliminating the use-after-free condition [ref_id=2].
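To make the fix concrete, here is an added model of the eject-port logic (constructed for this page, not QEMU's code): the pre-fix handler removes whatever occupies the selected slot, while the fixed handler skips devices flagged `no_hotplug`, as the patch does before `qdev_free`. The `Dev`/`Bus` types, the function names and the sample bus layout are hypothetical, and treating the written value as a slot bitmask whose lowest set bit selects the slot is an assumption about the real handler.

```c
/* Constructed model of a PIIX4-style PCI eject handler; not QEMU's code. */
#define MAX_DEVS 8

typedef struct {
    const char *name;
    int slot;        /* PCI slot the device occupies */
    int no_hotplug;  /* set on devices that must never be ejected (e.g. ISA bridge) */
    int present;     /* 1 while the device is still plugged in */
} Dev;

typedef struct { Dev devs[MAX_DEVS]; int n; } Bus;

/* The guest writes a bitmask to the eject port; the lowest set bit names the
 * slot (assumed to mirror the real handler). Returns -1 for val == 0. */
static int slot_from_eject_value(unsigned val) {
    for (int bit = 0; bit < 32; bit++)
        if (val & (1u << bit)) return bit;
    return -1;
}

/* Pre-fix logic: ejects whatever sits in the slot, ISA bridge included. */
int pciej_write_vulnerable(Bus *bus, unsigned val) {
    int slot = slot_from_eject_value(val), removed = 0;
    for (int i = 0; i < bus->n; i++) {
        Dev *d = &bus->devs[i];
        if (d->present && d->slot == slot) { d->present = 0; removed++; }
    }
    return removed;   /* in QEMU the freed bridge stays referenced by its timers */
}

/* Post-fix logic: the no_hotplug check the patch adds before freeing. */
int pciej_write_fixed(Bus *bus, unsigned val) {
    int slot = slot_from_eject_value(val), removed = 0;
    for (int i = 0; i < bus->n; i++) {
        Dev *d = &bus->devs[i];
        if (d->present && d->slot == slot && !d->no_hotplug) {
            d->present = 0;
            removed++;
        }
    }
    return removed;
}

/* Constructed sample bus: ISA bridge in slot 1, a hotpluggable NIC in slot 3. */
Bus sample_bus(void) {
    Bus b = { .n = 2 };
    b.devs[0] = (Dev){ "piix4-isa-bridge", 1, 1, 1 };
    b.devs[1] = (Dev){ "hotplug-nic", 3, 0, 1 };
    return b;
}
```

Ejecting slot 1 removes the bridge under the old logic and is a no-op under the fixed logic, while the hotpluggable NIC in slot 3 can still be unplugged either way.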

Preconditions

  • Auth: Guest must have root privileges to write to the 0xae08 I/O port
  • Config: QEMU must be using the PIIX4 chipset emulation (default for many x86 guests)
  • Config: The exploit requires '-net user' networking (or no -net options, which defaults to '-net nic -net user')

Reproduction

The public exploit (virtunoid) is available at [ref_id=1]. It must be run as root inside the guest. The provided version targets Ubuntu's qemu-kvm_0.14.0+noroms-0ubuntu4_amd64; for other builds the addresses in virtunoid-config.h must be adjusted [ref_id=1]. The exploit is built into an initrd and launched with `kvm -kernel bzImage -initrd initrd.gz` [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (17)
