CVE-2013-4344
Description
A buffer overflow in QEMU's SCSI REPORT LUNS command, triggered when a SCSI controller has over 256 devices, allows local privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overflow exists in QEMU's SCSI implementation, specifically in the handling of the REPORT LUNS command. The vulnerability is present when a SCSI controller has more than 256 attached devices. The overflow occurs when a REPORT LUNS command with a short transfer buffer (less than 2056 bytes) is sent to the controller. This affects QEMU versions up to and including 1.6.1 [3]. Xen systems are vulnerable only if they use the QEMU SCSI code, which is not the default [3]. The issue is assigned CVE-2013-4344 [3].
Exploitation
Exploitation requires local access to a QEMU guest that has a SCSI controller with more than 256 attached devices (e.g., disks). The attacker must be able to send a crafted SCSI REPORT LUNS command with a small transfer buffer. No authentication or special privileges beyond guest user access are needed [1][3]. The sequence involves configuring a SCSI controller with >256 devices, then issuing the REPORT LUNS command with a buffer size smaller than 2056 bytes to trigger the overflow [1][3].
Impact
A successful overflow can allow a local guest user to escalate privileges to those of the QEMU process, potentially leading to host compromise. The impact is privilege elevation, as the guest user can execute arbitrary code within the QEMU context [1][3][4]. This could result in full control over the QEMU instance and potentially the host system [1].
Mitigation
Red Hat released RHSA-2013-1553 [1] and RHSA-2013-1754 [2] for Red Hat Enterprise Linux, and Ubuntu released USN-2092-1 [4] for Ubuntu. Patched QEMU versions include qemu-kvm-0.12.1.2-2.417.el5_10.2 and later for RHEL 5, and qemu-kvm-1.4.0-21.el7_0.3 for RHEL 7 [1][2]. Users should update to the fixed QEMU package provided by their distribution. For Xen, the vulnerability can be avoided by not using QEMU SCSI controllers, but the recommended action is to apply the patch [3].
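A triage aid for the precondition described above (a SCSI controller with more than 256 attached devices), added here as an example and not taken from this record, QEMU, or any vendor advisory. It assumes devices are declared as `-device <model>,bus=<bus>,...` on the QEMU command line and treats each `bus=` value as one controller; the sample arguments are constructed.

```python
"""Count SCSI devices per bus in a QEMU command line (added triage example)."""
import re
from collections import Counter

# QEMU device models that attach to a SCSI bus.
SCSI_DEVICE_MODELS = {"scsi-hd", "scsi-cd", "scsi-disk", "scsi-generic", "scsi-block"}
LIMIT = 256  # threshold stated in the record: more than 256 devices on one controller
UNSPECIFIED_BUS = "<no bus= given>"  # label used by this example only


def split_cmdline(raw):
    """Split the NUL-separated bytes of /proc/<pid>/cmdline into an argv list."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def scsi_devices_per_bus(argv):
    """Return Counter {bus name: number of SCSI devices declared on it}."""
    counts = Counter()
    for flag, value in zip(argv, argv[1:]):
        if flag != "-device":
            continue
        model, _, props = value.partition(",")
        if model not in SCSI_DEVICE_MODELS:
            continue  # controllers and non-SCSI devices are not counted
        m = re.search(r"(?:^|,)bus=([^,]+)", props)
        counts[m.group(1) if m else UNSPECIFIED_BUS] += 1
    return counts


def buses_over_limit(argv, limit=LIMIT):
    """Buses whose device count meets the record's '>256 devices' precondition."""
    return sorted(b for b, n in scsi_devices_per_bus(argv).items() if n > limit)


def constructed_argv(n_on_scsi0):
    """Constructed sample: n disks on scsi0.0 plus one CD-ROM on scsi1.0."""
    argv = ["qemu-system-x86_64",
            "-device", "virtio-scsi-pci,id=scsi0",
            "-device", "virtio-scsi-pci,id=scsi1"]
    for i in range(n_on_scsi0):
        argv += ["-device", "scsi-hd,bus=scsi0.0,drive=d%d,lun=%d" % (i, i)]
    return argv + ["-device", "scsi-cd,bus=scsi1.0,drive=cd0"]


if __name__ == "__main__":
    raw = b"\0".join(a.encode() for a in constructed_argv(257)) + b"\0"
    print(buses_over_limit(split_cmdline(raw)))
```

Guests flagged this way are the ones to patch first; devices declared without `bus=` are grouped under one label and need a manual look.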
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (11)
- cpe:2.3:a:redhat:virtualization:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
References (9)
- lists.opensuse.org/opensuse-security-announce/2014-10/msg00002.html (nvd: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2014-10/msg00003.html (nvd: Mailing List, Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2013-1553.html (nvd: Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2013-1754.html (nvd: Third Party Advisory)
- www.openwall.com/lists/oss-security/2013/10/02/2 (nvd: Mailing List, Third Party Advisory)
- www.securityfocus.com/bid/62773 (nvd: Third Party Advisory, VDB Entry)
- www.ubuntu.com/usn/USN-2092-1 (nvd: Third Party Advisory)
- article.gmane.org/gmane.comp.emulators.qemu/237191 (nvd: Broken Link)
- osvdb.org/98028 (nvd: Broken Link)