rpm package
almalinux/qemu-img
pkg:rpm/almalinux/qemu-img
Vulnerabilities (73)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-11234 | Hig | 7.5 | < 18:10.0.0-14.el10_1.5.alma.1 | 18:10.0.0-14.el10_1.5.alma.1 | Oct 3, 2025 | A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client w | |
| CVE-2025-49133 | — | < 15:6.2.0-53.module_el8.10.0+4031+06966654.4 | 15:6.2.0-53.module_el8.10.0+4031+06966654.4 | Jun 10, 2025 | Libtpms is a library that targets the integration of TPM functionality into hypervisors, primarily into Qemu. Libtpms, which is derived from the TPM 2.0 reference implementation code published by the Trusted Computing Group, is prone to a potential out of bounds (OOB) read vulner | ||
| CVE-2024-11699 | — | < 18:10.1.0-16.el10_2.alma.1 | 18:10.1.0-16.el10_2.alma.1 | Nov 26, 2024 | Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < | ||
| CVE-2024-11697 | — | < 18:10.1.0-16.el10_2.alma.1 | 18:10.1.0-16.el10_2.alma.1 | Nov 26, 2024 | When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thu | ||
| CVE-2024-11696 | — | < 18:10.1.0-16.el10_2.alma.1 | 18:10.1.0-16.el10_2.alma.1 | Nov 26, 2024 | The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation proces | ||
| CVE-2024-11695 | — | < 18:10.1.0-16.el10_2.alma.1 | 18:10.1.0-16.el10_2.alma.1 | Nov 26, 2024 | A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. | ||
| CVE-2024-11694 | — | < 18:10.1.0-16.el10_2.alma.1 | 18:10.1.0-16.el10_2.alma.1 | Nov 26, 2024 | Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. T | ||
| CVE-2024-11692 | — | < 18:10.1.0-16.el10_2.alma.1 | 18:10.1.0-16.el10_2.alma.1 | Nov 26, 2024 | An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. | ||
| CVE-2024-7409 | Hig | 7.5 | < 15:6.2.0-53.module_el8.10.0+3897+eb84924d | 15:6.2.0-53.module_el8.10.0+3897+eb84924d | Aug 5, 2024 | A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. | |
| CVE-2024-7383 | Hig | 7.4 | < 15:6.2.0-53.module_el8.10.0+3897+eb84924d | 15:6.2.0-53.module_el8.10.0+3897+eb84924d | Aug 5, 2024 | A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic. | |
| CVE-2024-4467 | Hig | 7.8 | < 17:8.2.0-11.el9_4.4 | 17:8.2.0-11.el9_4.4 | Jul 2, 2024 | A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of | |
| CVE-2024-4418 | Med | 6.2 | < 15:6.2.0-49.module_el8.10.0+3839+c94ce74b | 15:6.2.0-49.module_el8.10.0+3839+c94ce74b | May 8, 2024 | A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while | |
| CVE-2024-3446 | Hig | 8.2 | < 15:6.2.0-53.module_el8.10.0+3897+eb84924d | 15:6.2.0-53.module_el8.10.0+3897+eb84924d | Apr 9, 2024 | A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU proce | |
| CVE-2024-26327 | — | < 17:9.0.0-10.el9_5 | 17:9.0.0-10.el9_5 | Feb 19, 2024 | An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c mishandles the situation where a guest writes NumVFs greater than TotalVFs, leading to a buffer overflow in VF implementations. | ||
| CVE-2023-6683 | — | < 17:8.2.0-11.el9_4 | 17:8.2.0-11.el9_4 | Jan 12, 2024 | A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. | ||
| CVE-2023-5088 | — | < 17:8.2.0-11.el9_4 | 17:8.2.0-11.el9_4 | Nov 3, 2023 | A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of | ||
| CVE-2023-2680 | — | < 17:8.0.0-16.el9_3.alma.1 | 17:8.0.0-16.el9_3.alma.1 | Sep 13, 2023 | This CVE exists because of an incomplete fix for CVE-2021-3750. More specifically, the qemu-kvm package as released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 included a version of qemu-kvm that was actually missing the fix for CVE-2021-3750. | ||
| CVE-2023-3255 | — | < 17:8.2.0-11.el9_4 | 17:8.2.0-11.el9_4 | Sep 13, 2023 | A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is | ||
| CVE-2023-3301 | — | < 15:6.2.0-40.module_el8.9.0+3681+41cbbcc0.1.alma.1 | 15:6.2.0-40.module_el8.9.0+3681+41cbbcc0.1.alma.1 | Sep 13, 2023 | A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service. | ||
| CVE-2023-42467 | — | < 17:8.2.0-11.el9_4 | 17:8.2.0-11.el9_4 | Sep 11, 2023 | QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately. |
- affected < 18:10.0.0-14.el10_1.5.alma.1fixed 18:10.0.0-14.el10_1.5.alma.1
A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client w
- CVE-2025-49133Jun 10, 2025affected < 15:6.2.0-53.module_el8.10.0+4031+06966654.4fixed 15:6.2.0-53.module_el8.10.0+4031+06966654.4
Libtpms is a library that targets the integration of TPM functionality into hypervisors, primarily into Qemu. Libtpms, which is derived from the TPM 2.0 reference implementation code published by the Trusted Computing Group, is prone to a potential out of bounds (OOB) read vulner
- CVE-2024-11699Nov 26, 2024affected < 18:10.1.0-16.el10_2.alma.1fixed 18:10.1.0-16.el10_2.alma.1
Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox <
- CVE-2024-11697Nov 26, 2024affected < 18:10.1.0-16.el10_2.alma.1fixed 18:10.1.0-16.el10_2.alma.1
When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thu
- CVE-2024-11696Nov 26, 2024affected < 18:10.1.0-16.el10_2.alma.1fixed 18:10.1.0-16.el10_2.alma.1
The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation proces
- CVE-2024-11695Nov 26, 2024affected < 18:10.1.0-16.el10_2.alma.1fixed 18:10.1.0-16.el10_2.alma.1
A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
- CVE-2024-11694Nov 26, 2024affected < 18:10.1.0-16.el10_2.alma.1fixed 18:10.1.0-16.el10_2.alma.1
Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. T
- CVE-2024-11692Nov 26, 2024affected < 18:10.1.0-16.el10_2.alma.1fixed 18:10.1.0-16.el10_2.alma.1
An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
- affected < 15:6.2.0-53.module_el8.10.0+3897+eb84924dfixed 15:6.2.0-53.module_el8.10.0+3897+eb84924d
A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.
- affected < 15:6.2.0-53.module_el8.10.0+3897+eb84924dfixed 15:6.2.0-53.module_el8.10.0+3897+eb84924d
A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.
- affected < 17:8.2.0-11.el9_4.4fixed 17:8.2.0-11.el9_4.4
A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of
- affected < 15:6.2.0-49.module_el8.10.0+3839+c94ce74bfixed 15:6.2.0-49.module_el8.10.0+3839+c94ce74b
A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while
- affected < 15:6.2.0-53.module_el8.10.0+3897+eb84924dfixed 15:6.2.0-53.module_el8.10.0+3897+eb84924d
A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU proce
- CVE-2024-26327Feb 19, 2024affected < 17:9.0.0-10.el9_5fixed 17:9.0.0-10.el9_5
An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c mishandles the situation where a guest writes NumVFs greater than TotalVFs, leading to a buffer overflow in VF implementations.
- CVE-2023-6683Jan 12, 2024affected < 17:8.2.0-11.el9_4fixed 17:8.2.0-11.el9_4
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference.
- CVE-2023-5088Nov 3, 2023affected < 17:8.2.0-11.el9_4fixed 17:8.2.0-11.el9_4
A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of
- CVE-2023-2680Sep 13, 2023affected < 17:8.0.0-16.el9_3.alma.1fixed 17:8.0.0-16.el9_3.alma.1
This CVE exists because of an incomplete fix for CVE-2021-3750. More specifically, the qemu-kvm package as released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 included a version of qemu-kvm that was actually missing the fix for CVE-2021-3750.
- CVE-2023-3255Sep 13, 2023affected < 17:8.2.0-11.el9_4fixed 17:8.2.0-11.el9_4
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is
- CVE-2023-3301Sep 13, 2023affected < 15:6.2.0-40.module_el8.9.0+3681+41cbbcc0.1.alma.1fixed 15:6.2.0-40.module_el8.9.0+3681+41cbbcc0.1.alma.1
A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service.
- CVE-2023-42467Sep 11, 2023affected < 17:8.2.0-11.el9_4fixed 17:8.2.0-11.el9_4
QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.
Page 1 of 4