rpm package
almalinux/qemu-kvm-device-display-virtio-gpu-pci
pkg:rpm/almalinux/qemu-kvm-device-display-virtio-gpu-pci
Vulnerabilities (20)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-11234 | Hig | 7.5 | < 18:10.0.0-14.el10_1.5.alma.1 | 18:10.0.0-14.el10_1.5.alma.1 | Oct 3, 2025 | A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client w | |
| CVE-2024-7409 | Hig | 7.5 | < 17:9.0.0-10.el9_5 | 17:9.0.0-10.el9_5 | Aug 5, 2024 | A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. | |
| CVE-2024-4467 | Hig | 7.8 | < 17:8.2.0-11.el9_4.4 | 17:8.2.0-11.el9_4.4 | Jul 2, 2024 | A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of | |
| CVE-2024-3446 | Hig | 8.2 | < 17:9.0.0-10.el9_5 | 17:9.0.0-10.el9_5 | Apr 9, 2024 | A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU proce | |
| CVE-2024-26327 | — | < 17:9.0.0-10.el9_5 | 17:9.0.0-10.el9_5 | Feb 19, 2024 | An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c mishandles the situation where a guest writes NumVFs greater than TotalVFs, leading to a buffer overflow in VF implementations. | ||
| CVE-2023-6683 | — | < 17:8.2.0-11.el9_4 | 17:8.2.0-11.el9_4 | Jan 12, 2024 | A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. | ||
| CVE-2023-5088 | — | < 17:8.2.0-11.el9_4 | 17:8.2.0-11.el9_4 | Nov 3, 2023 | A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of | ||
| CVE-2023-2680 | — | < 17:8.0.0-16.el9_3.alma.1 | 17:8.0.0-16.el9_3.alma.1 | Sep 13, 2023 | This CVE exists because of an incomplete fix for CVE-2021-3750. More specifically, the qemu-kvm package as released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 included a version of qemu-kvm that was actually missing the fix for CVE-2021-3750. | ||
| CVE-2023-3255 | — | < 17:8.2.0-11.el9_4 | 17:8.2.0-11.el9_4 | Sep 13, 2023 | A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is | ||
| CVE-2023-42467 | — | < 17:8.2.0-11.el9_4 | 17:8.2.0-11.el9_4 | Sep 11, 2023 | QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately. | ||
| CVE-2023-3019 | Med | 6.0 | < 17:8.2.0-11.el9_4 | 17:8.2.0-11.el9_4 | Jul 24, 2023 | A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. | |
| CVE-2023-3354 | — | < 17:7.2.0-14.el9_2.5.alma.1 | 17:7.2.0-14.el9_2.5.alma.1 | Jul 11, 2023 | A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake ph | ||
| CVE-2022-4172 | — | < 17:7.2.0-14.el9_2 | 17:7.2.0-14.el9_2 | Nov 29, 2022 | An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory devic | ||
| CVE-2022-3165 | — | < 17:7.2.0-14.el9_2 | 17:7.2.0-14.el9_2 | Oct 17, 2022 | An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service. | ||
| CVE-2021-4158 | — | < 17:7.0.0-13.el9 | 17:7.0.0-13.el9 | Aug 24, 2022 | A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. | ||
| CVE-2021-3611 | — | < 17:7.0.0-13.el9 | 17:7.0.0-13.el9 | May 11, 2022 | A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability | ||
| CVE-2021-3750 | — | < 17:7.0.0-13.el9 | 17:7.0.0-13.el9 | May 2, 2022 | A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions | ||
| CVE-2022-26354 | — | < 17:6.2.0-11.el9_0.3 | 17:6.2.0-11.el9_0.3 | Mar 16, 2022 | A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0. | ||
| CVE-2022-26353 | — | < 17:6.2.0-11.el9_0.3 | 17:6.2.0-11.el9_0.3 | Mar 16, 2022 | A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0. | ||
| CVE-2021-3507 | — | < 17:7.0.0-13.el9 | 17:7.0.0-13.el9 | May 6, 2021 | A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this f |
- affected < 18:10.0.0-14.el10_1.5.alma.1fixed 18:10.0.0-14.el10_1.5.alma.1
A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client w
- affected < 17:9.0.0-10.el9_5fixed 17:9.0.0-10.el9_5
A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.
- affected < 17:8.2.0-11.el9_4.4fixed 17:8.2.0-11.el9_4.4
A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of
- affected < 17:9.0.0-10.el9_5fixed 17:9.0.0-10.el9_5
A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU proce
- CVE-2024-26327Feb 19, 2024affected < 17:9.0.0-10.el9_5fixed 17:9.0.0-10.el9_5
An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c mishandles the situation where a guest writes NumVFs greater than TotalVFs, leading to a buffer overflow in VF implementations.
- CVE-2023-6683Jan 12, 2024affected < 17:8.2.0-11.el9_4fixed 17:8.2.0-11.el9_4
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference.
- CVE-2023-5088Nov 3, 2023affected < 17:8.2.0-11.el9_4fixed 17:8.2.0-11.el9_4
A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of
- CVE-2023-2680Sep 13, 2023affected < 17:8.0.0-16.el9_3.alma.1fixed 17:8.0.0-16.el9_3.alma.1
This CVE exists because of an incomplete fix for CVE-2021-3750. More specifically, the qemu-kvm package as released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 included a version of qemu-kvm that was actually missing the fix for CVE-2021-3750.
- CVE-2023-3255Sep 13, 2023affected < 17:8.2.0-11.el9_4fixed 17:8.2.0-11.el9_4
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is
- CVE-2023-42467Sep 11, 2023affected < 17:8.2.0-11.el9_4fixed 17:8.2.0-11.el9_4
QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.
- affected < 17:8.2.0-11.el9_4fixed 17:8.2.0-11.el9_4
A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
- CVE-2023-3354Jul 11, 2023affected < 17:7.2.0-14.el9_2.5.alma.1fixed 17:7.2.0-14.el9_2.5.alma.1
A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake ph
- CVE-2022-4172Nov 29, 2022affected < 17:7.2.0-14.el9_2fixed 17:7.2.0-14.el9_2
An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory devic
- CVE-2022-3165Oct 17, 2022affected < 17:7.2.0-14.el9_2fixed 17:7.2.0-14.el9_2
An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service.
- CVE-2021-4158Aug 24, 2022affected < 17:7.0.0-13.el9fixed 17:7.0.0-13.el9
A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
- CVE-2021-3611May 11, 2022affected < 17:7.0.0-13.el9fixed 17:7.0.0-13.el9
A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability
- CVE-2021-3750May 2, 2022affected < 17:7.0.0-13.el9fixed 17:7.0.0-13.el9
A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions
- CVE-2022-26354Mar 16, 2022affected < 17:6.2.0-11.el9_0.3fixed 17:6.2.0-11.el9_0.3
A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.
- CVE-2022-26353Mar 16, 2022affected < 17:6.2.0-11.el9_0.3fixed 17:6.2.0-11.el9_0.3
A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.
- CVE-2021-3507May 6, 2021affected < 17:7.0.0-13.el9fixed 17:7.0.0-13.el9
A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this f