Qemu
by QEMU
Source repositories
CVEs (438)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-15034 | 0.00 | — | 0.00 | Mar 10, 2020 | hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space. | |||
| CVE-2019-20382 | 0.00 | — | 0.01 | Mar 5, 2020 | QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd. | |||
| CVE-2020-1711 | 0.00 | — | 0.04 | Feb 11, 2020 | An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote… | |||
| CVE-2013-4535 | 0.00 | — | 0.01 | Feb 11, 2020 | The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read. | |||
| CVE-2014-0148 | 0.00 | — | 0.00 | Feb 11, 2020 | Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like… | |||
| CVE-2014-0147 | 0.00 | — | 0.00 | Feb 11, 2020 | Qemu before 1.6.2 block diver for the various disk image formats used by Bochs and for the QCOW version 2 format, are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount()… | |||
| CVE-2014-0144 | 0.00 | — | 0.01 | Feb 11, 2020 | QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host… | |||
| CVE-2015-6815 | 0.00 | — | 0.01 | Jan 31, 2020 | The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors. | |||
| CVE-2015-5239 | 0.00 | — | 0.04 | Jan 23, 2020 | Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop. | |||
| CVE-2015-5278 | 0.00 | — | 0.02 | Jan 23, 2020 | The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets. | |||
| CVE-2015-5745 | 0.00 | — | 0.03 | Jan 23, 2020 | Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message. | |||
| CVE-2013-4532 | 0.00 | — | 0.00 | Jan 2, 2020 | Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. | |||
| CVE-2019-20175 | 0.00 | — | 0.03 | Dec 31, 2019 | An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a… | |||
| CVE-2013-2016 | 0.00 | — | 0.01 | Dec 30, 2019 | A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the… | |||
| CVE-2019-12068 | 0.00 | — | 0.01 | Sep 24, 2019 | In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to… | |||
| CVE-2019-13164 | 0.00 | — | 0.01 | Jul 3, 2019 | qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass. | |||
| CVE-2019-12929 | 0.00 | — | 0.05 | Jun 24, 2019 | The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a… | |||
| CVE-2019-9824 | 0.00 | — | 0.01 | Jun 3, 2019 | tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure. | |||
| CVE-2018-20815 | 0.00 | — | 0.04 | May 31, 2019 | In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk. | |||
| CVE-2019-12155 | 0.00 | — | 0.06 | May 24, 2019 | interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference. |
- CVE-2019-15034Mar 10, 2020risk 0.00cvss —epss 0.00
hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space.
- CVE-2019-20382Mar 5, 2020risk 0.00cvss —epss 0.01
QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.
- CVE-2020-1711Feb 11, 2020risk 0.00cvss —epss 0.04
An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote…
- CVE-2013-4535Feb 11, 2020risk 0.00cvss —epss 0.01
The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read.
- CVE-2014-0148Feb 11, 2020risk 0.00cvss —epss 0.00
Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like…
- CVE-2014-0147Feb 11, 2020risk 0.00cvss —epss 0.00
Qemu before 1.6.2 block diver for the various disk image formats used by Bochs and for the QCOW version 2 format, are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount()…
- CVE-2014-0144Feb 11, 2020risk 0.00cvss —epss 0.01
QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host…
- CVE-2015-6815Jan 31, 2020risk 0.00cvss —epss 0.01
The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.
- CVE-2015-5239Jan 23, 2020risk 0.00cvss —epss 0.04
Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.
- CVE-2015-5278Jan 23, 2020risk 0.00cvss —epss 0.02
The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets.
- CVE-2015-5745Jan 23, 2020risk 0.00cvss —epss 0.03
Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.
- CVE-2013-4532Jan 2, 2020risk 0.00cvss —epss 0.00
Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.
- CVE-2019-20175Dec 31, 2019risk 0.00cvss —epss 0.03
An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a…
- CVE-2013-2016Dec 30, 2019risk 0.00cvss —epss 0.01
A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the…
- CVE-2019-12068Sep 24, 2019risk 0.00cvss —epss 0.01
In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to…
- CVE-2019-13164Jul 3, 2019risk 0.00cvss —epss 0.01
qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.
- CVE-2019-12929Jun 24, 2019risk 0.00cvss —epss 0.05
The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a…
- CVE-2019-9824Jun 3, 2019risk 0.00cvss —epss 0.01
tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.
- CVE-2018-20815May 31, 2019risk 0.00cvss —epss 0.04
In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk.
- CVE-2019-12155May 24, 2019risk 0.00cvss —epss 0.06
interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference.
Page 17 of 22