Qemu
by QEMU
Source repositories
CVEs (438)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-12247 | | | 0.00 | — | 0.03 | | May 22, 2019 | QEMU 3.0.0 has an integer overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: this has been disputed as not exploitable. |
| CVE-2019-5008 | | | 0.00 | — | 0.03 | | Apr 19, 2019 | hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver. |
| CVE-2018-18849 | | | 0.00 | — | 0.01 | | Mar 17, 2019 | In QEMU 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value. |
| CVE-2019-8934 | | | 0.00 | — | 0.01 | | Mar 17, 2019 | hw/ppc/spapr.c in QEMU through 3.1.0 allows information exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model host attributes with a guest. |
| CVE-2019-6778 | | | 0.00 | — | 0.01 | | Mar 17, 2019 | In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow. |
| CVE-2019-6501 | | | 0.00 | — | 0.01 | | Mar 17, 2019 | In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations. |
| CVE-2019-3812 | | | 0.00 | — | 0.00 | | Feb 19, 2019 | QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the… |
| CVE-2018-20191 | | | 0.00 | — | 0.04 | | Dec 20, 2018 | hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read, by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference). |
| CVE-2018-20124 | | | 0.00 | — | 0.00 | | Dec 20, 2018 | hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value. |
| CVE-2018-20126 | | | 0.00 | — | 0.00 | | Dec 20, 2018 | hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled. |
| CVE-2018-20125 | | | 0.00 | — | 0.04 | | Dec 20, 2018 | hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings. |
| CVE-2018-20216 | | | 0.00 | — | 0.04 | | Dec 20, 2018 | QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled). |
| CVE-2018-20123 | | | 0.00 | — | 0.00 | | Dec 17, 2018 | pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a memory leak after an initialisation error. |
| CVE-2018-16872 | | | 0.00 | — | 0.01 | | Dec 13, 2018 | A flaw was found in the QEMU Media Transfer Protocol (MTP) implementation. The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in… |
| CVE-2018-19489 | | | 0.00 | — | 0.00 | | Dec 13, 2018 | v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming. |
| CVE-2018-19364 | | | 0.00 | — | 0.01 | | Dec 13, 2018 | hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome. |
| CVE-2018-16867 | | | 0.00 | — | 0.00 | | Dec 12, 2018 | A flaw was found in the QEMU Media Transfer Protocol (MTP) implementation before version 3.1.0. A path traversal in the usb_mtp_write_data function in hw/usb/dev-mtp.c is possible due to improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write… |
| CVE-2018-19665 | | | 0.00 | — | 0.01 | | Dec 6, 2018 | The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption. |
| CVE-2018-18954 | | | 0.00 | — | 0.01 | | Nov 15, 2018 | The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in QEMU before 3.1 allows out-of-bounds write or read access to PowerNV memory. |
| CVE-2018-16847 | | | 0.00 | — | 0.01 | | Nov 2, 2018 | An out-of-bounds heap buffer read/write access issue was found in the NVM Express Controller emulation in QEMU. It could occur in the nvme_cmb_ops routines of the nvme device. A guest user/process could use this flaw to crash the QEMU process, resulting in a DoS, or potentially run arbitrary code with… |
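Most entries above share one root cause: a device model trusted a value the guest wrote into shared memory (a descriptor count, a length, a filename) and used it as a loop bound, an array index or a host path. The C example below is added here and is not QEMU's own code nor the fix for any listed CVE; it shows the two checks a device-emulation author would want for the bug classes in this table: bounding a guest-supplied scatter-gather count before it is used (the num_sge pattern of CVE-2018-20124, with the unchecked shape beside the hardened one) and confining a guest-supplied MTP object name to a single path component (the write path of CVE-2018-16867). MAX_SGE, sge_t, wqe_t, build_sge_list_unchecked, build_sge_list_checked, mtp_name_ok and the sample work-queue elements are all hypothetical names and constructed inputs chosen for illustration.

```c
/* Added example (not QEMU's code): validating guest-controlled input in
 * a device model. All names and limits below are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SGE 4u   /* assumed capacity of the backend's fixed SGE array */

typedef struct { uint64_t addr; uint32_t length; uint32_t lkey; } sge_t;

/* Work-queue element exactly as the guest lays it out in ring memory:
 * num_sge is guest-controlled and must be treated as hostile. */
typedef struct { uint32_t num_sge; sge_t sge[MAX_SGE]; } wqe_t;

/* Vulnerable shape: the loop bound is taken straight from guest memory.
 * With num_sge > MAX_SGE this walks past wqe->sge and past out[]. Only
 * ever call it with a sane WQE; it is here for comparison. */
static int build_sge_list_unchecked(const wqe_t *wqe, sge_t *out)
{
    for (uint32_t i = 0; i < wqe->num_sge; i++)
        out[i] = wqe->sge[i];
    return (int)wqe->num_sge;
}

/* Hardened shape: snapshot the count once (guest ring memory can change
 * under us), reject it against the host-side capacity before any access,
 * log for the host operator, and return an error the caller propagates so
 * the request is dropped rather than retried. */
static int build_sge_list_checked(const wqe_t *wqe, sge_t *out, size_t out_cap)
{
    uint32_t n = wqe->num_sge;
    if (n == 0 || n > MAX_SGE || n > out_cap) {
        fprintf(stderr, "rdma: guest num_sge=%u exceeds limit %u\n", n, MAX_SGE);
        return -1;
    }
    for (uint32_t i = 0; i < n; i++)
        out[i] = wqe->sge[i];
    return (int)n;
}

/* Guest-supplied MTP object name: accept only a single path component.
 * Rejects empty names, "." and "..", any '/', control characters and
 * names longer than an assumed 255-byte host limit. Returns 1 if safe. */
static int mtp_name_ok(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len == 0 || len > 255) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c < 0x20 || c == 0x7f) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample WQEs: one sane, one with an oversized count. */
    wqe_t good = { .num_sge = 2 };
    wqe_t evil = { .num_sge = 0x7fffffffu };
    sge_t out[MAX_SGE];

    printf("unchecked, sane input: %d entries\n", build_sge_list_unchecked(&good, out));
    printf("checked, sane input:   %d entries\n", build_sge_list_checked(&good, out, MAX_SGE));
    printf("checked, hostile input: %d (rejected)\n", build_sge_list_checked(&evil, out, MAX_SGE));
    printf("name \"photo.jpg\" ok=%d\n", mtp_name_ok("photo.jpg"));
    printf("name \"../../etc/passwd\" ok=%d\n", mtp_name_ok("../../etc/passwd"));
    return 0;
}
```

The count is copied into a local before the check and the loop deliberately reuse that local: re-reading wqe->num_sge after validation would reopen the time-of-check/time-of-use window that the 9pfs and MTP race entries (CVE-2018-19364, CVE-2018-16872) describe, since the guest can rewrite ring memory at any time. The filename check is a whitelist on shape rather than a blacklist of known-bad strings, so a name containing a backslash or a NUL in the middle is also refused by the length and single-component rules.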
Page 18 of 22