VYPR

bhyve

by FreeBSD

CVEs (19)

  • CVE-2018-17160CriDec 4, 2018
    risk 0.65cvss 10.0epss 0.03

    In FreeBSD before 11.2-STABLE(r341486) and 11.2-RELEASE-p6, insufficient bounds checking in one of the device models provided by bhyve can permit a guest operating system to overwrite memory in the bhyve host possibly permitting arbitrary code execution. A guest OS using a…

  • CVE-2019-5604CriJul 26, 2019
    risk 0.63cvss 9.6epss 0.03

    In FreeBSD 12.0-STABLE before r350246, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r350247, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, the emulated XHCI device included with the bhyve hypervisor did not properly validate data…

  • CVE-2024-8178HigSep 5, 2024
    risk 0.57cvss 8.8epss 0.01

    The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve…

  • CVE-2024-43110HigSep 5, 2024
    risk 0.57cvss 8.8epss 0.00

    The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically…

  • CVE-2022-23087HigFeb 15, 2024
    risk 0.57cvss 8.8epss 0.00

    The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an…

  • CVE-2023-3494HigAug 1, 2023
    risk 0.57cvss 8.8epss 0.00

    The fwctl driver implements a state machine which is executed when a bhyve guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer…

  • CVE-2024-41928HigSep 5, 2024
    risk 0.55cvss 8.4epss 0.00

    Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available…

  • CVE-2024-41721HigSep 20, 2024
    risk 0.53cvss 8.1epss 0.01

    An insufficient boundary validation in the USB code could lead to an out-of-bounds read on the heap, which could potentially lead to an arbitrary write and remote code execution.

  • CVE-2024-32668HigSep 5, 2024
    risk 0.53cvss 8.2epss 0.00

    An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve…

  • CVE-2020-24718HigSep 25, 2020
    risk 0.53cvss 8.2epss 0.01

    bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges…

  • CVE-2021-29631HigAug 30, 2021
    risk 0.51cvss 7.8epss 0.00

    In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before r370400, 11.4-STABLE before r370399, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, certain VirtIO-based device models in bhyve failed to handle errors when fetching I/O…

  • CVE-2020-10565HigMar 14, 2020
    risk 0.51cvss 7.8epss 0.00

    grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, does not validate the address provided as part of a memrw command (read_* or write_*) by a guest through a grub2.cfg file. This allows an untrusted guest to perform arbitrary read or write operations in the…

  • CVE-2016-1889HigFeb 15, 2017
    risk 0.51cvss 7.8epss 0.00

    Integer overflow in the bhyve hypervisor in FreeBSD 10.1, 10.2, 10.3, and 11.0 when configured with a large amount of guest memory, allows local users to gain privilege via a crafted device descriptor.

  • CVE-2024-51564HigNov 12, 2024
    risk 0.49cvss 7.5epss 0.00

    A guest can trigger an infinite loop in the hda audio driver.

  • CVE-2019-5609HigAug 30, 2019
    risk 0.49cvss 7.5epss 0.01

    In FreeBSD 12.0-STABLE before r350619, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350619, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bhyve e1000 device emulation used a guest-provided value to determine the size of the…

  • CVE-2024-51566MedNov 12, 2024
    risk 0.42cvss 6.5epss 0.00

    The NVMe driver queue processing is vulernable to guest-induced infinite loops.

  • CVE-2024-51565MedNov 12, 2024
    risk 0.42cvss 6.5epss 0.00

    The hda driver is vulnerable to a buffer over-read from a guest-controlled value.

  • CVE-2024-51563MedNov 12, 2024
    risk 0.42cvss 6.5epss 0.00

    The virtio_vq_recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition.

  • CVE-2024-51562MedNov 12, 2024
    risk 0.42cvss 6.5epss 0.00

    The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer over-read from a guest-controlled value.