bhyve
by FreeBSD
CVEs (19)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-17160 | Cri | 0.65 | 10.0 | 0.03 | Dec 4, 2018 | In FreeBSD before 11.2-STABLE(r341486) and 11.2-RELEASE-p6, insufficient bounds checking in one of the device models provided by bhyve can permit a guest operating system to overwrite memory in the bhyve host possibly permitting arbitrary code execution. A guest OS using a… | ||
| CVE-2019-5604 | Cri | 0.63 | 9.6 | 0.03 | Jul 26, 2019 | In FreeBSD 12.0-STABLE before r350246, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r350247, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, the emulated XHCI device included with the bhyve hypervisor did not properly validate data… | ||
| CVE-2024-8178 | Hig | 0.57 | 8.8 | 0.01 | Sep 5, 2024 | The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve… | ||
| CVE-2024-43110 | Hig | 0.57 | 8.8 | 0.00 | Sep 5, 2024 | The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically… | ||
| CVE-2022-23087 | Hig | 0.57 | 8.8 | 0.00 | Feb 15, 2024 | The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an… | ||
| CVE-2023-3494 | Hig | 0.57 | 8.8 | 0.00 | Aug 1, 2023 | The fwctl driver implements a state machine which is executed when a bhyve guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer… | ||
| CVE-2024-41928 | Hig | 0.55 | 8.4 | 0.00 | Sep 5, 2024 | Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available… | ||
| CVE-2024-41721 | Hig | 0.53 | 8.1 | 0.01 | Sep 20, 2024 | An insufficient boundary validation in the USB code could lead to an out-of-bounds read on the heap, which could potentially lead to an arbitrary write and remote code execution. | ||
| CVE-2024-32668 | Hig | 0.53 | 8.2 | 0.00 | Sep 5, 2024 | An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve… | ||
| CVE-2020-24718 | Hig | 0.53 | 8.2 | 0.01 | Sep 25, 2020 | bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges… | ||
| CVE-2021-29631 | Hig | 0.51 | 7.8 | 0.00 | Aug 30, 2021 | In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before r370400, 11.4-STABLE before r370399, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, certain VirtIO-based device models in bhyve failed to handle errors when fetching I/O… | ||
| CVE-2020-10565 | Hig | 0.51 | 7.8 | 0.00 | Mar 14, 2020 | grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, does not validate the address provided as part of a memrw command (read_* or write_*) by a guest through a grub2.cfg file. This allows an untrusted guest to perform arbitrary read or write operations in the… | ||
| CVE-2016-1889 | Hig | 0.51 | 7.8 | 0.00 | Feb 15, 2017 | Integer overflow in the bhyve hypervisor in FreeBSD 10.1, 10.2, 10.3, and 11.0 when configured with a large amount of guest memory, allows local users to gain privilege via a crafted device descriptor. | ||
| CVE-2024-51564 | Hig | 0.49 | 7.5 | 0.00 | Nov 12, 2024 | A guest can trigger an infinite loop in the hda audio driver. | ||
| CVE-2019-5609 | Hig | 0.49 | 7.5 | 0.01 | Aug 30, 2019 | In FreeBSD 12.0-STABLE before r350619, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350619, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bhyve e1000 device emulation used a guest-provided value to determine the size of the… | ||
| CVE-2024-51566 | Med | 0.42 | 6.5 | 0.00 | Nov 12, 2024 | The NVMe driver queue processing is vulernable to guest-induced infinite loops. | ||
| CVE-2024-51565 | Med | 0.42 | 6.5 | 0.00 | Nov 12, 2024 | The hda driver is vulnerable to a buffer over-read from a guest-controlled value. | ||
| CVE-2024-51563 | Med | 0.42 | 6.5 | 0.00 | Nov 12, 2024 | The virtio_vq_recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition. | ||
| CVE-2024-51562 | Med | 0.42 | 6.5 | 0.00 | Nov 12, 2024 | The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer over-read from a guest-controlled value. |
- risk 0.65cvss 10.0epss 0.03
In FreeBSD before 11.2-STABLE(r341486) and 11.2-RELEASE-p6, insufficient bounds checking in one of the device models provided by bhyve can permit a guest operating system to overwrite memory in the bhyve host possibly permitting arbitrary code execution. A guest OS using a…
- risk 0.63cvss 9.6epss 0.03
In FreeBSD 12.0-STABLE before r350246, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r350247, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, the emulated XHCI device included with the bhyve hypervisor did not properly validate data…
- risk 0.57cvss 8.8epss 0.01
The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve…
- risk 0.57cvss 8.8epss 0.00
The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically…
- risk 0.57cvss 8.8epss 0.00
The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an…
- risk 0.57cvss 8.8epss 0.00
The fwctl driver implements a state machine which is executed when a bhyve guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer…
- risk 0.55cvss 8.4epss 0.00
Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available…
- risk 0.53cvss 8.1epss 0.01
An insufficient boundary validation in the USB code could lead to an out-of-bounds read on the heap, which could potentially lead to an arbitrary write and remote code execution.
- risk 0.53cvss 8.2epss 0.00
An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve…
- risk 0.53cvss 8.2epss 0.01
bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges…
- risk 0.51cvss 7.8epss 0.00
In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before r370400, 11.4-STABLE before r370399, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, certain VirtIO-based device models in bhyve failed to handle errors when fetching I/O…
- risk 0.51cvss 7.8epss 0.00
grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, does not validate the address provided as part of a memrw command (read_* or write_*) by a guest through a grub2.cfg file. This allows an untrusted guest to perform arbitrary read or write operations in the…
- risk 0.51cvss 7.8epss 0.00
Integer overflow in the bhyve hypervisor in FreeBSD 10.1, 10.2, 10.3, and 11.0 when configured with a large amount of guest memory, allows local users to gain privilege via a crafted device descriptor.
- risk 0.49cvss 7.5epss 0.00
A guest can trigger an infinite loop in the hda audio driver.
- risk 0.49cvss 7.5epss 0.01
In FreeBSD 12.0-STABLE before r350619, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350619, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bhyve e1000 device emulation used a guest-provided value to determine the size of the…
- risk 0.42cvss 6.5epss 0.00
The NVMe driver queue processing is vulernable to guest-induced infinite loops.
- risk 0.42cvss 6.5epss 0.00
The hda driver is vulnerable to a buffer over-read from a guest-controlled value.
- risk 0.42cvss 6.5epss 0.00
The virtio_vq_recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition.
- risk 0.42cvss 6.5epss 0.00
The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer over-read from a guest-controlled value.