VYPR

Vendor CVEs

QEMU

All CVEs

438 total · sorted by risk
  • CVE-2015-8556CriMar 24, 2017
    risk 0.69cvss 10.0epss 0.13

    Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1.

  • CVE-2017-16845CriNov 17, 2017
    risk 0.65cvss 10.0epss 0.03

    hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.

  • CVE-2018-17963CriOct 9, 2018
    risk 0.64cvss 9.8epss 0.05

    qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.

  • CVE-2017-8380CriAug 28, 2017
    risk 0.64cvss 9.8epss 0.04

    Buffer overflow in the "megasas_mmio_write" function in Qemu 2.9.0 allows remote attackers to have unspecified impact via unknown vectors.

  • CVE-2016-7161CriOct 5, 2016
    risk 0.64cvss 9.8epss 0.06

    Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.

  • CVE-2016-4002CriApr 26, 2016
    risk 0.64cvss 9.8epss 0.06

    Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger…

  • CVE-2015-7512CriJan 8, 2016
    risk 0.59cvss 9.0epss 0.08

    Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.

  • CVE-2017-15118HigJul 27, 2018
    risk 0.58cvss 8.3epss 0.12

    A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If…

  • CVE-2009-3616CriOct 23, 2009
    risk 0.58cvss 9.9epss 0.04

    Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message…

  • CVE-2018-7550HigMar 1, 2018
    risk 0.57cvss 8.8epss 0.01

    The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access.

  • CVE-2015-7504HigOct 16, 2017
    risk 0.57cvss 8.8epss 0.01

    Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.

  • CVE-2017-14167HigSep 8, 2017
    risk 0.57cvss 8.8epss 0.01

    Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write.

  • CVE-2017-5931HigMar 27, 2017
    risk 0.57cvss 8.8epss 0.01

    Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based…

  • CVE-2016-3710HigMay 11, 2016
    risk 0.57cvss 8.8epss 0.01

    The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.

  • CVE-2016-1568HigApr 12, 2016
    risk 0.57cvss 8.8epss 0.01

    Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.

  • CVE-2016-4001HigMay 23, 2016
    risk 0.56cvss 8.6epss 0.05

    Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.

  • CVE-2015-1779HigJan 12, 2016
    risk 0.56cvss 8.6epss 0.07

    The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.

  • CVE-2016-2857HigApr 12, 2016
    risk 0.55cvss 8.4epss 0.01

    The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.

  • CVE-2024-3446HigApr 9, 2024
    risk 0.53cvss 8.2epss 0.00

    A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU…

  • CVE-2018-11806HigJun 13, 2018
    risk 0.53cvss 8.2epss 0.01

    m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.

  • CVE-2016-1714HigApr 7, 2016
    risk 0.53cvss 8.1epss 0.06

    The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access…

  • CVE-2024-4467HigJul 2, 2024
    risk 0.51cvss 7.8epss 0.00

    A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial…

  • CVE-2014-0145HigAug 10, 2017
    risk 0.51cvss 7.8epss 0.01

    Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, allow local users to cause a denial of service (crash) or possibly execute arbitrary code via a large (1) L1 table in the qcow2_snapshot_load_tmp in the QCOW 2 block driver (block/qcow2-snapshot.c) or (2)…

  • CVE-2017-7980HigJul 25, 2017
    risk 0.51cvss 7.8epss 0.01

    Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation.

  • CVE-2017-7493HigMay 17, 2017
    risk 0.51cvss 7.8epss 0.00

    Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to…

  • CVE-2015-8666HigApr 11, 2017
    risk 0.51cvss 7.9epss 0.00

    Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator.

  • CVE-2016-5338HigJun 14, 2016
    risk 0.51cvss 7.8epss 0.01

    The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer.

  • CVE-2016-5126HigJun 1, 2016
    risk 0.51cvss 7.8epss 0.01

    Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call.

  • CVE-2015-8567HigApr 13, 2017
    risk 0.50cvss 7.7epss 0.06

    Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption).

  • CVE-2024-7409HigAug 5, 2024
    risk 0.49cvss 7.5epss 0.01

    A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.

  • CVE-2018-17962HigOct 9, 2018
    risk 0.49cvss 7.5epss 0.04

    Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used.

  • CVE-2018-17958HigOct 9, 2018
    risk 0.49cvss 7.5epss 0.06

    Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used.

  • CVE-2017-15124HigJan 9, 2018
    risk 0.49cvss 7.5epss 0.03

    VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing…

  • CVE-2017-15268HigOct 12, 2017
    risk 0.49cvss 7.5epss 0.04

    Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c.

  • CVE-2017-13711HigSep 1, 2017
    risk 0.49cvss 7.5epss 0.04

    Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets.

  • CVE-2017-10664HigAug 2, 2017
    risk 0.49cvss 7.5epss 0.04

    qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt.

  • CVE-2017-9524HigJul 6, 2017
    risk 0.49cvss 7.5epss 0.04

    The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs before…

  • CVE-2017-8309HigMay 23, 2017
    risk 0.49cvss 7.5epss 0.05

    Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture.

  • CVE-2015-8619HigApr 13, 2017
    risk 0.49cvss 7.5epss 0.04

    The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash).

  • CVE-2017-6058HigMar 20, 2017
    risk 0.49cvss 7.5epss 0.04

    Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN…

  • CVE-2016-9381HigJan 23, 2017
    risk 0.49cvss 7.5epss 0.00

    Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability.

  • CVE-2015-6855HigNov 6, 2015
    risk 0.49cvss 7.5epss 0.04

    hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty…

  • CVE-2014-0143HigAug 10, 2017
    risk 0.46cvss 7.0epss 0.00

    Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in…

  • CVE-2017-8284HigApr 26, 2017
    risk 0.46cvss 7.0epss 0.00

    The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid…

  • CVE-2015-8743HigDec 29, 2016
    risk 0.46cvss 7.1epss 0.00

    QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes.

  • CVE-2016-2538HigJun 16, 2016
    risk 0.46cvss 7.1epss 0.00

    Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that…

  • CVE-2016-6351MedSep 7, 2016
    risk 0.44cvss 6.7epss 0.00

    The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU…

  • CVE-2016-4439MedMay 20, 2016
    risk 0.44cvss 6.7epss 0.00

    The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially…

  • CVE-2016-9602HigApr 26, 2018
    risk 0.43cvss 7.6epss 0.04

    Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.

  • CVE-2026-0665MedFeb 18, 2026
    risk 0.42cvss 6.5epss 0.00

    An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption.

Page 1 of 9