Vendor CVEs
QEMU
All CVEs
438 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-8556 | | Critical | 0.69 | 10.0 | 0.13 | | Mar 24, 2017 | Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1. |
| CVE-2017-16845 | | Critical | 0.65 | 10.0 | 0.03 | | Nov 17, 2017 | hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access. |
| CVE-2018-17963 | | Critical | 0.64 | 9.8 | 0.05 | | Oct 9, 2018 | qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. |
| CVE-2017-8380 | | Critical | 0.64 | 9.8 | 0.04 | | Aug 28, 2017 | Buffer overflow in the "megasas_mmio_write" function in Qemu 2.9.0 allows remote attackers to have unspecified impact via unknown vectors. |
| CVE-2016-7161 | | Critical | 0.64 | 9.8 | 0.06 | | Oct 5, 2016 | Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet. |
| CVE-2016-4002 | | Critical | 0.64 | 9.8 | 0.06 | | Apr 26, 2016 | Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger… |
| CVE-2015-7512 | | Critical | 0.59 | 9.0 | 0.08 | | Jan 8, 2016 | Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet. |
| CVE-2017-15118 | | High | 0.58 | 8.3 | 0.12 | | Jul 27, 2018 | A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If… |
| CVE-2009-3616 | | Critical | 0.58 | 9.9 | 0.04 | | Oct 23, 2009 | Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message… |
| CVE-2018-7550 | | High | 0.57 | 8.8 | 0.01 | | Mar 1, 2018 | The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access. |
| CVE-2015-7504 | | High | 0.57 | 8.8 | 0.01 | | Oct 16, 2017 | Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. |
| CVE-2017-14167 | | High | 0.57 | 8.8 | 0.01 | | Sep 8, 2017 | Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write. |
| CVE-2017-5931 | | High | 0.57 | 8.8 | 0.01 | | Mar 27, 2017 | Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based… |
| CVE-2016-3710 | | High | 0.57 | 8.8 | 0.01 | | May 11, 2016 | The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue. |
| CVE-2016-1568 | | High | 0.57 | 8.8 | 0.01 | | Apr 12, 2016 | Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command. |
| CVE-2016-4001 | | High | 0.56 | 8.6 | 0.05 | | May 23, 2016 | Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet. |
| CVE-2015-1779 | | High | 0.56 | 8.6 | 0.07 | | Jan 12, 2016 | The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section. |
| CVE-2016-2857 | | High | 0.55 | 8.4 | 0.01 | | Apr 12, 2016 | The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet. |
| CVE-2024-3446 | | High | 0.53 | 8.2 | 0.00 | | Apr 9, 2024 | A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU… |
| CVE-2018-11806 | | High | 0.53 | 8.2 | 0.01 | | Jun 13, 2018 | m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. |
| CVE-2016-1714 | | High | 0.53 | 8.1 | 0.06 | | Apr 7, 2016 | The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access… |
| CVE-2024-4467 | | High | 0.51 | 7.8 | 0.00 | | Jul 2, 2024 | A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial… |
| CVE-2014-0145 | | High | 0.51 | 7.8 | 0.01 | | Aug 10, 2017 | Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, allow local users to cause a denial of service (crash) or possibly execute arbitrary code via a large (1) L1 table in the qcow2_snapshot_load_tmp in the QCOW 2 block driver (block/qcow2-snapshot.c) or (2)… |
| CVE-2017-7980 | | High | 0.51 | 7.8 | 0.01 | | Jul 25, 2017 | Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation. |
| CVE-2017-7493 | | High | 0.51 | 7.8 | 0.00 | | May 17, 2017 | Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to… |
| CVE-2015-8666 | | High | 0.51 | 7.9 | 0.00 | | Apr 11, 2017 | Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator. |
| CVE-2016-5338 | | High | 0.51 | 7.8 | 0.01 | | Jun 14, 2016 | The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer. |
| CVE-2016-5126 | | High | 0.51 | 7.8 | 0.01 | | Jun 1, 2016 | Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call. |
| CVE-2015-8567 | | High | 0.50 | 7.7 | 0.06 | | Apr 13, 2017 | Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption). |
| CVE-2024-7409 | | High | 0.49 | 7.5 | 0.01 | | Aug 5, 2024 | A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. |
| CVE-2018-17962 | | High | 0.49 | 7.5 | 0.04 | | Oct 9, 2018 | Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. |
| CVE-2018-17958 | | High | 0.49 | 7.5 | 0.06 | | Oct 9, 2018 | Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used. |
| CVE-2017-15124 | | High | 0.49 | 7.5 | 0.03 | | Jan 9, 2018 | VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing… |
| CVE-2017-15268 | | High | 0.49 | 7.5 | 0.04 | | Oct 12, 2017 | Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c. |
| CVE-2017-13711 | | High | 0.49 | 7.5 | 0.04 | | Sep 1, 2017 | Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets. |
| CVE-2017-10664 | | High | 0.49 | 7.5 | 0.04 | | Aug 2, 2017 | qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt. |
| CVE-2017-9524 | | High | 0.49 | 7.5 | 0.04 | | Jul 6, 2017 | The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs before… |
| CVE-2017-8309 | | High | 0.49 | 7.5 | 0.05 | | May 23, 2017 | Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture. |
| CVE-2015-8619 | | High | 0.49 | 7.5 | 0.04 | | Apr 13, 2017 | The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash). |
| CVE-2017-6058 | | High | 0.49 | 7.5 | 0.04 | | Mar 20, 2017 | Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN… |
| CVE-2016-9381 | | High | 0.49 | 7.5 | 0.00 | | Jan 23, 2017 | Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability. |
| CVE-2015-6855 | | High | 0.49 | 7.5 | 0.04 | | Nov 6, 2015 | hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty… |
| CVE-2014-0143 | | High | 0.46 | 7.0 | 0.00 | | Aug 10, 2017 | Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in… |
| CVE-2017-8284 | | High | 0.46 | 7.0 | 0.00 | | Apr 26, 2017 | The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid… |
| CVE-2015-8743 | | High | 0.46 | 7.1 | 0.00 | | Dec 29, 2016 | QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes. |
| CVE-2016-2538 | | High | 0.46 | 7.1 | 0.00 | | Jun 16, 2016 | Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that… |
| CVE-2016-6351 | | Medium | 0.44 | 6.7 | 0.00 | | Sep 7, 2016 | The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU… |
| CVE-2016-4439 | | Medium | 0.44 | 6.7 | 0.00 | | May 20, 2016 | The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially… |
| CVE-2016-9602 | | High | 0.43 | 7.6 | 0.04 | | Apr 26, 2018 | Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. |
| CVE-2026-0665 | | Medium | 0.42 | 6.5 | 0.00 | | Feb 18, 2026 | An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption. |
Page 1 of 9