Vendor CVEs
QEMU
All CVEs
438 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-12829 | QEMU | | 0.00 | — | 0.00 | | Aug 31, 2020 | In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU… |
| CVE-2020-14415 | QEMU | | 0.00 | — | 0.00 | | Aug 27, 2020 | oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position. |
| CVE-2020-16092 | QEMU | | 0.00 | — | 0.00 | | Aug 11, 2020 | In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition… |
| CVE-2020-15863 | QEMU | | 0.00 | — | 0.00 | | Jul 28, 2020 | hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host,… |
| CVE-2020-15859 | QEMU | | 0.00 | — | 0.00 | | Jul 21, 2020 | QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address. |
| CVE-2020-10756 | QEMU | | 0.00 | — | 0.01 | | Jul 9, 2020 | An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents… |
| CVE-2020-15469 | QEMU | | 0.00 | — | 0.00 | | Jul 2, 2020 | In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference. |
| CVE-2020-10761 | QEMU | | 0.00 | — | 0.02 | | Jun 9, 2020 | An assertion failure issue was found in the Network Block Device (NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use… |
| CVE-2020-10702 | QEMU | | 0.00 | — | 0.00 | | Jun 4, 2020 | A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same… |
| CVE-2020-13765 | QEMU | | 0.00 | — | 0.02 | | Jun 4, 2020 | rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation. |
| CVE-2020-13791 | QEMU | | 0.00 | — | 0.00 | | Jun 4, 2020 | hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space. |
| CVE-2020-13800 | QEMU | | 0.00 | — | 0.00 | | Jun 4, 2020 | ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call. |
| CVE-2020-13754 | QEMU | | 0.00 | — | 0.00 | | Jun 2, 2020 | hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. |
| CVE-2020-13659 | QEMU | | 0.00 | — | 0.00 | | Jun 2, 2020 | address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer. |
| CVE-2020-13362 | QEMU | | 0.00 | — | 0.00 | | May 28, 2020 | In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. |
| CVE-2020-13361 | QEMU | | 0.00 | — | 0.00 | | May 28, 2020 | In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation. |
| CVE-2020-13253 | QEMU | | 0.00 | — | 0.00 | | May 27, 2020 | sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process. |
| CVE-2020-10717 | QEMU | | 0.00 | — | 0.00 | | May 4, 2020 | A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system directory with a guest via virtio-fs device. If the guest opens the maximum number of file descriptors… |
| CVE-2020-11869 | QEMU | | 0.00 | — | 0.00 | | Apr 27, 2020 | An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this… |
| CVE-2020-11102 | QEMU | | 0.00 | — | 0.02 | | Apr 6, 2020 | hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length. |
| CVE-2019-15034 | QEMU | | 0.00 | — | 0.00 | | Mar 10, 2020 | hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space. |
| CVE-2019-20382 | QEMU | | 0.00 | — | 0.01 | | Mar 5, 2020 | QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd. |
| CVE-2020-1711 | QEMU | | 0.00 | — | 0.04 | | Feb 11, 2020 | An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote… |
| CVE-2013-4535 | QEMU | | 0.00 | — | 0.01 | | Feb 11, 2020 | The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read. |
| CVE-2014-0148 | QEMU | | 0.00 | — | 0.00 | | Feb 11, 2020 | Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like… |
| CVE-2014-0147 | QEMU | | 0.00 | — | 0.00 | | Feb 11, 2020 | Qemu before 1.6.2 block drivers for the various disk image formats used by Bochs and for the QCOW version 2 format are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount()… |
| CVE-2014-0144 | QEMU | | 0.00 | — | 0.01 | | Feb 11, 2020 | QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host… |
| CVE-2015-6815 | QEMU | | 0.00 | — | 0.01 | | Jan 31, 2020 | The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors. |
| CVE-2015-5239 | QEMU | | 0.00 | — | 0.04 | | Jan 23, 2020 | Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attackers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop. |
| CVE-2015-5278 | QEMU | | 0.00 | — | 0.02 | | Jan 23, 2020 | The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets. |
| CVE-2015-5745 | QEMU | | 0.00 | — | 0.03 | | Jan 23, 2020 | Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message. |
| CVE-2013-4532 | QEMU | | 0.00 | — | 0.00 | | Jan 2, 2020 | Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. |
| CVE-2019-20175 | QEMU | | 0.00 | — | 0.03 | | Dec 31, 2019 | An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a… |
| CVE-2013-2016 | QEMU | | 0.00 | — | 0.01 | | Dec 30, 2019 | A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the… |
| CVE-2019-12068 | QEMU | | 0.00 | — | 0.01 | | Sep 24, 2019 | In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to… |
| CVE-2019-13164 | QEMU | | 0.00 | — | 0.01 | | Jul 3, 2019 | qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass. |
| CVE-2019-12929 | QEMU | | 0.00 | — | 0.05 | | Jun 24, 2019 | The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a… |
| CVE-2019-9824 | QEMU | | 0.00 | — | 0.01 | | Jun 3, 2019 | tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to information disclosure. |
| CVE-2018-20815 | QEMU | | 0.00 | — | 0.04 | | May 31, 2019 | In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk. |
| CVE-2019-12155 | QEMU | | 0.00 | — | 0.06 | | May 24, 2019 | interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference. |
| CVE-2019-12247 | QEMU | | 0.00 | — | 0.03 | | May 22, 2019 | QEMU 3.0.0 has an integer overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable. |
| CVE-2019-5008 | QEMU | | 0.00 | — | 0.03 | | Apr 19, 2019 | hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver. |
| CVE-2018-18849 | QEMU | | 0.00 | — | 0.01 | | Mar 17, 2019 | In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value. |
| CVE-2019-8934 | QEMU | | 0.00 | — | 0.01 | | Mar 17, 2019 | hw/ppc/spapr.c in QEMU through 3.1.0 allows information exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest. |
| CVE-2019-6778 | QEMU | | 0.00 | — | 0.01 | | Mar 17, 2019 | In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow. |
| CVE-2019-6501 | QEMU | | 0.00 | — | 0.01 | | Mar 17, 2019 | In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations. |
| CVE-2019-3812 | QEMU | | 0.00 | — | 0.00 | | Feb 19, 2019 | QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the… |
| CVE-2018-20191 | QEMU | | 0.00 | — | 0.04 | | Dec 20, 2018 | hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference). |
| CVE-2018-20124 | QEMU | | 0.00 | — | 0.00 | | Dec 20, 2018 | hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value. |
| CVE-2018-20216 | QEMU | | 0.00 | — | 0.04 | | Dec 20, 2018 | QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled). |
Page 7 of 9