VYPR

Vendor CVEs

QEMU

All CVEs

438 total · sorted by risk
  • CVE-2020-12829 · Aug 31, 2020
    risk 0.00 · cvss · epss 0.00

    In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU…

  • CVE-2020-14415 · Aug 27, 2020
    risk 0.00 · cvss · epss 0.00

    oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position.

  • CVE-2020-16092 · Aug 11, 2020
    risk 0.00 · cvss · epss 0.00

    In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition…

  • CVE-2020-15863 · Jul 28, 2020
    risk 0.00 · cvss · epss 0.00

    hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host,…

  • CVE-2020-15859 · Jul 21, 2020
    risk 0.00 · cvss · epss 0.00

    QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.

  • CVE-2020-10756 · Jul 9, 2020
    risk 0.00 · cvss · epss 0.01

    An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents…

  • CVE-2020-15469 · Jul 2, 2020
    risk 0.00 · cvss · epss 0.00

    In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.

  • CVE-2020-10761 · Jun 9, 2020
    risk 0.00 · cvss · epss 0.02

    An assertion failure issue was found in the Network Block Device(NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use…

  • CVE-2020-10702 · Jun 4, 2020
    risk 0.00 · cvss · epss 0.00

    A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same…

  • CVE-2020-13765 · Jun 4, 2020
    risk 0.00 · cvss · epss 0.02

    rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.

  • CVE-2020-13791 · Jun 4, 2020
    risk 0.00 · cvss · epss 0.00

    hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.

  • CVE-2020-13800 · Jun 4, 2020
    risk 0.00 · cvss · epss 0.00

    ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.

  • CVE-2020-13754 · Jun 2, 2020
    risk 0.00 · cvss · epss 0.00

    hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.

  • CVE-2020-13659 · Jun 2, 2020
    risk 0.00 · cvss · epss 0.00

    address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.

  • CVE-2020-13362 · May 28, 2020
    risk 0.00 · cvss · epss 0.00

    In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.

  • CVE-2020-13361 · May 28, 2020
    risk 0.00 · cvss · epss 0.00

    In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.

  • CVE-2020-13253 · May 27, 2020
    risk 0.00 · cvss · epss 0.00

    sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.

  • CVE-2020-10717 · May 4, 2020
    risk 0.00 · cvss · epss 0.00

    A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system directory with a guest via virtio-fs device. If the guest opens the maximum number of file descriptors…

  • CVE-2020-11869 · Apr 27, 2020
    risk 0.00 · cvss · epss 0.00

    An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this…

  • CVE-2020-11102 · Apr 6, 2020
    risk 0.00 · cvss · epss 0.02

    hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length.

  • CVE-2019-15034 · Mar 10, 2020
    risk 0.00 · cvss · epss 0.00

    hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space.

  • CVE-2019-20382 · Mar 5, 2020
    risk 0.00 · cvss · epss 0.01

    QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.

  • CVE-2020-1711 · Feb 11, 2020
    risk 0.00 · cvss · epss 0.04

    An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote…

  • CVE-2013-4535 · Feb 11, 2020
    risk 0.00 · cvss · epss 0.01

    The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read.

  • CVE-2014-0148 · Feb 11, 2020
    risk 0.00 · cvss · epss 0.00

    The block driver for Hyper-V VHDX images in QEMU before 2.0 is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for the block_size and logical_sector_size variables. These are used to derive other fields like…

  • CVE-2014-0147 · Feb 11, 2020
    risk 0.00 · cvss · epss 0.00

    The block drivers in QEMU before 1.6.2 for the disk image formats used by Bochs and for the QCOW version 2 format are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount()…

  • CVE-2014-0144 · Feb 11, 2020
    risk 0.00 · cvss · epss 0.01

    QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host…

  • CVE-2015-6815 · Jan 31, 2020
    risk 0.00 · cvss · epss 0.01

    The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.

  • CVE-2015-5239 · Jan 23, 2020
    risk 0.00 · cvss · epss 0.04

    Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attackers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.

  • CVE-2015-5278 · Jan 23, 2020
    risk 0.00 · cvss · epss 0.02

    The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets.

  • CVE-2015-5745 · Jan 23, 2020
    risk 0.00 · cvss · epss 0.03

    Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.

  • CVE-2013-4532 · Jan 2, 2020
    risk 0.00 · cvss · epss 0.00

    QEMU 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

  • CVE-2019-20175 · Dec 31, 2019
    risk 0.00 · cvss · epss 0.03

    An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a…

  • CVE-2013-2016 · Dec 30, 2019
    risk 0.00 · cvss · epss 0.01

    A flaw was found in the way QEMU v1.3.0 and later (virtio-rng) validates addresses when a guest accesses the config space of a virtio device. If the virtio device has a zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the…

  • CVE-2019-12068 · Sep 24, 2019
    risk 0.00 · cvss · epss 0.01

    In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to…

  • CVE-2019-13164 · Jul 3, 2019
    risk 0.00 · cvss · epss 0.01

    qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.

  • CVE-2019-12929 · Jun 24, 2019
    risk 0.00 · cvss · epss 0.05

    The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a…

  • CVE-2019-9824 · Jun 3, 2019
    risk 0.00 · cvss · epss 0.01

    tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to information disclosure.

  • CVE-2018-20815 · May 31, 2019
    risk 0.00 · cvss · epss 0.04

    In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk.

  • CVE-2019-12155 · May 24, 2019
    risk 0.00 · cvss · epss 0.06

    interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference.

  • CVE-2019-12247 · May 22, 2019
    risk 0.00 · cvss · epss 0.03

    QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable

  • CVE-2019-5008 · Apr 19, 2019
    risk 0.00 · cvss · epss 0.03

    hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver.

  • CVE-2018-18849 · Mar 17, 2019
    risk 0.00 · cvss · epss 0.01

    In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value.

  • CVE-2019-8934 · Mar 17, 2019
    risk 0.00 · cvss · epss 0.01

    hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.

  • CVE-2019-6778 · Mar 17, 2019
    risk 0.00 · cvss · epss 0.01

    In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.

  • CVE-2019-6501 · Mar 17, 2019
    risk 0.00 · cvss · epss 0.01

    In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations.

  • CVE-2019-3812 · Feb 19, 2019
    risk 0.00 · cvss · epss 0.00

    QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the…

  • CVE-2018-20191 · Dec 20, 2018
    risk 0.00 · cvss · epss 0.04

    hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference).

  • CVE-2018-20124 · Dec 20, 2018
    risk 0.00 · cvss · epss 0.00

    hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value.

  • CVE-2018-20216 · Dec 20, 2018
    risk 0.00 · cvss · epss 0.04

    QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled).
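Several entries in this list share one shape: a guest-supplied MMIO or config-space offset is used to index a fixed-size device array without checking that the whole access fits (CVE-2020-13791 in hw/pci/pci.c with an address near the end of config space, CVE-2020-13754 in hw/pci/msix.c, CVE-2020-13253 in hw/sd/sd.c). The C program below is an added illustration of that bug class and its fix; it is not QEMU code. The demo_ names, the 256-byte config array, the allowed access widths and the all-ones value returned for a rejected read are assumptions made for the example.

```c
/* Added illustration, not QEMU code: bounds-checking a guest-controlled
 * PCI config-space access. Names prefixed demo_ are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Conventional PCI config space is 256 bytes; PCIe extends it to 4096. */
#define DEMO_CONFIG_SIZE 256u

struct demo_pci_dev {
    uint8_t config[DEMO_CONFIG_SIZE];
};

/* Vulnerable pattern: only the start offset is checked, so a 4-byte
 * access at offset 254 touches two bytes past the end of config[]. */
static bool demo_config_in_bounds_bad(uint32_t addr, uint32_t len)
{
    (void)len;
    return addr < DEMO_CONFIG_SIZE;
}

/* Hardened pattern: the access width must be one the bus allows and the
 * whole range [addr, addr + len) must fit. Comparing len against the
 * remaining space instead of computing addr + len avoids the wrap-around
 * a guest can force by choosing addr close to UINT32_MAX. */
static bool demo_config_in_bounds(uint32_t addr, uint32_t len)
{
    if (len != 1 && len != 2 && len != 4) {
        return false;
    }
    if (addr >= DEMO_CONFIG_SIZE) {
        return false;
    }
    return len <= DEMO_CONFIG_SIZE - addr;
}

/* Little-endian read through the hardened check. A rejected access
 * returns all-ones, which is what an unclaimed PCI read yields on real
 * hardware (a choice made for this demo, not QEMU's behaviour). */
static uint32_t demo_config_read(const struct demo_pci_dev *dev,
                                 uint32_t addr, uint32_t len)
{
    uint32_t val = 0;

    if (!demo_config_in_bounds(addr, len)) {
        return 0xffffffffu;
    }
    for (uint32_t i = 0; i < len; i++) {
        val |= (uint32_t)dev->config[addr + i] << (8 * i);
    }
    return val;
}

/* Reads from a constructed device whose config byte i holds the value i,
 * so the returned word shows exactly which bytes were read. */
static uint32_t demo_read_sample(uint32_t addr, uint32_t len)
{
    struct demo_pci_dev dev;

    for (uint32_t i = 0; i < DEMO_CONFIG_SIZE; i++) {
        dev.config[i] = (uint8_t)i;
    }
    return demo_config_read(&dev, addr, len);
}

int main(void)
{
    /* A guest asking for 4 bytes at offset 254: the start-only check
     * admits it, the range check does not. */
    printf("start-only check admits 254/4: %d\n",
           demo_config_in_bounds_bad(254, 4));
    printf("range check admits 254/4:      %d\n",
           demo_config_in_bounds(254, 4));
    printf("read 252/4 -> 0x%08x\n", demo_read_sample(252, 4));
    printf("read 254/4 -> 0x%08x\n", demo_read_sample(254, 4));
    return 0;
}
```

The subtraction form of the final comparison is the part worth copying: `addr + len <= size` is the natural way to write the check, and it is exactly the form a guest can defeat by wrapping the sum.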
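CVE-2019-13164 above describes a different kind of missing length check: qemu-bridge-helper compared a requested bridge name against its ACL without limiting it to IFNAMSIZ, while the kernel only ever acts on the first IFNAMSIZ-1 characters of an interface name, so the string that was checked and the string that was used could differ. The C program below is an added example modelling that mismatch; it is not the helper's own code. The deny-list ACL is constructed for the example, demo_kernel_view() is a hypothetical stand-in for the kernel's truncation, and the demo_ names are assumptions.

```c
/* Added illustration, not qemu-bridge-helper code. IFNAMSIZ on Linux is
 * 16, i.e. 15 characters plus the terminating NUL. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifndef IFNAMSIZ
#define IFNAMSIZ 16
#endif

/* Constructed deny-list ACL, as an admin might write "deny <name>" lines.
 * The first entry is exactly IFNAMSIZ-1 characters long. */
static const char *const demo_denied[] = { "internalbridge0", "mgmt0" };

/* What the kernel ends up acting on: ifr_name holds at most IFNAMSIZ-1
 * characters, so a longer request is silently cut at that length. */
static void demo_kernel_view(const char *req, char out[IFNAMSIZ])
{
    snprintf(out, IFNAMSIZ, "%s", req);
}

static bool demo_acl_denies(const char *name)
{
    for (size_t i = 0; i < sizeof demo_denied / sizeof demo_denied[0]; i++) {
        if (strcmp(name, demo_denied[i]) == 0) {
            return true;
        }
    }
    return false;
}

/* Vulnerable pattern: the ACL is evaluated on the untruncated request. */
static bool demo_helper_allows_bad(const char *req)
{
    return !demo_acl_denies(req);
}

/* Hardened pattern: refuse any name the kernel could not represent
 * unchanged, so the checked string and the used string are identical. */
static bool demo_helper_allows(const char *req)
{
    if (strlen(req) >= IFNAMSIZ) {
        return false;
    }
    return !demo_acl_denies(req);
}

/* True when the helper admitted the request but the interface the kernel
 * would actually use is one the ACL denies: the bypass condition. */
static bool demo_bypass(bool (*helper)(const char *), const char *req)
{
    char used[IFNAMSIZ];

    if (!helper(req)) {
        return false;
    }
    demo_kernel_view(req, used);
    return demo_acl_denies(used);
}

int main(void)
{
    /* 16 characters: one more than the kernel keeps. */
    const char *req = "internalbridge0x";

    printf("unbounded check bypassed: %d\n",
           demo_bypass(demo_helper_allows_bad, req));
    printf("length-checked bypassed:  %d\n",
           demo_bypass(demo_helper_allows, req));
    return 0;
}
```

The general lesson is the same as for any check done on a copy of attacker-controlled input: validate the exact bytes the privileged operation will consume, and reject anything the downstream consumer would silently reshape.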

Page 7 of 9