Search
Total
388 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-3689 | 3 Canonical, Debian, Qemu | 3 Ubuntu Linux, Debian Linux, Qemu | 2020-08-11 | 7.2 HIGH | N/A |
| The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling. | |||||
| CVE-2013-4344 | 4 Canonical, Opensuse, Qemu and 1 more | 8 Ubuntu Linux, Opensuse, Qemu and 5 more | 2020-08-11 | 7.2 HIGH | N/A |
| Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command. | |||||
| CVE-2019-12068 | 4 Canonical, Debian, Opensuse and 1 more | 4 Ubuntu Linux, Debian Linux, Leap and 1 more | 2020-07-26 | 2.1 LOW | 3.8 LOW |
| In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well. | |||||
| CVE-2019-20382 | 2 Opensuse, Qemu | 2 Leap, Qemu | 2020-07-26 | 2.7 LOW | 3.5 LOW |
| QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd. | |||||
| CVE-2020-10702 | 1 Qemu | 1 Qemu | 2020-07-24 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU. | |||||
| CVE-2020-11869 | 1 Qemu | 1 Qemu | 2020-05-28 | 2.1 LOW | 3.3 LOW |
| An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service. | |||||
| CVE-2019-15034 | 1 Qemu | 1 Qemu | 2020-05-28 | 4.4 MEDIUM | 5.8 MEDIUM |
| hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space. | |||||
| CVE-2016-3712 | 6 Canonical, Citrix, Debian and 3 more | 11 Ubuntu Linux, Xenserver, Debian Linux and 8 more | 2020-05-14 | 2.1 LOW | 5.5 MEDIUM |
| Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. | |||||
| CVE-2016-4439 | 3 Canonical, Debian, Qemu | 3 Ubuntu Linux, Debian Linux, Qemu | 2020-05-14 | 4.6 MEDIUM | 6.7 MEDIUM |
| The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors. | |||||
| CVE-2016-4441 | 3 Canonical, Debian, Qemu | 3 Ubuntu Linux, Debian Linux, Qemu | 2020-05-14 | 2.1 LOW | 6.0 MEDIUM |
| The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command. | |||||
| CVE-2018-16867 | 3 Canonical, Fedoraproject, Qemu | 3 Ubuntu Linux, Fedora, Qemu | 2020-05-14 | 4.4 MEDIUM | 7.8 HIGH |
| A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lead do DoS scenario OR possibly lead to code execution on the host. | |||||
| CVE-2018-16847 | 2 Canonical, Qemu | 2 Ubuntu Linux, Qemu | 2020-05-14 | 4.6 MEDIUM | 7.8 HIGH |
| An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process. | |||||
| CVE-2018-7550 | 4 Canonical, Debian, Qemu and 1 more | 9 Ubuntu Linux, Debian Linux, Qemu and 6 more | 2020-05-14 | 4.6 MEDIUM | 8.8 HIGH |
| The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access. | |||||
| CVE-2018-5683 | 4 Canonical, Debian, Qemu and 1 more | 9 Ubuntu Linux, Debian Linux, Qemu and 6 more | 2020-05-14 | 2.1 LOW | 6.0 MEDIUM |
| The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation. | |||||
| CVE-2016-4454 | 3 Canonical, Debian, Qemu | 3 Ubuntu Linux, Debian Linux, Qemu | 2020-05-14 | 3.6 LOW | 6.0 MEDIUM |
| The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read. | |||||
| CVE-2016-4453 | 3 Canonical, Debian, Qemu | 3 Ubuntu Linux, Debian Linux, Qemu | 2020-05-14 | 4.9 MEDIUM | 4.4 MEDIUM |
| The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command. | |||||
| CVE-2016-4037 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2020-05-14 | 4.9 MEDIUM | 6.0 MEDIUM |
| The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558. | |||||
| CVE-2020-11102 | 1 Qemu | 1 Qemu | 2020-05-13 | 6.8 MEDIUM | 5.6 MEDIUM |
| hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length. | |||||
| CVE-2018-19489 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2020-05-12 | 1.9 LOW | 4.7 MEDIUM |
| v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming. | |||||
| CVE-2018-19364 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2020-05-12 | 2.1 LOW | 5.5 MEDIUM |
| hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome. | |||||
| CVE-2018-20191 | 3 Canonical, Fedoraproject, Qemu | 3 Ubuntu Linux, Fedora, Qemu | 2020-05-12 | 5.0 MEDIUM | 7.5 HIGH |
| hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference). | |||||
| CVE-2018-20124 | 2 Canonical, Qemu | 2 Ubuntu Linux, Qemu | 2020-05-12 | 2.1 LOW | 5.5 MEDIUM |
| hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value. | |||||
| CVE-2018-20125 | 2 Canonical, Qemu | 2 Ubuntu Linux, Qemu | 2020-05-12 | 5.0 MEDIUM | 7.5 HIGH |
| hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings. | |||||
| CVE-2018-20126 | 3 Canonical, Opensuse, Qemu | 3 Ubuntu Linux, Leap, Qemu | 2020-05-12 | 2.1 LOW | 5.5 MEDIUM |
| hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled. | |||||
| CVE-2018-20123 | 3 Canonical, Fedoraproject, Qemu | 3 Ubuntu Linux, Fedora, Qemu | 2020-05-12 | 2.1 LOW | 5.5 MEDIUM |
| pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak after an initialisation error. | |||||
| CVE-2018-20216 | 2 Canonical, Qemu | 2 Ubuntu Linux, Qemu | 2020-05-12 | 5.0 MEDIUM | 7.5 HIGH |
| QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled). | |||||
| CVE-2013-4535 | 2 Qemu, Redhat | 6 Qemu, Enterprise Linux Desktop, Enterprise Linux Server and 3 more | 2020-02-13 | 7.2 HIGH | 8.8 HIGH |
| The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read. | |||||
| CVE-2020-7211 | 3 Libslirp Project, Microsoft, Qemu | 3 Libslirp, Windows, Qemu | 2020-01-23 | 5.0 MEDIUM | 7.5 HIGH |
| tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows. | |||||
| CVE-2013-2016 | 3 Debian, Novell, Qemu | 4 Debian Linux, Open Desktop Server, Open Enterprise Server and 1 more | 2020-01-17 | 6.9 MEDIUM | 7.8 HIGH |
| A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host. | |||||
| CVE-2013-4532 | 3 Canonical, Debian, Qemu | 3 Ubuntu Linux, Debian Linux, Qemu | 2020-01-15 | 4.6 MEDIUM | 7.8 HIGH |
| Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. | |||||
| CVE-2019-20175 | 1 Qemu | 1 Qemu | 2020-01-15 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert." | |||||
| CVE-2016-1714 | 3 Oracle, Qemu, Redhat | 3 Linux, Qemu, Openstack | 2019-12-27 | 6.9 MEDIUM | 8.1 HIGH |
| The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a firmware configuration. | |||||
| CVE-2017-2633 | 2 Qemu, Redhat | 6 Qemu, Enterprise Linux Desktop, Enterprise Linux Server and 3 more | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the 'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process. | |||||
| CVE-2017-15118 | 3 Canonical, Qemu, Redhat | 3 Ubuntu Linux, Qemu, Enterprise Linux | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS. | |||||
| CVE-2017-15119 | 4 Canonical, Debian, Qemu and 1 more | 4 Ubuntu Linux, Debian Linux, Qemu and 1 more | 2019-10-09 | 5.0 MEDIUM | 8.6 HIGH |
| The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS. | |||||
| CVE-2016-9602 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2019-10-09 | 9.0 HIGH | 8.8 HIGH |
| Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. | |||||
| CVE-2017-8284 | 1 Qemu | 1 Qemu | 2019-10-03 | 6.9 MEDIUM | 7.0 HIGH |
| ** DISPUTED ** The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated "this bug does not violate any security guarantees QEMU makes." | |||||
| CVE-2017-15268 | 1 Qemu | 1 Qemu | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c. | |||||
| CVE-2017-13673 | 1 Qemu | 1 Qemu | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function. | |||||
| CVE-2018-10839 | 3 Canonical, Debian, Qemu | 3 Ubuntu Linux, Debian Linux, Qemu | 2019-09-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS. | |||||
| CVE-2019-15890 | 2 Libslirp Project, Qemu | 2 Libslirp, Qemu | 2019-09-20 | 5.0 MEDIUM | 7.5 HIGH |
| libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. | |||||
| CVE-2019-6501 | 2 Fedoraproject, Qemu | 2 Fedora, Qemu | 2019-08-06 | 2.1 LOW | 5.5 MEDIUM |
| In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations. | |||||
| CVE-2018-20815 | 1 Qemu | 1 Qemu | 2019-07-02 | 7.5 HIGH | 9.8 CRITICAL |
| In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk. | |||||
| CVE-2018-18954 | 3 Canonical, Opensuse, Qemu | 3 Ubuntu Linux, Leap, Qemu | 2019-05-31 | 2.1 LOW | 5.5 MEDIUM |
| The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 allows out-of-bounds write or read access to PowerNV memory. | |||||
| CVE-2018-18849 | 4 Canonical, Fedoraproject, Opensuse and 1 more | 4 Ubuntu Linux, Fedora, Leap and 1 more | 2019-05-31 | 2.1 LOW | 5.5 MEDIUM |
| In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value. | |||||
| CVE-2019-3812 | 4 Canonical, Fedoraproject, Opensuse and 1 more | 4 Ubuntu Linux, Fedora, Leap and 1 more | 2019-05-31 | 2.1 LOW | 5.5 MEDIUM |
| QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host. | |||||
| CVE-2019-12247 | 1 Qemu | 1 Qemu | 2019-05-30 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable. | |||||
| CVE-2019-5008 | 1 Qemu | 1 Qemu | 2019-05-14 | 5.0 MEDIUM | 7.5 HIGH |
| hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver. | |||||
| CVE-2014-0143 | 2 Qemu, Redhat | 2 Qemu, Enterprise Linux | 2019-04-22 | 4.4 MEDIUM | 7.0 HIGH |
| Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in the (3) qcow2_snapshot_load_tmp in qcow2-snapshot.c or (4) qcow2_grow_l1_table function in qcow2-cluster.c, (5) a large request in the bdrv_check_byte_request function in block.c and other block drivers, (6) crafted cluster indexes in the get_refcount function in qcow2-refcount.c, or (7) a large number of blocks in the cloop_open function in cloop.c, which trigger buffer overflows, memory corruption, large memory allocations and out-of-bounds read and writes. | |||||
| CVE-2011-4111 | 2 Qemu, Redhat | 3 Qemu, Enterprise Linux, Enterprise Linux Server Supplementary | 2019-04-22 | 6.8 MEDIUM | N/A |
| Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-passthru.c in QEMU before 0.15.2 and 1.x before 1.0-rc4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VSC_ATR message. | |||||