Search
Total
388 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-3019 | 2 Qemu, Redhat | 2 Qemu, Enterprise Linux | 2024-01-10 | N/A | 6.5 MEDIUM |
| A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. | |||||
| CVE-2023-6693 | 2 Qemu, Redhat | 2 Qemu, Enterprise Linux | 2024-01-08 | N/A | 5.3 MEDIUM |
| A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak. | |||||
| CVE-2023-2680 | 2 Qemu, Redhat | 2 Qemu, Enterprise Linux | 2023-12-28 | N/A | 8.2 HIGH |
| This CVE exists because of an incomplete fix for CVE-2021-3750. More specifically, the qemu-kvm package as released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 included a version of qemu-kvm that was actually missing the fix for CVE-2021-3750. | |||||
| CVE-2023-4135 | 2 Fedoraproject, Qemu | 2 Fedora, Qemu | 2023-12-11 | N/A | 6.5 MEDIUM |
| A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed. | |||||
| CVE-2023-40360 | 1 Qemu | 1 Qemu | 2023-12-11 | N/A | 5.5 MEDIUM |
| QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled. | |||||
| CVE-2023-2861 | 1 Qemu | 1 Qemu | 2023-12-11 | N/A | 7.1 HIGH |
| A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder. | |||||
| CVE-2023-5088 | 2 Qemu, Redhat | 2 Qemu, Enterprise Linux | 2023-12-08 | N/A | 7.0 HIGH |
| A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot. | |||||
| CVE-2021-3947 | 1 Qemu | 1 Qemu | 2023-11-21 | 2.1 LOW | 5.5 MEDIUM |
| A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information. | |||||
| CVE-2023-0330 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2023-11-15 | N/A | 6.0 MEDIUM |
| A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free. | |||||
| CVE-2022-36648 | 1 Qemu | 1 Qemu | 2023-08-26 | N/A | 10.0 CRITICAL |
| The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. | |||||
| CVE-2023-3180 | 1 Qemu | 1 Qemu | 2023-08-08 | N/A | 6.5 MEDIUM |
| A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ. | |||||
| CVE-2023-1386 | 2 Fedoraproject, Qemu | 2 Fedora, Qemu | 2023-08-01 | N/A | 7.8 HIGH |
| A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host. | |||||
| CVE-2022-35414 | 1 Qemu | 1 Qemu | 2022-07-18 | 6.1 MEDIUM | 8.8 HIGH |
| softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. | |||||
| CVE-2021-3611 | 2 Qemu, Redhat | 2 Qemu, Enterprise Linux | 2022-06-24 | 2.1 LOW | 6.5 MEDIUM |
| A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU versions prior to 7.0.0. | |||||
| CVE-2021-3750 | 2 Qemu, Redhat | 2 Qemu, Enterprise Linux | 2022-06-24 | 4.6 MEDIUM | 8.2 HIGH |
| A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0. | |||||
| CVE-2015-5239 | 5 Arista, Canonical, Fedoraproject and 2 more | 8 Eos, Ubuntu Linux, Fedora and 5 more | 2022-06-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop. | |||||
| CVE-2021-3638 | 1 Qemu | 1 Qemu | 2022-06-03 | 2.1 LOW | 6.5 MEDIUM |
| An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service. | |||||
| CVE-2022-26353 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2022-06-03 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0. | |||||
| CVE-2021-20255 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2022-06-03 | 2.1 LOW | 5.5 MEDIUM |
| A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-20203 | 3 Debian, Fedoraproject, Qemu | 3 Debian Linux, Fedora, Qemu | 2022-06-01 | 2.1 LOW | 3.2 LOW |
| An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. | |||||
| CVE-2021-20295 | 1 Qemu | 1 Qemu | 2022-05-19 | 2.1 LOW | 6.5 MEDIUM |
| It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). CVE-2021-20295 was assigned to that Red Hat specific security regression. For more details about the original security issue CVE-2020-10756, refer to bug 1835986 or the CVE page: https://access.redhat.com/security/cve/CVE-2020-10756. | |||||
| CVE-2020-35505 | 1 Qemu | 1 Qemu | 2022-05-13 | 2.1 LOW | 4.4 MEDIUM |
| A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2020-35504 | 2 Fedoraproject, Qemu | 2 Fedora, Qemu | 2022-05-13 | 2.1 LOW | 6.0 MEDIUM |
| A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2019-12067 | 4 Debian, Fedoraproject, Qemu and 1 more | 5 Debian Linux, Fedora, Qemu and 2 more | 2022-05-13 | 2.1 LOW | 6.5 MEDIUM |
| The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null. | |||||
| CVE-2020-27661 | 1 Qemu | 1 Qemu | 2022-05-13 | 2.1 LOW | 6.5 MEDIUM |
| A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-dwc2.c in the hcd-dwc2 USB host controller emulation of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service. | |||||
| CVE-2020-35503 | 2 Fedoraproject, Qemu | 2 Fedora, Qemu | 2022-05-13 | 2.1 LOW | 6.0 MEDIUM |
| A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-3930 | 3 Debian, Qemu, Redhat | 10 Debian Linux, Qemu, Codeready Linux Builder and 7 more | 2022-05-13 | 2.1 LOW | 6.5 MEDIUM |
| An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition. | |||||
| CVE-2021-3748 | 5 Canonical, Debian, Fedoraproject and 2 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2022-05-13 | 7.2 HIGH | 8.8 HIGH |
| A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. | |||||
| CVE-2021-20257 | 3 Fedoraproject, Qemu, Redhat | 7 Fedora, Qemu, Codeready Linux Builder and 4 more | 2022-05-12 | 2.1 LOW | 6.5 MEDIUM |
| An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2022-26354 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2022-05-12 | 2.1 LOW | 3.2 LOW |
| A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0. | |||||
| CVE-2021-3607 | 2 Fedoraproject, Qemu | 2 Fedora, Qemu | 2022-05-10 | 4.9 MEDIUM | 6.0 MEDIUM |
| An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-3608 | 2 Fedoraproject, Qemu | 2 Fedora, Qemu | 2022-05-10 | 4.9 MEDIUM | 6.0 MEDIUM |
| A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-4207 | 3 Debian, Qemu, Redhat | 3 Debian Linux, Qemu, Enterprise Linux | 2022-05-10 | 4.6 MEDIUM | 8.8 HIGH |
| A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. | |||||
| CVE-2021-4206 | 3 Debian, Qemu, Redhat | 3 Debian Linux, Qemu, Enterprise Linux | 2022-05-10 | 4.6 MEDIUM | 8.2 HIGH |
| A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. | |||||
| CVE-2022-1050 | 1 Qemu | 1 Qemu | 2022-04-29 | 4.6 MEDIUM | 8.8 HIGH |
| A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition. | |||||
| CVE-2021-3582 | 1 Qemu | 1 Qemu | 2022-04-29 | 2.1 LOW | 6.5 MEDIUM |
| A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2020-13800 | 3 Canonical, Opensuse, Qemu | 3 Ubuntu Linux, Leap, Qemu | 2022-04-28 | 4.9 MEDIUM | 6.0 MEDIUM |
| ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call. | |||||
| CVE-2021-20181 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2022-04-26 | 6.9 MEDIUM | 7.5 HIGH |
| A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. | |||||
| CVE-2021-20196 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2022-04-26 | 2.1 LOW | 6.5 MEDIUM |
| A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-3409 | 4 Debian, Fedoraproject, Qemu and 1 more | 4 Debian Linux, Fedora, Qemu and 1 more | 2022-04-26 | 4.6 MEDIUM | 5.7 MEDIUM |
| The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. | |||||
| CVE-2021-3392 | 3 Debian, Fedoraproject, Qemu | 3 Debian Linux, Fedora, Qemu | 2022-04-26 | 2.1 LOW | 3.2 LOW |
| A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected. | |||||
| CVE-2015-5745 | 3 Arista, Fedoraproject, Qemu | 3 Eos, Fedora, Qemu | 2022-02-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message. | |||||
| CVE-2015-3214 | 6 Arista, Debian, Lenovo and 3 more | 19 Eos, Debian Linux, Emc Px12-400r Ivx and 16 more | 2022-02-20 | 6.9 MEDIUM | N/A |
| The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index. | |||||
| CVE-2015-3209 | 8 Arista, Canonical, Debian and 5 more | 19 Eos, Ubuntu Linux, Debian Linux and 16 more | 2022-02-11 | 7.5 HIGH | N/A |
| Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set. | |||||
| CVE-2021-4145 | 2 Qemu, Redhat | 2 Qemu, Enterprise Linux | 2022-02-01 | 4.9 MEDIUM | 6.5 MEDIUM |
| A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node. | |||||
| CVE-2020-27617 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2022-01-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. | |||||
| CVE-2021-3416 | 4 Debian, Fedoraproject, Qemu and 1 more | 4 Debian Linux, Fedora, Qemu and 1 more | 2022-01-04 | 2.1 LOW | 6.0 MEDIUM |
| A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario. | |||||
| CVE-2020-25625 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2022-01-01 | 4.7 MEDIUM | 5.3 MEDIUM |
| hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. | |||||
| CVE-2020-27616 | 1 Qemu | 1 Qemu | 2022-01-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process. | |||||
| CVE-2021-20263 | 1 Qemu | 1 Qemu | 2022-01-01 | 2.1 LOW | 3.3 LOW |
| A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest. | |||||