CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Qemu : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-4002 119 DoS Exec Code Overflow Mem. Corr. 2016-04-26 2016-04-28
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.
2 CVE-2016-2858 119 DoS Overflow Mem. Corr. 2016-04-07 2016-04-11
1.9
None Local Medium Not required None None Partial
QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.
3 CVE-2016-2857 119 DoS Overflow 2016-04-11 2016-04-14
2.1
None Local Low Not required None None Partial
The net_checksum_calculate function in net/checksum.c in QEMU allows guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.
4 CVE-2016-1714 119 DoS Exec Code Overflow 2016-04-07 2016-04-22
6.9
None Local Medium Not required Complete Complete Complete
The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a firmware configuration.
5 CVE-2016-1568 DoS Exec Code 2016-04-11 2016-04-19
9.3
None Remote Medium Not required Complete Complete Complete
Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.
6 CVE-2015-7512 119 DoS Exec Code Overflow 2016-01-08 2016-01-14
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.
7 CVE-2015-7295 119 DoS Overflow 2015-11-09 2015-11-10
5.0
None Remote Low Not required None None Partial
hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.
8 CVE-2015-6855 264 DoS 2015-11-06 2015-11-09
10.0
None Remote Low Not required Complete Complete Complete
hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash.
9 CVE-2015-5279 119 DoS Exec Code Overflow 2015-09-28 2015-09-29
7.2
None Local Low Not required Complete Complete Complete
Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.
10 CVE-2015-5225 119 DoS Exec Code Overflow Mem. Corr. 2015-11-06 2015-11-09
7.2
None Local Low Not required Complete Complete Complete
Buffer overflow in the vnc_refresh_server_surface function in the VNC display driver in QEMU before 2.4.0.1 allows guest users to cause a denial of service (heap memory corruption and process crash) or possibly execute arbitrary code on the host via unspecified vectors, related to refreshing the server display surface.
11 CVE-2015-5158 119 DoS Overflow 2016-04-11 2016-04-14
4.3
None Remote Medium Not required None None Partial
Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built with SCSI-device emulation support, allows guest OS users with CAP_SYS_RAWIO permissions to cause a denial of service (instance crash) via an invalid opcode in a SCSI command descriptor block.
12 CVE-2015-4106 284 DoS +Priv +Info 2015-06-03 2016-04-07
7.2
None Local Low Not required Complete Complete Complete
QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.
13 CVE-2015-4037 17 DoS 2015-08-26 2015-08-27
1.9
None Local Medium Not required None None Partial
The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.
14 CVE-2015-3456 119 DoS Exec Code Overflow 2015-05-13 2016-01-13
7.7
None Local Network Low Single system Complete Complete Complete
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.
15 CVE-2015-3214 119 Exec Code Overflow 2015-08-31 2016-04-11
6.9
None Local Medium Not required Complete Complete Complete
The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.
16 CVE-2015-3209 119 Exec Code Overflow 2015-06-15 2016-04-11
7.5
None Remote Low Not required Partial Partial Partial
Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.
17 CVE-2015-1779 399 DoS 2016-01-12 2016-01-15
7.8
None Remote Low Not required None None Complete
The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.
18 CVE-2014-9718 399 DoS 2015-04-21 2016-01-13
4.9
None Local Low Not required None None Complete
The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions.
19 CVE-2014-8106 119 Exec Code Overflow 2014-12-08 2016-01-13
4.6
None Local Low Not required Partial Partial Partial
Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320.
20 CVE-2014-7840 20 Exec Code 2014-12-12 2015-03-17
7.5
None Remote Low Not required Partial Partial Partial
The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data.
21 CVE-2014-7815 264 DoS 2014-11-14 2015-03-17
5.0
None Remote Low Not required None None Partial
The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value.
22 CVE-2014-5388 119 Overflow Mem. Corr. +Info 2014-11-15 2014-11-17
4.6
None Local Low Not required Partial Partial Partial
Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption.
23 CVE-2014-5263 119 DoS Overflow +Priv Mem. Corr. 2014-08-26 2014-11-18
6.8
None Remote Medium Not required Partial Partial Partial
vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a denial of service (out-of-bounds access, infinite loop, and memory corruption) and possibly gain privileges via unspecified vectors.
24 CVE-2014-3689 264 +Priv 2014-11-14 2014-11-14
7.2
None Local Low Not required Complete Complete Complete
The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling.
25 CVE-2014-3640 DoS 2014-11-07 2015-03-17
2.1
None Local Low Not required None None Partial
The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket.
26 CVE-2014-3615 200 +Info 2014-11-01 2014-12-06
2.1
None Local Low Not required Partial None None
The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution.
27 CVE-2014-3461 119 Exec Code Overflow 2014-11-04 2014-11-05
6.8
None Remote Medium Not required Partial Partial Partial
hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrary code via crafted savevm data, which triggers a heap-based buffer overflow, related to "USB post load checks."
28 CVE-2014-2894 189 Exec Code Mem. Corr. 2014-04-23 2014-11-13
7.2
None Local Low Not required Complete Complete Complete
Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption.
29 CVE-2014-0223 189 DoS Exec Code Overflow 2014-11-04 2015-06-03
4.6
None Local Low Not required Partial Partial Partial
Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read.
30 CVE-2014-0222 189 DoS Overflow 2014-11-04 2015-06-03
7.5
None Remote Low Not required Partial Partial Partial
Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image.
31 CVE-2014-0182 119 Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Heap-based buffer overflow in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted config length in a savevm image.
32 CVE-2014-0150 189 Exec Code Overflow 2014-04-18 2014-05-10
4.9
None Local Network Medium Single system Partial Partial Partial
Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow.
33 CVE-2013-6399 94 Exec Code 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image.
34 CVE-2013-4544 20 DoS Exec Code 2014-05-08 2014-05-09
4.9
None Local Network Medium Single system Partial Partial Partial
hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information.
35 CVE-2013-4542 119 Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds array access.
36 CVE-2013-4541 119 Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value.
37 CVE-2013-4540 119 Exec Code Overflow 2014-11-04 2015-11-20
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image.
38 CVE-2013-4539 119 Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image.
39 CVE-2013-4538 119 DoS Exec Code Overflow Mem. Corr. 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c in QEMU before 1.7.2 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image.
40 CVE-2013-4537 94 Exec Code 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image.
41 CVE-2013-4534 119 DoS Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements.
42 CVE-2013-4533 119 DoS Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image.
43 CVE-2013-4531 119 DoS Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in cpreg_vmstate_array_len in a savevm image.
44 CVE-2013-4530 119 DoS Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.
45 CVE-2013-4529 119 DoS Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.
46 CVE-2013-4527 119 Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via vectors related to the number of timers.
47 CVE-2013-4526 119 DoS Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports.
48 CVE-2013-4377 399 DoS 2013-10-11 2014-03-05
2.3
None Local Network Medium Single system None None Partial
Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by "hot-unplugging" a virtio device.
49 CVE-2013-4375 399 DoS 2014-01-19 2014-03-05
2.7
None Local Network Low Single system None None Partial
The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors.
50 CVE-2013-4344 119 Overflow +Priv 2013-10-04 2015-11-20
6.0
None Local High Single system Complete Complete Complete
Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command.
Total number of vulnerabilities : 74   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.