Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320.
Max CVSS
4.6
EPSS Score
0.10%
Published
2014-12-08
Updated
2023-02-13
The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data.
Max CVSS
7.5
EPSS Score
7.88%
Published
2014-12-12
Updated
2023-02-13
The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value.
Max CVSS
5.0
EPSS Score
89.07%
Published
2014-11-14
Updated
2023-02-13
Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption.
Max CVSS
4.6
EPSS Score
0.06%
Published
2014-11-15
Updated
2023-02-13
vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a denial of service (out-of-bounds access, infinite loop, and memory corruption) and possibly gain privileges via unspecified vectors.
Max CVSS
6.8
EPSS Score
0.56%
Published
2014-08-26
Updated
2014-11-19
The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling.
Max CVSS
7.2
EPSS Score
0.06%
Published
2014-11-14
Updated
2023-02-13
The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket.
Max CVSS
2.1
EPSS Score
0.04%
Published
2014-11-07
Updated
2023-02-13
The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution.
Max CVSS
2.1
EPSS Score
0.06%
Published
2014-11-01
Updated
2020-08-11
hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrary code via crafted savevm data, which triggers a heap-based buffer overflow, related to "USB post load checks."
Max CVSS
6.8
EPSS Score
5.88%
Published
2014-11-04
Updated
2023-02-13
Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption.
Max CVSS
7.2
EPSS Score
0.04%
Published
2014-04-23
Updated
2023-02-13
Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read.
Max CVSS
4.6
EPSS Score
0.04%
Published
2014-11-04
Updated
2023-02-13
Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image.
Max CVSS
7.5
EPSS Score
3.99%
Published
2014-11-04
Updated
2023-02-13
Heap-based buffer overflow in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted config length in a savevm image.
Max CVSS
7.5
EPSS Score
7.94%
Published
2014-11-04
Updated
2023-02-13
Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow.
Max CVSS
4.9
EPSS Score
0.09%
Published
2014-04-18
Updated
2020-11-02
Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image.
Max CVSS
7.5
EPSS Score
6.63%
Published
2014-11-04
Updated
2023-02-13
hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information.
Max CVSS
4.9
EPSS Score
0.10%
Published
2014-05-08
Updated
2023-02-13
The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds array access.
Max CVSS
7.5
EPSS Score
6.96%
Published
2014-11-04
Updated
2023-02-13
The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value.
Max CVSS
7.5
EPSS Score
6.96%
Published
2014-11-04
Updated
2023-02-13
Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image.
Max CVSS
7.5
EPSS Score
5.46%
Published
2014-11-04
Updated
2023-02-13
Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image.
Max CVSS
7.5
EPSS Score
6.33%
Published
2014-11-04
Updated
2023-02-13
Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c in QEMU before 1.7.2 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image.
Max CVSS
7.5
EPSS Score
6.48%
Published
2014-11-04
Updated
2023-02-13
The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image.
Max CVSS
7.5
EPSS Score
5.48%
Published
2014-11-04
Updated
2023-02-13
Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements.
Max CVSS
7.5
EPSS Score
6.21%
Published
2014-11-04
Updated
2023-02-13
Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image.
Max CVSS
7.5
EPSS Score
6.21%
Published
2014-11-04
Updated
2023-02-13
Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in cpreg_vmstate_array_len in a savevm image.
Max CVSS
7.5
EPSS Score
6.21%
Published
2014-11-04
Updated
2023-02-13