CVE-2013-4377 : Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 thro

Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by "hot-unplugging" a virtio device.

Published 2013-10-11 22:55:40

Updated 2025-04-11 00:51:22

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Memory CorruptionDenial of service

Products affected by CVE-2013-4377

Qemu » Qemu » Version: 1.4.1
cpe:2.3:a:qemu:qemu:1.4.1:*:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 1.5.0 Update RC1
cpe:2.3:a:qemu:qemu:1.5.0:rc1:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 1.5.0 Update RC2
cpe:2.3:a:qemu:qemu:1.5.0:rc2:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 1.5.0
cpe:2.3:a:qemu:qemu:1.5.0:*:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 1.4.2
cpe:2.3:a:qemu:qemu:1.4.2:*:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 1.6.0 Update RC3
cpe:2.3:a:qemu:qemu:1.6.0:rc3:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 1.6.0 Update RC2
cpe:2.3:a:qemu:qemu:1.6.0:rc2:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 1.6.0 Update RC1
cpe:2.3:a:qemu:qemu:1.6.0:rc1:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 1.6.0
cpe:2.3:a:qemu:qemu:1.6.0:*:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 1.5.2
cpe:2.3:a:qemu:qemu:1.5.2:*:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 1.5.0 Update RC3
cpe:2.3:a:qemu:qemu:1.5.0:rc3:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 1.5.3
cpe:2.3:a:qemu:qemu:1.5.3:*:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 1.5.1
cpe:2.3:a:qemu:qemu:1.5.1:*:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 1.4.0
cpe:2.3:a:qemu:qemu:1.4.0:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2013-4377

Top countries where our scanners detected CVE-2013-4377

Top open port discovered on systems with this issue 22

IPs affected by CVE-2013-4377 1

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2013-4377!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2013-4377

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 25 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-4377

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
2.3	LOW	AV:A/AC:M/Au:S/C:N/I:N/A:P	4.4	2.9	NIST
Access Vector: Adjacent Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2013-4377

CWE-399

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-4377

http://www.openwall.com/lists/oss-security/2013/09/26/5

oss-security - Re: CVE request: qemu host crash from within guest
https://bugzilla.redhat.com/show_bug.cgi?id=1012633

1012633 – (CVE-2013-4377) CVE-2013-4377 qemu: hot-unplugging virtio devices in guest can crash host qemu process
http://secunia.com/advisories/55015

Sign in
Vendor Advisory
http://www.ubuntu.com/usn/USN-2092-1

USN-2092-1: QEMU vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://lists.nongnu.org/archive/html/qemu-devel/2013-09/msg03347.html

[Qemu-devel] [PATCH 11/11] virtio-pci: add device_unplugged callback
Patch