CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Qemu : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-20263 281 2021-03-09 2021-04-06
2.1
None Local Low Not required None Partial None
A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.
2 CVE-2021-20255 835 DoS Overflow 2021-03-09 2021-04-11
2.1
None Local Low Not required None None Partial
A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
3 CVE-2021-20221 125 2021-05-13 2021-06-04
2.1
None Local Low Not required None None Partial
An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
4 CVE-2021-20203 190 Overflow 2021-02-25 2021-04-11
2.1
None Local Low Not required None None Partial
An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
5 CVE-2021-20196 476 DoS 2021-05-26 2021-06-04
2.1
None Local Low Not required None None Partial
A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
6 CVE-2021-20181 416 2021-05-13 2021-06-04
6.9
None Local Medium Not required Complete Complete Complete
A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
7 CVE-2021-3546 787 DoS Exec Code 2021-06-02 2021-06-17
4.6
None Local Low Not required Partial Partial Partial
A flaw was found in vhost-user-gpu of QEMU in versions up to and including 6.0. An out-of-bounds write vulnerability can allow a malicious guest to crash the QEMU process on the host resulting in a denial of service or potentially execute arbitrary code on the host with the privileges of the QEMU process. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
8 CVE-2021-3545 200 +Info 2021-06-02 2021-06-09
2.1
None Local Low Not required Partial None None
An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.
9 CVE-2021-3544 401 2021-06-02 2021-06-11
2.1
None Local Low Not required None None Partial
Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.
10 CVE-2021-3527 770 DoS 2021-05-26 2021-06-03
2.1
None Local Low Not required None None Partial
A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.
11 CVE-2021-3507 119 Overflow +Info 2021-05-06 2021-06-01
3.6
None Local Low Not required Partial None Partial
A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.
12 CVE-2021-3416 835 Overflow Bypass 2021-03-18 2021-04-11
2.1
None Local Low Not required None None Partial
A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.
13 CVE-2021-3409 119 DoS Exec Code Overflow 2021-03-23 2021-04-11
4.6
None Local Low Not required Partial Partial Partial
The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this.
14 CVE-2021-3392 416 DoS 2021-03-23 2021-04-11
2.1
None Local Low Not required None None Partial
A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.
15 CVE-2020-35517 269 2021-01-28 2021-06-01
4.6
None Local Low Not required Partial Partial Partial
A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices.
16 CVE-2020-35506 416 DoS Exec Code 2021-05-28 2021-06-08
4.6
None Local Low Not required Partial Partial Partial
A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
17 CVE-2020-35505 476 DoS 2021-05-28 2021-06-14
2.1
None Local Low Not required None None Partial
A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
18 CVE-2020-35504 476 DoS 2021-05-28 2021-06-02
2.1
None Local Low Not required None None Partial
A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
19 CVE-2020-35503 476 DoS 2021-06-02 2021-06-11
2.1
None Local Low Not required None None Partial
A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
20 CVE-2020-29443 125 2021-01-26 2021-03-15
3.3
None Local Medium Not required Partial None Partial
ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.
21 CVE-2020-28916 835 2020-12-04 2021-02-24
2.1
None Local Low Not required None None Partial
hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
22 CVE-2020-27821 787 DoS 2020-12-08 2021-01-15
2.1
None Local Low Not required None None Partial
A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0.
23 CVE-2020-27661 369 DoS 2021-06-02 2021-06-14
2.1
None Local Low Not required None None Partial
A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-dwc2.c in the hcd-dwc2 USB host controller emulation of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
24 CVE-2020-27617 617 2020-11-06 2020-12-02
4.0
None Remote Low ??? None None Partial
eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol.
25 CVE-2020-27616 682 2020-11-06 2020-12-02
4.0
None Remote Low ??? None None Partial
ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process.
26 CVE-2020-25743 476 2020-10-06 2020-10-07
2.1
None Local Low Not required None None Partial
hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
27 CVE-2020-25742 476 2020-10-06 2020-10-07
2.1
None Local Low Not required None None Partial
pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
28 CVE-2020-25741 476 2020-10-02 2020-10-14
2.1
None Local Low Not required None None Partial
fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
29 CVE-2020-25723 617 DoS 2020-12-02 2020-12-28
2.1
None Local Low Not required None None Partial
A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.
30 CVE-2020-25625 835 2020-09-25 2020-11-29
4.7
None Local Medium Not required None None Complete
hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.
31 CVE-2020-25624 125 2020-11-30 2020-12-10
4.4
None Local Medium Not required Partial Partial Partial
hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.
32 CVE-2020-25085 787 Overflow 2020-09-25 2021-03-15
4.4
None Local Medium Not required Partial Partial Partial
QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case.
33 CVE-2020-25084 416 2020-09-25 2021-02-24
2.1
None Local Low Not required None None Partial
QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
34 CVE-2020-24352 119 DoS Overflow 2020-10-16 2020-12-14
2.1
None Local Low Not required None None Partial
An issue was discovered in QEMU through 5.1.0. An out-of-bounds memory access was found in the ATI VGA device implementation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati_2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
35 CVE-2020-17380 787 DoS Exec Code Overflow 2021-01-30 2021-04-11
4.6
None Local Low Not required Partial Partial Partial
A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.
36 CVE-2020-16092 617 DoS 2020-08-11 2020-10-13
2.1
None Local Low Not required None None Partial
In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c.
37 CVE-2020-15863 787 DoS Exec Code Overflow 2020-07-28 2021-01-04
4.4
None Local Medium Not required Partial Partial Partial
hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555.
38 CVE-2020-15859 416 2020-07-21 2021-02-24
2.1
None Local Low Not required None None Partial
QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.
39 CVE-2020-15469 476 2020-07-02 2021-02-24
2.1
None Local Low Not required None None Partial
In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
40 CVE-2020-14415 369 2020-08-27 2020-09-02
2.1
None Local Low Not required None None Partial
oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position.
41 CVE-2020-14364 125 DoS Exec Code 2020-08-31 2020-11-11
4.4
None Local Medium Not required Partial Partial Partial
An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.
42 CVE-2020-13800 835 2020-06-04 2020-11-11
4.9
None Local Low Not required None None Complete
ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.
43 CVE-2020-13791 125 2020-06-04 2020-12-14
2.1
None Local Low Not required None None Partial
hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.
44 CVE-2020-13765 787 2020-06-04 2021-01-04
6.8
None Remote Medium Not required Partial Partial Partial
rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.
45 CVE-2020-13754 119 Overflow 2020-06-02 2020-12-14
4.6
None Local Low Not required Partial Partial Partial
hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.
46 CVE-2020-13659 476 2020-06-02 2020-11-11
1.9
None Local Medium Not required None None Partial
address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.
47 CVE-2020-13362 125 2020-05-28 2020-11-11
2.1
None Local Low Not required None None Partial
In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.
48 CVE-2020-13361 787 2020-05-28 2020-11-11
3.3
None Local Medium Not required None Partial Partial
In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
49 CVE-2020-13253 125 2020-05-27 2020-12-14
2.1
None Local Low Not required None None Partial
sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.
50 CVE-2020-12829 190 DoS Overflow 2020-08-31 2020-12-14
2.1
None Local Low Not required None None Partial
In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service.
Total number of vulnerabilities : 350   Page : 1 (This Page)2 3 4 5 6 7
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.