CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Qemu : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2018-12617 190 Overflow 2018-06-21 2018-08-23
5.0
None Remote Low Not required None None Partial
qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket.
2 CVE-2018-11806 119 Overflow 2018-06-13 2018-10-10
7.2
None Local Low Not required Complete Complete Complete
m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.
3 CVE-2018-7858 125 DoS 2018-03-12 2018-07-11
2.1
None Local Low Not required None None Partial
Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display.
4 CVE-2018-7550 125 Exec Code 2018-03-01 2018-09-07
4.6
None Local Low Not required Partial Partial Partial
The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access.
5 CVE-2018-5683 125 DoS 2018-01-23 2018-09-07
2.1
None Local Low Not required None None Partial
The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation.
6 CVE-2017-18043 190 DoS Overflow 2018-01-31 2018-09-07
2.1
None Local Low Not required None None Partial
Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash).
7 CVE-2017-18030 125 DoS 2018-01-23 2018-09-07
2.1
None Local Low Not required None None Partial
The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch.
8 CVE-2017-17381 369 DoS 2017-12-06 2018-05-31
2.1
None Local Low Not required None None Partial
The Virtio Vring implementation in QEMU allows local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings.
9 CVE-2017-16845 125 2017-11-17 2018-09-07
7.5
None Remote Low Not required Partial Partial Partial
hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.
10 CVE-2017-15289 787 DoS 2017-10-16 2018-09-07
2.1
None Local Low Not required None None Partial
The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation.
11 CVE-2017-15268 399 2017-10-12 2018-05-31
5.0
None Remote Low Not required None None Partial
Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c.
12 CVE-2017-15124 20 2018-01-09 2018-05-31
7.8
None Remote Low Not required None None Complete
VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host.
13 CVE-2017-15119 400 DoS 2018-07-27 2018-09-24
5.0
None Remote Low Not required None None Partial
The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS.
14 CVE-2017-15118 787 Overflow 2018-07-27 2018-09-24
7.5
None Remote Low Not required Partial Partial Partial
A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS.
15 CVE-2017-15038 362 +Info 2017-10-09 2018-09-07
1.9
None Local Medium Not required Partial None None
Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes.
16 CVE-2017-14167 787 Exec Code Overflow 2017-09-08 2018-09-07
7.2
None Local Low Not required Complete Complete Complete
Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write.
17 CVE-2017-13711 416 DoS 2017-09-01 2018-04-12
5.0
None Remote Low Not required None None Partial
Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets.
18 CVE-2017-13673 20 DoS 2017-08-29 2018-04-12
4.0
None Remote Low Single system None None Partial
The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function.
19 CVE-2017-13672 125 DoS 2017-09-01 2018-07-11
2.1
None Local Low Not required None None Partial
QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update.
20 CVE-2017-12809 476 DoS 2017-08-23 2017-11-03
2.1
None Local Low Not required None None Partial
QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM Emulator support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive.
21 CVE-2017-11434 125 DoS 2017-07-25 2018-09-07
2.1
None Local Low Not required None None Partial
The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string.
22 CVE-2017-11334 125 DoS 2017-08-02 2018-03-15
2.1
None Local Low Not required None None Partial
The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area.
23 CVE-2017-10806 119 DoS Overflow 2017-08-02 2018-09-07
2.1
None Local Low Not required None None Partial
Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages.
24 CVE-2017-10664 19 DoS 2017-08-02 2018-01-04
5.0
None Remote Low Not required None None Partial
qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt.
25 CVE-2017-9524 20 DoS 2017-07-06 2018-01-04
5.0
None Remote Low Not required None None Partial
The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs before talking to a client in the nbd_negotiate function.
26 CVE-2017-9503 476 DoS 2017-06-16 2018-09-07
1.9
None Local Medium Not required None None Partial
QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing.
27 CVE-2017-9375 20 DoS 2017-06-16 2018-01-04
1.9
None Local Medium Not required None None Partial
QEMU (aka Quick Emulator), when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing.
28 CVE-2017-9374 119 DoS Overflow 2017-06-16 2018-09-07
2.1
None Local Low Not required None None Partial
Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device.
29 CVE-2017-9373 119 DoS Overflow 2017-06-16 2018-09-07
1.9
None Local Medium Not required None None Partial
Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device.
30 CVE-2017-9330 20 DoS 2017-06-08 2018-09-07
1.9
None Local Medium Not required None None Partial
QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI Emulation support, allows local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value, a different vulnerability than CVE-2017-6505.
31 CVE-2017-9310 20 DoS 2017-06-08 2018-01-04
1.9
None Local Medium Not required None None Partial
QEMU (aka Quick Emulator), when built with the e1000e NIC emulation support, allows local guest OS privileged users to cause a denial of service (infinite loop) via vectors related to setting the initial receive / transmit descriptor head (TDH/RDH) outside the allocated descriptor buffer.
32 CVE-2017-9060 399 DoS 2017-06-01 2017-06-30
4.9
None Local Low Not required None None Complete
Memory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (memory consumption) via a large number of "VIRTIO_GPU_CMD_SET_SCANOUT:" commands.
33 CVE-2017-8380 119 Overflow 2017-08-28 2017-09-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the "megasas_mmio_write" function in Qemu 2.9.0 allows remote attackers to have unspecified impact via unknown vectors.
34 CVE-2017-8379 399 DoS 2017-05-23 2018-09-07
4.9
None Local Low Not required None None Complete
Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events.
35 CVE-2017-8309 399 DoS 2017-05-23 2018-09-07
7.8
None Remote Low Not required None None Complete
Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture.
36 CVE-2017-8284 264 +Priv 2017-04-26 2017-05-10
6.9
None Local Medium Not required Complete Complete Complete
** DISPUTED ** The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated "this bug does not violate any security guarantees QEMU makes."
37 CVE-2017-8112 400 DoS 2017-05-02 2018-09-07
4.9
None Local Low Not required None None Complete
hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count.
38 CVE-2017-8086 399 DoS 2017-05-02 2018-09-07
4.9
None Local Low Not required None None Complete
Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable.
39 CVE-2017-7980 119 DoS Exec Code Overflow 2017-07-25 2018-09-07
4.6
None Local Low Not required Partial Partial Partial
Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation.
40 CVE-2017-7718 125 DoS 2017-04-20 2018-09-07
2.1
None Local Low Not required None None Partial
hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions.
41 CVE-2017-7539 20 DoS 2018-07-26 2018-10-01
5.0
None Remote Low Not required None None Partial
An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service.
42 CVE-2017-7493 284 2017-05-17 2018-09-07
4.6
None Local Low Not required Partial Partial Partial
Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest.
43 CVE-2017-7471 284 2018-07-09 2018-09-06
7.7
None Local Network Low Single system Complete Complete Complete
Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.
44 CVE-2017-7377 399 DoS 2017-04-10 2018-09-07
2.1
None Local Low Not required None None Partial
The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid.
45 CVE-2017-6505 20 DoS 2017-03-15 2018-09-07
2.1
None Local Low Not required None None Partial
The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Quick Emulator) before 2.9.0 allows local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors, a different vulnerability than CVE-2017-9330.
46 CVE-2017-6058 125 DoS Overflow 2017-03-20 2017-06-30
5.0
None Remote Low Not required None None Partial
Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping.
47 CVE-2017-5987 399 DoS 2017-03-20 2018-09-07
2.1
None Local Low Not required None None Partial
The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer.
48 CVE-2017-5973 399 DoS 2017-03-27 2018-09-07
2.1
None Local Low Not required None None Partial
The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors related to control transfer descriptor sequence.
49 CVE-2017-5957 119 DoS Overflow 2017-03-14 2017-07-10
2.1
None Local Low Not required None None Partial
Stack-based buffer overflow in the vrend_decode_set_framebuffer_state function in vrend_decode.c in virglrenderer before 926b9b3460a48f6454d8bbe9e44313d86a65447f, as used in Quick Emulator (QEMU), allows a local guest users to cause a denial of service (application crash) via the "nr_cbufs" argument.
50 CVE-2017-5931 190 DoS Exec Code Overflow 2017-03-27 2017-06-30
7.2
None Local Low Not required Complete Complete Complete
Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based buffer overflow.
Total number of vulnerabilities : 242   Page : 1 (This Page)2 3 4 5
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.