| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-4172 | 190 | | Overflow | 2022-11-29 | 2023-01-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU, in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host. |
| 2 | CVE-2022-4144 | 125 | | DoS | 2022-11-29 | 2023-01-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the BAR space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host, causing a denial of service condition. |
| 3 | CVE-2022-3872 | 193 | | DoS | 2022-11-07 | 2022-12-15 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. |
| 4 | CVE-2022-3165 | 191 | | DoS | 2022-10-17 | 2023-01-20 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service. |
| 5 | CVE-2022-2962 | 787 | | DoS Overflow | 2022-09-13 | 2022-09-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes the rx/tx descriptor or copies the rx/tx frame, it does not check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. |
| 6 | CVE-2022-0358 | 273 | | +Priv | 2022-08-29 | 2022-12-09 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is closely related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user on the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system. |
| 7 | CVE-2022-0216 | 416 | | DoS | 2022-08-26 | 2022-12-08 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service. |
| 8 | CVE-2021-4158 | 476 | | DoS | 2022-08-24 | 2022-09-19 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. |
| 9 | CVE-2021-3929 | 416 | | DoS | 2022-08-25 | 2022-10-01 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A DMA reentrancy issue was found in the NVM Express Controller (NVMe) emulation in QEMU. This CVE is similar to CVE-2021-3750: when the reentrant write triggers the reset function nvme_ctrl_reset(), data structures are freed, leading to a use-after-free. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host. |
| 10 | CVE-2021-3735 | 400 | | DoS | 2022-08-26 | 2022-09-01 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. |
| 11 | CVE-2020-14394 | 835 | | DoS | 2022-08-17 | 2022-12-14 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service. |
| 12 | CVE-2014-0148 | 835 | | | 2022-09-29 | 2022-10-03 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The QEMU (before 2.0) block driver for Hyper-V VHDX images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for the block_size and logical_sector_size variables. These are used to derive other fields such as sectors_per_block. A user able to alter the QEMU disk image could use this flaw to crash the QEMU instance, resulting in a denial of service. |
| 13 | CVE-2014-0147 | 190 | | | 2022-09-29 | 2022-10-03 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The QEMU (before 1.6.2) block drivers for the various disk image formats used by Bochs and for the QCOW version 2 format are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling the update_refcount() routine. |
| 14 | CVE-2014-0144 | 20 | | Exec Code Overflow Mem. Corr. | 2022-09-29 | 2022-10-03 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruption, integer/buffer overflows or crashes caused by missing input validation, which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process. |
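The first two entries (CVE-2022-4172 in ERST and CVE-2022-4144 in QXL) share one root cause: a guest-supplied offset or length is checked against a host buffer either with arithmetic that can wrap (CWE-190 turning into CWE-787) or without taking the size of the accessed object into account at all (CWE-125). The block below is an added illustration of that check, not QEMU's ERST or QXL code; the buffer size, the function names and the hostile offset are constructed for the demonstration. It shows the naive `offset + len <= size` test accepting a request that wraps around `UINT64_MAX`, and the rearranged test that cannot wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOST_BUF_SIZE 4096u   /* host buffer backing the device memory (hypothetical size) */

/* Naive check: offset + len is computed first and can wrap to a small value. */
static bool range_ok_naive(uint64_t buf_size, uint64_t offset, uint64_t len)
{
    return offset + len <= buf_size;
}

/* Hardened check: no intermediate value can exceed buf_size, so nothing can wrap. */
static bool range_ok_safe(uint64_t buf_size, uint64_t offset, uint64_t len)
{
    return len <= buf_size && offset <= buf_size - len;
}

/* Map a guest-supplied (offset, len) to a host pointer, or NULL if it does not fit. */
static uint8_t *guest_range_to_host(uint8_t *buf, uint64_t buf_size,
                                    uint64_t offset, uint64_t len)
{
    if (!range_ok_safe(buf_size, offset, len)) {
        return NULL;
    }
    return buf + offset;
}

/* Copy a guest record into the host buffer; -1 means the request was rejected. */
static int write_record(uint8_t *buf, uint64_t buf_size, uint64_t offset,
                        const uint8_t *src, uint64_t len)
{
    uint8_t *dst = guest_range_to_host(buf, buf_size, offset, len);
    if (dst == NULL) {
        return -1;
    }
    memcpy(dst, src, len);
    return 0;
}

/* Constructed hostile request: offset chosen so that offset + 32 wraps to 0x10. */
#define HOSTILE_OFFSET (UINT64_MAX - 0x0f)
#define HOSTILE_LEN    32u

static int hostile_write_result(void)
{
    static uint8_t host_buf[HOST_BUF_SIZE];
    uint8_t payload[HOSTILE_LEN] = {0};
    return write_record(host_buf, HOST_BUF_SIZE, HOSTILE_OFFSET, payload, HOSTILE_LEN);
}

int main(void)
{
    printf("naive check accepts wrapped request: %s\n",
           range_ok_naive(HOST_BUF_SIZE, HOSTILE_OFFSET, HOSTILE_LEN) ? "yes" : "no");
    printf("safe check accepts wrapped request:  %s\n",
           range_ok_safe(HOST_BUF_SIZE, HOSTILE_OFFSET, HOSTILE_LEN) ? "yes" : "no");
    printf("write_record(hostile) returned %d\n", hostile_write_result());
    return 0;
}
```

The `len` argument is the part the QXL entry is about: a translation routine that only validates the start address lets a guest place a structure so that its tail runs past the end of the BAR. Passing the size of the object being accessed into the check, and comparing in the wrap-free form, closes both the overflow and the trailing out-of-bounds read.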
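Entry 4 (CVE-2022-3165) concerns the extended form of the RFB ClientCutText message, where the 32-bit length is signed and a negative value announces the extended layout: the absolute value of the length covers a 4-byte flags word followed by the clipboard payload. If a parser subtracts the flags word from the length before confirming the length is at least 4, the unsigned subtraction underflows and the server believes a multi-gigabyte payload is pending. The parser below is an added example, not QEMU's VNC code; the three sample messages are constructed, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    bool           extended;
    uint32_t       flags;      /* only meaningful when extended */
    const uint8_t *data;       /* points into the caller's buffer */
    uint32_t       data_len;
} CutText;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable shape: trusts the declared length, so |declared| - 4 underflows for |declared| < 4. */
static uint32_t payload_len_unchecked(int32_t declared)
{
    uint32_t ext_len = 0u - (uint32_t)declared;   /* |declared| without signed overflow */
    return ext_len - 4;
}

/*
 * Parse a ClientCutText body (the 4-byte length onward) from `buf` holding
 * `avail` bytes. Returns 0 and fills *out, or -1 on any malformed input.
 */
static int parse_cut_text(const uint8_t *buf, size_t avail, CutText *out)
{
    if (avail < 4) {
        return -1;
    }
    int32_t declared = (int32_t)be32(buf);
    const uint8_t *body = buf + 4;
    size_t body_avail = avail - 4;

    if (declared >= 0) {                          /* classic, non-extended form */
        if ((uint32_t)declared > body_avail) {
            return -1;
        }
        out->extended = false;
        out->flags = 0;
        out->data = body;
        out->data_len = (uint32_t)declared;
        return 0;
    }

    uint32_t ext_len = 0u - (uint32_t)declared;   /* |declared|, defined even for INT32_MIN */
    if (ext_len < 4) {                            /* must at least cover the flags word */
        return -1;
    }
    if (ext_len > body_avail) {                   /* do not wait for bytes that never arrive */
        return -1;
    }
    out->extended = true;
    out->flags = be32(body);
    out->data = body + 4;
    out->data_len = ext_len - 4;                  /* cannot underflow after the check above */
    return 0;
}

/* Constructed sample messages (length field onward). */
static const uint8_t MSG_VALID_EXT[] = { 0xff, 0xff, 0xff, 0xf8,   /* length = -8 */
                                         0x00, 0x00, 0x00, 0x01,   /* flags */
                                         'a', 'b', 'c', 'd' };
static const uint8_t MSG_PLAIN[]     = { 0x00, 0x00, 0x00, 0x03, 'h', 'i', '!' };
static const uint8_t MSG_UNDERFLOW[] = { 0xff, 0xff, 0xff, 0xff };   /* length = -1 */
static const uint8_t MSG_TRUNCATED[] = { 0xff, 0xff, 0xff, 0xf0,   /* length = -16, 6 bytes follow */
                                         0x00, 0x00, 0x00, 0x01, 'a', 'b' };

/* Payload length of a parsed message, or -1 if the parser rejected it. */
static int32_t sample_data_len(const uint8_t *msg, size_t n)
{
    CutText ct;
    return parse_cut_text(msg, n, &ct) < 0 ? -1 : (int32_t)ct.data_len;
}

/* Flags word of an extended message, 0 for plain messages, -1 if rejected. */
static int64_t sample_flags(const uint8_t *msg, size_t n)
{
    CutText ct;
    if (parse_cut_text(msg, n, &ct) < 0) {
        return -1;
    }
    return ct.extended ? (int64_t)ct.flags : 0;
}

int main(void)
{
    printf("unchecked payload length for declared -1: %u bytes\n", payload_len_unchecked(-1));
    printf("checked parse of the same message: %d\n", sample_data_len(MSG_UNDERFLOW, sizeof(MSG_UNDERFLOW)));
    printf("valid extended message: %d payload bytes, flags 0x%llx\n",
           sample_data_len(MSG_VALID_EXT, sizeof(MSG_VALID_EXT)),
           (unsigned long long)sample_flags(MSG_VALID_EXT, sizeof(MSG_VALID_EXT)));
    return 0;
}
```

Negating the length as `0u - (uint32_t)declared` rather than `-declared` matters as well: `-INT32_MIN` is signed overflow in C, which is undefined behaviour and a second way for a hostile length to misbehave.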
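Entries 5 and 9 (CVE-2022-2962 in Tulip and CVE-2021-3929 in NVMe) are both DMA reentrancy bugs: a device's DMA engine writes to an address that turns out to be the device's own MMIO range, so the MMIO handler runs again while an outer invocation is still on the stack, either recursing until the stack is exhausted or freeing state the outer frame is still using. The toy device below is an added model of that pattern, not QEMU's Tulip or NVMe code; the register layout, addresses and the busy-flag guard are hypothetical. It runs the same guest sequence with the guard off (nesting grows until the demo cap) and on (the nested access is refused).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MMIO_BASE     0x1000u
#define MMIO_SIZE     0x100u
#define REG_DESC_ADDR 0x00u    /* guest programs the DMA target address here */
#define REG_DOORBELL  0x08u    /* a write here makes the device DMA a status word there */
#define RAM_SIZE      0x10000u
#define MAX_DEPTH     64       /* demo-only cap so the unguarded case cannot blow the real stack */

typedef struct {
    uint64_t desc_addr;
    bool     use_guard;
    bool     engaged_in_io;   /* set while an MMIO handler of this device is running */
    int      depth;           /* current nesting of mmio_write */
    int      max_depth;       /* deepest nesting observed */
    int      refused;         /* re-entrant accesses dropped by the guard */
    uint8_t  ram[RAM_SIZE];   /* stand-in for guest RAM */
} ToyDevice;

static void mmio_write(ToyDevice *d, uint64_t addr, uint64_t val);

/* Bus-level write issued by the device's DMA engine: guest RAM or an MMIO region. */
static void dma_write(ToyDevice *d, uint64_t addr, uint64_t val)
{
    if (addr >= MMIO_BASE && addr < MMIO_BASE + MMIO_SIZE) {
        mmio_write(d, addr, val);            /* DMA into our own registers re-enters the handler */
    } else if (addr <= RAM_SIZE - sizeof(val)) {
        memcpy(&d->ram[addr], &val, sizeof(val));
    }
}

static void mmio_write(ToyDevice *d, uint64_t addr, uint64_t val)
{
    if (d->use_guard && d->engaged_in_io) {
        d->refused++;                        /* already inside a handler: drop the nested access */
        return;
    }
    if (d->depth >= MAX_DEPTH) {
        return;                              /* demo cap; unguarded real code keeps recursing */
    }
    d->engaged_in_io = true;
    d->depth++;
    if (d->depth > d->max_depth) {
        d->max_depth = d->depth;
    }

    switch (addr - MMIO_BASE) {
    case REG_DESC_ADDR:
        d->desc_addr = val;
        break;
    case REG_DOORBELL:
        dma_write(d, d->desc_addr, 1);       /* "complete" the request with a DONE status word */
        break;
    default:
        break;
    }

    d->depth--;
    d->engaged_in_io = false;
}

/* Guest points the DMA target at the doorbell register itself, then rings the doorbell. */
static void run_attack(ToyDevice *d, bool use_guard)
{
    memset(d, 0, sizeof(*d));
    d->use_guard = use_guard;
    mmio_write(d, MMIO_BASE + REG_DESC_ADDR, MMIO_BASE + REG_DOORBELL);
    mmio_write(d, MMIO_BASE + REG_DOORBELL, 0);
}

static int attack_max_depth(bool use_guard)
{
    static ToyDevice d;
    run_attack(&d, use_guard);
    return d.max_depth;
}

static int attack_refused(bool use_guard)
{
    static ToyDevice d;
    run_attack(&d, use_guard);
    return d.refused;
}

/* Benign path: DMA target in RAM, the status word lands there and nothing re-enters. */
static uint64_t benign_status_word(void)
{
    static ToyDevice d;
    uint64_t status = 0;
    memset(&d, 0, sizeof(d));
    d.use_guard = true;
    mmio_write(&d, MMIO_BASE + REG_DESC_ADDR, 0x2000);
    mmio_write(&d, MMIO_BASE + REG_DOORBELL, 0);
    memcpy(&status, &d.ram[0x2000], sizeof(status));
    return status;
}

int main(void)
{
    printf("unguarded: nesting reached %d (demo cap %d)\n", attack_max_depth(false), MAX_DEPTH);
    printf("guarded:   nesting reached %d, %d re-entrant access(es) refused\n",
           attack_max_depth(true), attack_refused(true));
    printf("benign DMA status word: %llu\n", (unsigned long long)benign_status_word());
    return 0;
}
```

The guard converts re-entry into a dropped access, which is the right failure mode for a device model: a real guest never has a legitimate reason to DMA into the controller's own registers mid-operation. It does not by itself fix the NVMe-style case where the nested handler frees state; there the freeing path (the controller reset) must also be deferred or refused while a handler is in flight.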
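Entry 12 (CVE-2014-0148) is the image-format counterpart of the guest-input bugs above: `block_size` and `logical_sector_size` are read from an attacker-controlled VHDX header and fed into loop bounds and divisions without first being checked against what the format allows. The block below is an added example, not QEMU's VHDX driver; the limits it enforces (block size a power of two between 1 MiB and 256 MiB, logical sector size 512 or 4096, virtual disk size at most 64 TiB) and the BAT-entry formula (`chunk_ratio = (2^23 * logical_sector_size) / block_size`, one sector-bitmap entry per `chunk_ratio` data blocks) are taken from the VHDX format specification; the function names are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MiB (1024ull * 1024ull)
#define TiB (MiB * MiB)

/* Limits from the VHDX format specification. */
#define VHDX_BLOCK_MIN (1 * MiB)
#define VHDX_BLOCK_MAX (256 * MiB)
#define VHDX_DISK_MAX  (64 * TiB)

static bool is_pow2(uint64_t v)
{
    return v != 0 && (v & (v - 1)) == 0;
}

/* True only if the three header fields satisfy the format's constraints. */
static bool vhdx_params_valid(uint32_t block_size, uint32_t logical_sector_size,
                              uint64_t virtual_disk_size)
{
    if (!is_pow2(block_size) || block_size < VHDX_BLOCK_MIN || block_size > VHDX_BLOCK_MAX) {
        return false;
    }
    if (logical_sector_size != 512 && logical_sector_size != 4096) {
        return false;
    }
    if (virtual_disk_size == 0 || virtual_disk_size > VHDX_DISK_MAX ||
        virtual_disk_size % logical_sector_size != 0) {
        return false;
    }
    return true;
}

/*
 * BAT entry count per the VHDX layout: one entry per data block plus one
 * sector-bitmap entry per chunk_ratio data blocks. Returns -1 when the
 * parameters are rejected, so no caller ever sizes a loop or an allocation
 * from unchecked header fields.
 */
static int64_t vhdx_bat_entries(uint32_t block_size, uint32_t logical_sector_size,
                                uint64_t virtual_disk_size)
{
    if (!vhdx_params_valid(block_size, logical_sector_size, virtual_disk_size)) {
        return -1;
    }
    /* With the limits above chunk_ratio is in [16, 32768], never zero. */
    uint64_t chunk_ratio   = ((1ull << 23) * logical_sector_size) / block_size;
    uint64_t data_blocks   = (virtual_disk_size + block_size - 1) / block_size;
    uint64_t bitmap_blocks = (data_blocks - 1) / chunk_ratio;
    return (int64_t)(data_blocks + bitmap_blocks);
}

/* The count a parser computes if it trusts block_size as-is (block_size == 0 divides by zero). */
static uint64_t data_blocks_unchecked(uint32_t block_size, uint64_t virtual_disk_size)
{
    return (virtual_disk_size + block_size - 1) / block_size;
}

int main(void)
{
    printf("64 GiB image, 1 MiB blocks, 4 KiB sectors: %lld BAT entries\n",
           (long long)vhdx_bat_entries(1 * MiB, 4096, 64 * 1024 * MiB));
    printf("same image with block_size = 3 MiB (not a power of two): %lld\n",
           (long long)vhdx_bat_entries(3 * MiB, 4096, 64 * 1024 * MiB));
    printf("unchecked data block count with block_size = 1: %llu\n",
           (unsigned long long)data_blocks_unchecked(1, 64 * 1024 * MiB));
    return 0;
}
```

The last line of output is the "infinite loop" in practice: a 1-byte block size makes the unchecked driver iterate over 2^36 BAT entries for a 64 GiB image, and a zero block size traps on the division before it gets that far. Validating against the specification's own limits bounds every derived quantity before any loop runs.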