| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2022-1050 |
416 |
|
Exec Code |
2022-03-29 |
2022-12-06 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition. |
|
2 |
CVE-2021-4207 |
362 |
|
Exec Code Overflow |
2022-04-29 |
2022-11-29 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. |
|
3 |
CVE-2021-4206 |
190 |
|
Exec Code Overflow |
2022-04-29 |
2022-09-23 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. |
|
4 |
CVE-2021-4145 |
476 |
|
|
2022-01-25 |
2022-09-28 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node. |
|
5 |
CVE-2021-3750 |
416 |
|
DoS Exec Code |
2022-05-02 |
2023-02-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. |
|
6 |
CVE-2021-3713 |
787 |
|
Exec Code |
2021-08-25 |
2022-10-25 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. |
|
7 |
CVE-2021-3608 |
824 |
|
|
2022-02-24 |
2022-10-26 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability. |
|
8 |
CVE-2021-3607 |
190 |
|
DoS Overflow |
2022-02-24 |
2022-10-26 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability. |
|
9 |
CVE-2021-3546 |
787 |
|
DoS Exec Code |
2021-06-02 |
2022-10-25 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process. |
|
10 |
CVE-2021-3409 |
119 |
|
DoS Exec Code Overflow |
2021-03-23 |
2022-09-30 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. |
|
11 |
CVE-2020-35517 |
269 |
|
|
2021-01-28 |
2023-02-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
|
12 |
CVE-2020-35506 |
416 |
|
DoS Exec Code |
2021-05-28 |
2022-08-31 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. |
|
13 |
CVE-2020-27617 |
617 |
|
|
2020-11-06 |
2022-09-23 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. |
|
14 |
CVE-2020-27616 |
682 |
|
|
2020-11-06 |
2022-01-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process. |
|
15 |
CVE-2020-25625 |
835 |
|
|
2020-09-25 |
2022-09-23 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. |
|
16 |
CVE-2020-25624 |
125 |
|
|
2020-11-30 |
2022-09-23 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver. |
|
17 |
CVE-2020-25085 |
787 |
|
Overflow |
2020-09-25 |
2022-09-23 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case. |
|
18 |
CVE-2020-17380 |
787 |
|
DoS Exec Code Overflow |
2021-01-30 |
2022-10-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host. |
|
19 |
CVE-2020-15863 |
787 |
|
DoS Exec Code Overflow |
2020-07-28 |
2022-09-30 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555. |
|
20 |
CVE-2020-14364 |
125 |
|
DoS Exec Code |
2020-08-31 |
2022-11-16 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. |
|
21 |
CVE-2020-13800 |
674 |
|
|
2020-06-04 |
2022-04-28 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call. |
|
22 |
CVE-2020-13754 |
119 |
|
Overflow |
2020-06-02 |
2020-12-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. |
|
23 |
CVE-2020-10761 |
617 |
|
DoS |
2020-06-09 |
2022-11-16 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
An assertion failure issue was found in the Network Block Device(NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service. |
|
24 |
CVE-2019-15034 |
120 |
|
Overflow |
2020-03-10 |
2020-05-28 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space. |
|
25 |
CVE-2019-13164 |
|
|
Bypass |
2019-07-03 |
2022-10-06 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass. |
|
26 |
CVE-2019-6778 |
787 |
|
Overflow |
2019-03-21 |
2020-08-24 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow. |
|
27 |
CVE-2018-16867 |
362 |
|
Exec Code |
2018-12-12 |
2020-05-14 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lead do DoS scenario OR possibly lead to code execution on the host. |
|
28 |
CVE-2018-16847 |
125 |
|
|
2018-11-02 |
2020-05-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process. |
|
29 |
CVE-2018-10839 |
190 |
|
Overflow |
2018-10-16 |
2023-02-02 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
An integer overflow issue was found in the NE200 NIC emulation. It could occur while receiving packets from the network, if the size value was greater than INT_MAX. Such overflow would lead to stack buffer overflow issue. A user inside guest could use this flaw to crash the QEMU process, resulting in DoS scenario. |
|
30 |
CVE-2018-7550 |
125 |
|
Exec Code |
2018-03-01 |
2020-05-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access. |
|
31 |
CVE-2017-13673 |
617 |
|
DoS |
2017-08-29 |
2019-10-03 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function. |
|
32 |
CVE-2017-9060 |
401 |
|
DoS |
2017-06-01 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (memory consumption) via a large number of "VIRTIO_GPU_CMD_SET_SCANOUT:" commands. |
|
33 |
CVE-2017-8379 |
772 |
|
DoS |
2017-05-23 |
2021-08-04 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events. |
|
34 |
CVE-2017-8112 |
835 |
|
DoS |
2017-05-02 |
2020-09-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count. |
|
35 |
CVE-2017-8086 |
772 |
|
DoS |
2017-05-02 |
2020-09-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable. |
|
36 |
CVE-2017-7980 |
119 |
|
DoS Exec Code Overflow |
2017-07-25 |
2021-08-04 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation. |
|
37 |
CVE-2017-7493 |
732 |
|
|
2017-05-17 |
2020-10-23 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest. |
|
38 |
CVE-2017-5857 |
401 |
|
DoS |
2017-03-16 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF commands sent without detaching the backing storage beforehand. |
|
39 |
CVE-2017-5856 |
401 |
|
DoS |
2017-03-16 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sglist size set to a value over 2 Gb. |
|
40 |
CVE-2017-5579 |
401 |
|
|
2017-03-15 |
2023-02-02 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
CVE-2017-5579 Qemu: serial: host memory leakage 16550A UART emulation |
|
41 |
CVE-2017-5578 |
401 |
|
DoS |
2017-03-15 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the virtio_gpu_resource_attach_backing function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands. |
|
42 |
CVE-2017-5552 |
401 |
|
DoS |
2017-03-15 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the virgl_resource_attach_backing function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands. |
|
43 |
CVE-2017-5526 |
401 |
|
DoS |
2017-03-15 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. |
|
44 |
CVE-2017-5525 |
401 |
|
DoS |
2017-03-15 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. |
|
45 |
CVE-2017-2633 |
125 |
|
|
2018-07-27 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the 'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process. |
|
46 |
CVE-2016-10155 |
401 |
|
DoS |
2017-03-15 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. |
|
47 |
CVE-2016-9916 |
401 |
|
DoS |
2016-12-29 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend. |
|
48 |
CVE-2016-9915 |
401 |
|
DoS |
2016-12-29 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend. |
|
49 |
CVE-2016-9914 |
401 |
|
DoS |
2016-12-29 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations. |
|
50 |
CVE-2016-9913 |
401 |
|
DoS |
2016-12-29 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup. |
