| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-16867 |
22 |
|
Exec Code Dir. Trav. |
2018-12-12 |
2019-01-08 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lead do DoS scenario OR possibly lead to code execution on the host. |
|
2 |
CVE-2018-10839 |
190 |
|
Overflow |
2018-10-16 |
2019-01-17 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS. |
|
3 |
CVE-2018-7550 |
125 |
|
Exec Code |
2018-03-01 |
2018-09-07 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access. |
|
4 |
CVE-2017-13673 |
20 |
|
DoS |
2017-08-29 |
2018-04-12 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function. |
|
5 |
CVE-2017-9060 |
399 |
|
DoS |
2017-06-01 |
2017-06-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (memory consumption) via a large number of "VIRTIO_GPU_CMD_SET_SCANOUT:" commands. |
|
6 |
CVE-2017-8379 |
399 |
|
DoS |
2017-05-23 |
2018-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events. |
|
7 |
CVE-2017-8112 |
400 |
|
DoS |
2017-05-02 |
2018-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count. |
|
8 |
CVE-2017-8086 |
399 |
|
DoS |
2017-05-02 |
2018-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable. |
|
9 |
CVE-2017-7980 |
119 |
|
DoS Exec Code Overflow |
2017-07-25 |
2018-09-07 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation. |
|
10 |
CVE-2017-7493 |
284 |
|
|
2017-05-17 |
2018-09-07 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest. |
|
11 |
CVE-2017-5857 |
399 |
|
DoS |
2017-03-16 |
2017-06-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF commands sent without detaching the backing storage beforehand. |
|
12 |
CVE-2017-5856 |
399 |
|
DoS |
2017-03-16 |
2018-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sglist size set to a value over 2 Gb. |
|
13 |
CVE-2017-5579 |
399 |
|
DoS |
2017-03-15 |
2018-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. |
|
14 |
CVE-2017-5578 |
399 |
|
DoS |
2017-03-15 |
2017-06-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the virtio_gpu_resource_attach_backing function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands. |
|
15 |
CVE-2017-5552 |
399 |
|
DoS |
2017-03-15 |
2017-06-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the virgl_resource_attach_backing function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands. |
|
16 |
CVE-2017-5526 |
399 |
|
DoS |
2017-03-15 |
2018-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. |
|
17 |
CVE-2017-5525 |
399 |
|
DoS |
2017-03-15 |
2018-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. |
|
18 |
CVE-2017-2633 |
125 |
|
|
2018-07-27 |
2018-09-24 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the 'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process. |
|
19 |
CVE-2016-10155 |
399 |
|
DoS |
2017-03-15 |
2018-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. |
|
20 |
CVE-2016-9916 |
400 |
|
DoS |
2016-12-29 |
2018-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend. |
|
21 |
CVE-2016-9915 |
400 |
|
DoS |
2016-12-29 |
2018-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend. |
|
22 |
CVE-2016-9914 |
400 |
|
DoS |
2016-12-29 |
2018-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations. |
|
23 |
CVE-2016-9913 |
400 |
|
DoS |
2016-12-29 |
2017-06-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup. |
|
24 |
CVE-2016-9846 |
119 |
|
Overflow |
2016-12-29 |
2017-06-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host. |
|
25 |
CVE-2016-7909 |
399 |
|
DoS |
2016-10-05 |
2018-12-01 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0. |
|
26 |
CVE-2016-5403 |
399 |
|
DoS |
2016-08-02 |
2018-01-04 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion. |
|
27 |
CVE-2016-5338 |
20 |
|
DoS Exec Code |
2016-06-14 |
2018-12-01 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer. |
|
28 |
CVE-2016-5126 |
119 |
|
DoS Exec Code Overflow |
2016-06-01 |
2017-06-30 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call. |
|
29 |
CVE-2016-4964 |
20 |
|
DoS |
2016-12-09 |
2017-06-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state. |
|
30 |
CVE-2016-4453 |
399 |
|
DoS |
2016-06-01 |
2018-12-01 |
4.6 |
None |
Local |
Low |
Single system |
None |
None |
Complete |
|
The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command. |
|
31 |
CVE-2016-4439 |
119 |
|
DoS Exec Code Overflow |
2016-05-20 |
2018-12-01 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors. |
|
32 |
CVE-2016-4037 |
20 |
|
DoS |
2016-05-23 |
2018-12-01 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558. |
|
33 |
CVE-2016-4001 |
20 |
|
DoS Overflow |
2016-05-23 |
2018-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet. |
|
34 |
CVE-2015-8568 |
119 |
|
DoS Overflow |
2017-04-11 |
2017-11-03 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly. |
|
35 |
CVE-2015-8558 |
20 |
|
DoS |
2016-05-23 |
2017-11-03 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list. |
|
36 |
CVE-2015-7504 |
119 |
|
DoS Exec Code Overflow |
2017-10-16 |
2018-01-04 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. |
|
37 |
CVE-2015-5158 |
119 |
|
DoS Overflow |
2016-04-11 |
2016-04-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built with SCSI-device emulation support, allows guest OS users with CAP_SYS_RAWIO permissions to cause a denial of service (instance crash) via an invalid opcode in a SCSI command descriptor block. |
|
38 |
CVE-2014-9718 |
399 |
|
DoS |
2015-04-21 |
2016-06-23 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions. |
|
39 |
CVE-2014-8106 |
119 |
|
Exec Code Overflow |
2014-12-08 |
2017-09-07 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320. |
|
40 |
CVE-2014-5388 |
119 |
|
Overflow Mem. Corr. +Info |
2014-11-15 |
2014-11-17 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption. |
|
41 |
CVE-2014-0223 |
189 |
|
DoS Exec Code Overflow |
2014-11-04 |
2017-11-03 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read. |
|
42 |
CVE-2014-0150 |
189 |
|
Exec Code Overflow |
2014-04-18 |
2017-12-15 |
4.9 |
None |
Local Network |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow. |
|
43 |
CVE-2014-0145 |
119 |
|
DoS Exec Code Overflow |
2017-08-10 |
2017-11-03 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, allow local users to cause a denial of service (crash) or possibly execute arbitrary code via a large (1) L1 table in the qcow2_snapshot_load_tmp in the QCOW 2 block driver (block/qcow2-snapshot.c) or (2) uncompressed chunk, (3) chunk length, or (4) number of sectors in the DMG block driver (block/dmg.c). |
|
44 |
CVE-2014-0143 |
190 |
|
DoS Overflow Mem. Corr. |
2017-08-10 |
2017-11-03 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in the (3) qcow2_snapshot_load_tmp in qcow2-snapshot.c or (4) qcow2_grow_l1_table function in qcow2-cluster.c, (5) a large request in the bdrv_check_byte_request function in block.c and other block drivers, (6) crafted cluster indexes in the get_refcount function in qcow2-refcount.c, or (7) a large number of blocks in the cloop_open function in cloop.c, which trigger buffer overflows, memory corruption, large memory allocations and out-of-bounds read and writes. |
|
45 |
CVE-2013-4544 |
20 |
|
DoS Exec Code |
2014-05-08 |
2014-05-09 |
4.9 |
None |
Local Network |
Medium |
Single system |
Partial |
Partial |
Partial |
|
hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information. |
|
46 |
CVE-2012-2652 |
|
|
|
2012-08-07 |
2014-03-05 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The bdrv_open function in Qemu 1.0 does not properly handle the failure of the mkstemp function, when in snapshot node, which allows local users to overwrite or read arbitrary files via a symlink attack on an unspecified temporary file. |
|
47 |
CVE-2011-3346 |
119 |
|
DoS Overflow |
2014-04-01 |
2014-04-01 |
4.0 |
None |
Local |
High |
Not required |
None |
None |
Complete |
|
Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs. |
|
48 |
CVE-2011-0011 |
287 |
|
Bypass |
2012-06-21 |
2017-08-16 |
4.3 |
None |
Local Network |
High |
Not required |
Partial |
Partial |
Partial |
|
qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions. |
|
49 |
CVE-2008-2004 |
200 |
|
+Info |
2008-05-12 |
2017-09-28 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted. |
|
50 |
CVE-2008-0928 |
264 |
|
|
2008-03-03 |
2017-09-28 |
4.7 |
None |
Local |
Medium |
Not required |
Complete |
None |
None |
|
Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine. |
