| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-15890 |
416 |
|
|
2019-09-06 |
2019-09-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. |
|
2 |
CVE-2019-12247 |
190 |
|
Overflow |
2019-05-22 |
2019-05-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
** DISPUTED ** QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable. |
|
3 |
CVE-2019-12155 |
476 |
|
|
2019-05-24 |
2019-05-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NULL pointer dereference. |
|
4 |
CVE-2019-12068 |
835 |
|
Exec Code |
2019-09-24 |
2019-09-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well. |
|
5 |
CVE-2019-5008 |
476 |
|
DoS |
2019-04-19 |
2019-05-14 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver. |
|
6 |
CVE-2018-20216 |
252 |
|
|
2018-12-20 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled). |
|
7 |
CVE-2018-20191 |
476 |
|
DoS |
2018-12-20 |
2019-04-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference). |
|
8 |
CVE-2018-20125 |
476 |
|
DoS |
2018-12-20 |
2019-01-17 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings. |
|
9 |
CVE-2018-17962 |
119 |
|
Overflow |
2018-10-09 |
2019-09-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. |
|
10 |
CVE-2018-17958 |
190 |
|
Overflow |
2018-10-09 |
2019-05-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used. |
|
11 |
CVE-2018-12617 |
190 |
|
Overflow |
2018-06-21 |
2019-05-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket. |
|
12 |
CVE-2017-15268 |
772 |
|
|
2017-10-12 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c. |
|
13 |
CVE-2017-15119 |
400 |
|
DoS |
2018-07-27 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS. |
|
14 |
CVE-2017-13711 |
416 |
|
DoS |
2017-09-01 |
2018-04-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets. |
|
15 |
CVE-2017-10664 |
|
|
DoS |
2017-08-02 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt. |
|
16 |
CVE-2017-9524 |
20 |
|
DoS |
2017-07-06 |
2018-01-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs before talking to a client in the nbd_negotiate function. |
|
17 |
CVE-2017-7539 |
20 |
|
DoS |
2018-07-26 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service. |
|
18 |
CVE-2017-6058 |
125 |
|
DoS Overflow |
2017-03-20 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping. |
|
19 |
CVE-2015-8619 |
787 |
|
DoS |
2017-04-13 |
2017-11-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash). |
|
20 |
CVE-2015-7295 |
119 |
|
DoS Overflow |
2015-11-09 |
2017-11-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface. |
|
21 |
CVE-2014-7815 |
264 |
|
DoS |
2014-11-14 |
2017-12-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value. |
|
22 |
CVE-2008-2382 |
399 |
|
DoS |
2008-12-24 |
2018-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message. |
