| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-20191 |
476 |
|
DoS |
2018-12-20 |
2019-01-17 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference). |
|
2 |
CVE-2018-20125 |
476 |
|
DoS |
2018-12-20 |
2019-01-17 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings. |
|
3 |
CVE-2018-17962 |
119 |
|
Overflow |
2018-10-09 |
2018-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. |
|
4 |
CVE-2018-17958 |
190 |
|
Overflow |
2018-10-09 |
2018-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used. |
|
5 |
CVE-2018-12617 |
190 |
|
Overflow |
2018-06-21 |
2018-11-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket. |
|
6 |
CVE-2017-15268 |
399 |
|
|
2017-10-12 |
2018-05-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c. |
|
7 |
CVE-2017-15119 |
400 |
|
DoS |
2018-07-27 |
2018-09-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS. |
|
8 |
CVE-2017-13711 |
416 |
|
DoS |
2017-09-01 |
2018-04-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets. |
|
9 |
CVE-2017-10664 |
19 |
|
DoS |
2017-08-02 |
2018-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt. |
|
10 |
CVE-2017-9524 |
20 |
|
DoS |
2017-07-06 |
2018-01-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs before talking to a client in the nbd_negotiate function. |
|
11 |
CVE-2017-7539 |
20 |
|
DoS |
2018-07-26 |
2018-10-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service. |
|
12 |
CVE-2017-6058 |
125 |
|
DoS Overflow |
2017-03-20 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping. |
|
13 |
CVE-2015-8619 |
787 |
|
DoS |
2017-04-13 |
2017-11-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash). |
|
14 |
CVE-2015-7295 |
119 |
|
DoS Overflow |
2015-11-09 |
2017-11-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface. |
|
15 |
CVE-2014-7815 |
264 |
|
DoS |
2014-11-14 |
2017-12-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value. |
|
16 |
CVE-2008-2382 |
399 |
|
DoS |
2008-12-24 |
2018-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message. |
