| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|--------|--------|---------------|-----------------------|--------------|-------------|-------|---------------------|--------|------------|----------------|-------|--------|--------|-------------|
| 1 | CVE-2022-26353 | 772 | | Exec Code | 2022-03-16 | 2023-02-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage, use-after-free or other unexpected results. A malicious privileged guest could exploit this issue to crash QEMU or potentially execute arbitrary code within the context of the QEMU process on the host. |
| 2 | CVE-2020-7211 | 22 | | Dir. Trav. | 2020-01-21 | 2020-01-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows. |
| 3 | CVE-2019-20175 | 754 | | | 2019-12-31 | 2020-01-15 | 5.0 | None | Remote | Low | Not required | None | None | Partial | ** DISPUTED ** An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert." |
| 4 | CVE-2019-15890 | 416 | | | 2019-09-06 | 2019-09-20 | 5.0 | None | Remote | Low | Not required | None | None | Partial | libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. |
| 5 | CVE-2019-12247 | 190 | | Overflow | 2019-05-22 | 2019-05-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial | ** DISPUTED ** QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable. |
| 6 | CVE-2019-12155 | 476 | | | 2019-05-24 | 2020-12-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial | interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference. |
| 7 | CVE-2019-5008 | 476 | | DoS | 2019-04-19 | 2019-05-14 | 5.0 | None | Remote | Low | Not required | None | None | Partial | hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver. |
| 8 | CVE-2018-20216 | 252 | | | 2018-12-20 | 2020-05-12 | 5.0 | None | Remote | Low | Not required | None | None | Partial | QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled). |
| 9 | CVE-2018-20191 | 476 | | DoS | 2018-12-20 | 2020-05-12 | 5.0 | None | Remote | Low | Not required | None | None | Partial | hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference). |
| 10 | CVE-2018-20125 | 476 | | DoS | 2018-12-20 | 2020-05-12 | 5.0 | None | Remote | Low | Not required | None | None | Partial | hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings. |
| 11 | CVE-2018-17962 | 119 | | Overflow | 2018-10-09 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. |
| 12 | CVE-2018-17958 | 190 | | Overflow | 2018-10-09 | 2020-09-10 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used. |
| 13 | CVE-2018-12617 | 190 | | Overflow | 2018-06-21 | 2020-11-19 | 5.0 | None | Remote | Low | Not required | None | None | Partial | qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket. |
| 14 | CVE-2017-15268 | 772 | | | 2017-10-12 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c. |
| 15 | CVE-2017-15119 | 400 | | DoS | 2018-07-27 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS. |
| 16 | CVE-2017-13711 | 416 | | DoS | 2017-09-01 | 2020-10-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets. |
| 17 | CVE-2017-10664 | | | DoS | 2017-08-02 | 2021-08-04 | 5.0 | None | Remote | Low | Not required | None | None | Partial | qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt. |
| 18 | CVE-2017-9524 | 20 | | DoS | 2017-07-06 | 2020-10-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs before talking to a client in the nbd_negotiate function. |
| 19 | CVE-2017-7539 | 20 | | DoS | 2018-07-26 | 2023-02-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | An assertion-failure flaw was found in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service. |
| 20 | CVE-2017-6058 | 120 | | DoS Overflow | 2017-03-20 | 2020-11-20 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping. |
| 21 | CVE-2015-8619 | 787 | | DoS | 2017-04-13 | 2020-12-14 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash). |
| 22 | CVE-2015-7295 | 119 | | DoS Overflow | 2015-11-09 | 2020-09-09 | 5.0 | None | Remote | Low | Not required | None | None | Partial | hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface. |
| 23 | CVE-2015-6855 | 369 | | DoS | 2015-11-06 | 2021-12-15 | 5.0 | None | Remote | Low | Not required | None | None | Partial | hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash. |
| 24 | CVE-2014-7815 | 20 | | DoS | 2014-11-14 | 2020-08-11 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value. |
| 25 | CVE-2008-2382 | 399 | | DoS | 2008-12-24 | 2020-11-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message. |