CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Qemu : Security Vulnerabilities (CVSS score between 7 and 7.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2018-17963 190 DoS 2018-10-09 2018-12-01
7.5
None Remote Low Not required Partial Partial Partial
qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
2 CVE-2018-11806 119 Overflow 2018-06-13 2018-11-27
7.2
None Local Low Not required Complete Complete Complete
m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.
3 CVE-2017-16845 125 2017-11-17 2018-09-07
7.5
None Remote Low Not required Partial Partial Partial
hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.
4 CVE-2017-15124 20 2018-01-09 2018-10-31
7.8
None Remote Low Not required None None Complete
VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host.
5 CVE-2017-15118 787 Overflow 2018-07-27 2018-09-24
7.5
None Remote Low Not required Partial Partial Partial
A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS.
6 CVE-2017-14167 787 Exec Code Overflow 2017-09-08 2018-09-07
7.2
None Local Low Not required Complete Complete Complete
Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write.
7 CVE-2017-8380 119 Overflow 2017-08-28 2017-09-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the "megasas_mmio_write" function in Qemu 2.9.0 allows remote attackers to have unspecified impact via unknown vectors.
8 CVE-2017-8309 399 DoS 2017-05-23 2018-09-07
7.8
None Remote Low Not required None None Complete
Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture.
9 CVE-2017-7471 284 2018-07-09 2018-09-06
7.7
None Local Network Low Single system Complete Complete Complete
Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.
10 CVE-2017-5931 190 DoS Exec Code Overflow 2017-03-27 2017-06-30
7.2
None Local Low Not required Complete Complete Complete
Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based buffer overflow.
11 CVE-2016-6351 787 DoS Exec Code 2016-09-07 2018-12-01
7.2
None Local Low Not required Complete Complete Complete
The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer.
12 CVE-2016-3710 284 Exec Code 2016-05-11 2018-01-04
7.2
None Local Low Not required Complete Complete Complete
The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.
13 CVE-2015-5279 119 DoS Exec Code Overflow 2015-09-28 2017-12-27
7.2
None Local Low Not required Complete Complete Complete
Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.
14 CVE-2015-5225 119 DoS Exec Code Overflow Mem. Corr. 2015-11-06 2017-11-03
7.2
None Local Low Not required Complete Complete Complete
Buffer overflow in the vnc_refresh_server_surface function in the VNC display driver in QEMU before 2.4.0.1 allows guest users to cause a denial of service (heap memory corruption and process crash) or possibly execute arbitrary code on the host via unspecified vectors, related to refreshing the server display surface.
15 CVE-2015-5154 119 Exec Code Overflow 2015-08-12 2018-10-30
7.2
None Local Low Not required Complete Complete Complete
Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.
16 CVE-2015-4106 284 DoS +Priv +Info 2015-06-03 2017-11-14
7.2
None Local Low Not required Complete Complete Complete
QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.
17 CVE-2015-3456 119 DoS Exec Code Overflow 2015-05-13 2018-10-30
7.7
None Local Network Low Single system Complete Complete Complete
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.
18 CVE-2015-3209 119 Exec Code Overflow 2015-06-15 2018-01-04
7.5
None Remote Low Not required Partial Partial Partial
Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.
19 CVE-2015-1779 399 DoS 2016-01-12 2017-06-30
7.8
None Remote Low Not required None None Complete
The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.
20 CVE-2014-7840 20 Exec Code 2014-12-12 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data.
21 CVE-2014-3689 264 +Priv 2014-11-14 2014-11-14
7.2
None Local Low Not required Complete Complete Complete
The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling.
22 CVE-2014-2894 189 Exec Code Mem. Corr. 2014-04-23 2017-12-28
7.2
None Local Low Not required Complete Complete Complete
Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption.
23 CVE-2014-0222 189 DoS Overflow 2014-11-04 2017-11-03
7.5
None Remote Low Not required Partial Partial Partial
Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image.
24 CVE-2014-0182 119 Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Heap-based buffer overflow in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted config length in a savevm image.
25 CVE-2013-6399 94 Exec Code 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image.
26 CVE-2013-4542 119 Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds array access.
27 CVE-2013-4541 119 Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value.
28 CVE-2013-4540 119 Exec Code Overflow 2014-11-04 2018-10-30
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image.
29 CVE-2013-4539 119 Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image.
30 CVE-2013-4538 119 DoS Exec Code Overflow Mem. Corr. 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c in QEMU before 1.7.2 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image.
31 CVE-2013-4537 94 Exec Code 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image.
32 CVE-2013-4534 119 DoS Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements.
33 CVE-2013-4533 119 DoS Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image.
34 CVE-2013-4531 119 DoS Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in cpreg_vmstate_array_len in a savevm image.
35 CVE-2013-4530 119 DoS Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.
36 CVE-2013-4529 119 DoS Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.
37 CVE-2013-4527 119 Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via vectors related to the number of timers.
38 CVE-2013-4526 119 DoS Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports.
39 CVE-2013-4151 94 Exec Code 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
The virtio_load function in virtio/virtio.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds write.
40 CVE-2013-4150 119 DoS Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
The virtio_net_load function in hw/net/virtio-net.c in QEMU 1.5.0 through 1.7.x before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors in which the value of curr_queues is greater than max_queues, which triggers an out-of-bounds write.
41 CVE-2013-4149 119 Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in virtio_net_load function in net/virtio-net.c in QEMU 1.3.0 through 1.7.x before 1.7.2 might allow remote attackers to execute arbitrary code via a large MAC table.
42 CVE-2013-4148 189 Exec Code Overflow 2014-11-04 2014-11-05
7.5
None Remote Low Not required Partial Partial Partial
Integer signedness error in the virtio_net_load function in hw/net/virtio-net.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers a buffer overflow.
43 CVE-2012-3515 20 +Priv 2012-11-23 2017-06-30
7.2
None Local Low Not required Complete Complete Complete
Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space."
44 CVE-2011-2212 119 DoS Overflow +Priv 2012-06-21 2016-12-07
7.4
None Local Network Medium Single system Complete Complete Complete
Buffer overflow in the virtio subsystem in qemu-kvm 0.14.0 and earlier allows privileged guest users to cause a denial of service (guest crash) or gain privileges via a crafted indirect descriptor related to "virtqueue in and out requests."
45 CVE-2011-1751 20 DoS Exec Code 2012-06-21 2016-12-07
7.4
None Local Network Medium Single system Complete Complete Complete
The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers."
46 CVE-2011-1750 119 DoS Overflow +Priv 2012-06-21 2017-08-16
7.4
None Local Network Medium Single system Complete Complete Complete
Multiple heap-based buffer overflows in the virtio-blk driver (hw/virtio-blk.c) in qemu-kvm 0.14.0 allow local guest users to cause a denial of service (guest crash) and possibly gain privileges via a (1) write request to the virtio_blk_handle_write function or (2) read request to the virtio_blk_handle_read function that is not properly aligned.
47 CVE-2010-0297 119 DoS Exec Code Overflow 2010-02-12 2017-09-18
7.2
None Local Low Not required Complete Complete Complete
Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet.
48 CVE-2008-5714 189 2008-12-24 2017-08-07
7.8
None Remote Low Not required Complete None None
Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended.
49 CVE-2008-4553 59 2008-10-15 2017-08-07
7.2
Admin Local Low Not required Complete Complete Complete
qemu-make-debian-root in qemu 0.9.1-5 on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on temporary files and directories.
50 CVE-2008-4539 119 Overflow +Priv 2008-12-29 2017-08-07
7.2
None Local Low Not required Complete Complete Complete
Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM before kvm-82 and (2) QEMU on Debian GNU/Linux and Ubuntu might allow local users to gain privileges by using the VNC console for a connection, aka the LGD-54XX "bitblt" heap overflow. NOTE: this issue exists because of an incorrect fix for CVE-2007-1320.
Total number of vulnerabilities : 51   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.