A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.
Source: Red Hat, Inc.
Max CVSS
8.2
EPSS Score
0.05%
Published
2024-04-09
Updated
2024-04-18
This CVE exists because of an incomplete fix for CVE-2021-3750. More specifically, the qemu-kvm package as released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 included a version of qemu-kvm that was actually missing the fix for CVE-2021-3750.
Source: Red Hat, Inc.
Max CVSS
8.2
EPSS Score
0.04%
Published
2023-09-13
Updated
2023-12-28
softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-virtualization Use Case in the qemu.org reference applies here, i.e., "Bugs affecting the non-virtualization use case are not considered security bugs at this time.
Source: MITRE
Max CVSS
8.8
EPSS Score
0.07%
Published
2022-07-11
Updated
2024-05-17
An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
Source: Red Hat, Inc.
Max CVSS
8.6
EPSS Score
0.08%
Published
2022-11-07
Updated
2023-02-23
A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
Source: Red Hat, Inc.
Max CVSS
8.8
EPSS Score
0.04%
Published
2022-03-29
Updated
2023-03-15
A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
Source: Red Hat, Inc.
Max CVSS
8.2
EPSS Score
0.07%
Published
2022-04-29
Updated
2022-11-29
A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
Source: Red Hat, Inc.
Max CVSS
8.2
EPSS Score
0.05%
Published
2022-04-29
Updated
2022-09-23
A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
Source: Red Hat, Inc.
Max CVSS
8.2
EPSS Score
0.07%
Published
2022-08-25
Updated
2022-10-01
A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
Source: Red Hat, Inc.
Max CVSS
8.2
EPSS Score
0.10%
Published
2022-05-02
Updated
2023-02-12
A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.
Source: Red Hat, Inc.
Max CVSS
8.5
EPSS Score
0.33%
Published
2021-08-05
Updated
2023-03-31
An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process.
Source: Red Hat, Inc.
Max CVSS
8.2
EPSS Score
0.05%
Published
2021-06-02
Updated
2022-10-25
A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices.
Source: Red Hat, Inc.
Max CVSS
8.2
EPSS Score
0.05%
Published
2021-01-28
Updated
2023-02-12
An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS). Note: This is disputed as a bug and not a valid security issue by multiple third parties.
Source: MITRE
Max CVSS
8.8
EPSS Score
0.04%
Published
2023-08-28
Updated
2024-05-17
m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.
Source: MITRE
Max CVSS
8.2
EPSS Score
0.07%
Published
2018-06-13
Updated
2021-08-04
The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access.
Source: MITRE
Max CVSS
8.8
EPSS Score
0.08%
Published
2018-03-01
Updated
2024-01-30
The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS.
Source: Red Hat, Inc.
Max CVSS
8.6
EPSS Score
1.20%
Published
2018-07-27
Updated
2019-10-09
Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write.
Source: MITRE
Max CVSS
8.8
EPSS Score
0.06%
Published
2017-09-08
Updated
2020-11-16
Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based buffer overflow.
Source: Red Hat, Inc.
Max CVSS
8.8
EPSS Score
0.07%
Published
2017-03-27
Updated
2023-02-12
A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server's response to a 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client resulting in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process.
Source: Red Hat, Inc.
Max CVSS
8.8
EPSS Score
0.17%
Published
2018-07-27
Updated
2021-09-08
Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.
Source: Red Hat, Inc.
Max CVSS
8.6
EPSS Score
3.49%
Published
2016-05-23
Updated
2023-02-13
The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.
Source: Red Hat, Inc.
Max CVSS
8.8
EPSS Score
0.15%
Published
2016-05-11
Updated
2021-08-04
The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.
Source: Red Hat, Inc.
Max CVSS
8.4
EPSS Score
0.06%
Published
2016-04-12
Updated
2023-02-12
The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a firmware configuration.
Source: Red Hat, Inc.
Max CVSS
8.1
EPSS Score
0.61%
Published
2016-04-07
Updated
2023-02-12
Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.
Source: Red Hat, Inc.
Max CVSS
8.8
EPSS Score
0.07%
Published
2016-04-12
Updated
2023-02-12
Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.
Source: Red Hat, Inc.
Max CVSS
8.8
EPSS Score
0.08%
Published
2017-10-16
Updated
2023-02-13
28 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!