QEMU: Security Vulnerabilities (CVEs) Published in 2020
hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
Max CVSS: 5.5 | EPSS Score: 0.05% | Published: 2020-12-04 | Updated: 2022-09-30
A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0.
Max CVSS: 6.0 | EPSS Score: 0.04% | Published: 2020-12-08 | Updated: 2022-09-30
eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol.
Max CVSS: 6.5 | EPSS Score: 0.20% | Published: 2020-11-06 | Updated: 2022-09-23
ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can perform a calculation whose result is out of range. A guest can crash the QEMU process.
Max CVSS: 6.5 | EPSS Score: 0.09% | Published: 2020-11-06 | Updated: 2022-01-01
hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
Max CVSS: 3.2 | EPSS Score: 0.05% | Published: 2020-10-06 | Updated: 2020-10-07
pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
Max CVSS: 3.2 | EPSS Score: 0.05% | Published: 2020-10-06 | Updated: 2020-10-07
fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
Max CVSS: 3.2 | EPSS Score: 0.05% | Published: 2020-10-02 | Updated: 2020-10-14
A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.
Max CVSS: 3.2 | EPSS Score: 0.05% | Published: 2020-12-02 | Updated: 2022-09-30
hw/usb/hcd-ohci.c in QEMU 5.0.0 enters an infinite loop when a TD list contains a cycle.
Max CVSS: 5.3 | EPSS Score: 0.05% | Published: 2020-09-25 | Updated: 2022-09-23
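The OHCI entry above describes a device model that follows guest-written "next TD" pointers until it reaches a terminator, so a guest that links a descriptor back to an earlier one keeps the emulator walking forever. The following is an added example, not QEMU's hcd-ohci.c: it models guest memory as a small constructed array, a TD's next field as an index into that array (0 terminates, as a zero NextTD does in OHCI), and contrasts an unbounded walk with one that caps the number of descriptors processed per list. The cap value MAX_TDS_PER_ED and the read_td helper are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not QEMU's hcd-ohci.c: walking a guest-controlled list of
 * transfer descriptors. "Guest memory" is a small constructed array and a
 * TD's next field is an index into it; 0 terminates the list. */
#define GUEST_TDS 8
#define MAX_TDS_PER_ED 16   /* assumed per-list processing cap */

typedef struct { uint32_t next; uint32_t payload; } td_t;

/* Constructed guest memory: slot 0 is reserved as the terminator. */
static td_t guest_mem[GUEST_TDS];

/* Hypothetical guest-memory read; returns 0 when the address is outside RAM
 * or is the terminator. */
static int read_td(uint32_t addr, td_t *out)
{
    if (addr == 0 || addr >= GUEST_TDS) return 0;
    *out = guest_mem[addr];
    return 1;
}

/* Unbounded walk: follows next pointers until 0. On a cyclic list it never
 * returns. Kept only for contrast; never call it on an untrusted list. */
int walk_tds_unbounded(uint32_t head)
{
    td_t td; int count = 0;
    while (read_td(head, &td)) { count++; head = td.next; }
    return count;
}

/* Bounded walk: stop after MAX_TDS_PER_ED descriptors and report an error,
 * so a guest that links a TD to itself cannot pin the emulator's main loop.
 * *count receives the number of TDs visited before stopping. */
int walk_tds_bounded(uint32_t head, int *count)
{
    td_t td; *count = 0;
    while (read_td(head, &td)) {
        if (++*count > MAX_TDS_PER_ED) return -1;  /* cycle or absurd list */
        head = td.next;
    }
    return 0;
}

/* Constructed lists: 1 -> 2 -> 3 -> 0 (linear) and 4 -> 5 -> 4 (cycle). */
void build_lists(void)
{
    guest_mem[1] = (td_t){2, 0xa}; guest_mem[2] = (td_t){3, 0xb};
    guest_mem[3] = (td_t){0, 0xc};
    guest_mem[4] = (td_t){5, 0xd}; guest_mem[5] = (td_t){4, 0xe};
}

int main(void)
{
    int c;
    build_lists();
    printf("linear list: rc=%d visited=%d\n", walk_tds_bounded(1, &c), c);
    printf("cyclic list: rc=%d visited=%d\n", walk_tds_bounded(4, &c), c);
    return 0;
}
```

A fixed cap is the cheapest defence and also bounds the work a single guest can demand per scheduling pass; a visited-set or tortoise-and-hare check would detect the cycle exactly but costs more per descriptor for no security gain.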
hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.
Max CVSS: 5.0 | EPSS Score: 0.05% | Published: 2020-11-30 | Updated: 2022-09-23
QEMU 5.0.0 has a heap-based buffer overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case.
Max CVSS: 5.0 | EPSS Score: 0.06% | Published: 2020-09-25 | Updated: 2022-09-23
QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
Max CVSS: 3.2 | EPSS Score: 0.05% | Published: 2020-09-25 | Updated: 2022-09-23
An issue was discovered in QEMU through 5.1.0. An out-of-bounds memory access was found in the ATI VGA device implementation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati_2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
Max CVSS: 5.5 | EPSS Score: 0.04% | Published: 2020-10-16 | Updated: 2021-07-21
In QEMU through 5.0.0, an assertion failure can occur in network packet processing, in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user or process could use this flaw to abort the QEMU process on the host, resulting in a denial of service.
Max CVSS: 3.8 | EPSS Score: 0.05% | Published: 2020-08-11 | Updated: 2022-09-30
hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before the fix of 2020-07-20 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potentially privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555.
Max CVSS: 5.3 | EPSS Score: 0.05% | Published: 2020-07-28 | Updated: 2022-09-30
QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.
Max CVSS: 3.3 | EPSS Score: 0.05% | Published: 2020-07-21 | Updated: 2022-09-23
In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
Max CVSS: 2.3 | EPSS Score: 0.05% | Published: 2020-07-02 | Updated: 2022-09-23
oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position.
Max CVSS: 3.3 | EPSS Score: 0.04% | Published: 2020-08-27 | Updated: 2020-09-02
An out-of-bounds read/write access flaw was found in the USB emulator of QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when the USBDevice 'setup_len' field exceeds the size of its 'data_buf[4096]' buffer in the do_token_in and do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or potentially to execute arbitrary code with the privileges of the QEMU process on the host.
Max CVSS: 5.0 | EPSS Score: 0.05% | Published: 2020-08-31 | Updated: 2022-11-16
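The USB entry above turns on one comparison: the wLength a guest supplies in a SETUP packet becomes setup_len, and the data stage then copies setup_len bytes through a fixed 4096-byte data_buf. The following is an added example, not QEMU's hw/usb/core.c: a minimal model of a control transfer in which the SETUP stage refuses any wLength that would not fit before it is stored, so the per-packet copies in the IN stage can never run past the buffer. The struct layout, the handle_setup and handle_token_in names, the incrementing payload and the unchecked_overrun helper are all assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not QEMU code: a minimal model of a USB device's control
 * transfer state. Field names echo the ones in the advisory; the sizes and
 * logic here are assumptions for illustration. */
#define DATA_BUF_SIZE 4096

typedef struct {
    uint8_t  data_buf[DATA_BUF_SIZE];
    int      setup_len;    /* wLength from the SETUP packet */
    int      setup_index;  /* bytes already moved in the data stage */
    int      setup_state;  /* 0 = idle/stalled, 1 = data stage in progress */
} usb_dev_t;

/* SETUP stage. wLength is guest-controlled. Returns 0 if the request is
 * accepted, -1 if it is stalled because the data stage could not fit. */
int handle_setup(usb_dev_t *d, uint16_t wLength)
{
    /* Hardened check, performed before anything is stored: a data stage
     * longer than the backing buffer is refused outright. Without this
     * comparison setup_len may exceed sizeof(data_buf) and the packet
     * copies in handle_token_in would read past the end of data_buf. */
    if ((size_t)wLength > sizeof(d->data_buf)) {
        d->setup_state = 0;
        return -1;
    }
    d->setup_len = wLength;
    d->setup_index = 0;
    d->setup_state = 1;
    /* Constructed payload for the example: an incrementing byte pattern. */
    for (int i = 0; i < d->setup_len; i++) d->data_buf[i] = (uint8_t)i;
    return 0;
}

/* IN data stage: copy the next packet of at most maxpkt bytes out of
 * data_buf. Returns the number of bytes copied, 0 once the stage is done. */
int handle_token_in(usb_dev_t *d, uint8_t *out, int maxpkt)
{
    if (d->setup_state != 1) return 0;
    int remaining = d->setup_len - d->setup_index;
    if (remaining <= 0) { d->setup_state = 0; return 0; }
    int len = remaining < maxpkt ? remaining : maxpkt;
    /* In bounds only because handle_setup bounded setup_len by the buffer. */
    memcpy(out, d->data_buf + d->setup_index, (size_t)len);
    d->setup_index += len;
    return len;
}

/* Pure arithmetic for the unchecked path: how many bytes would a version
 * that stored wLength without the comparison have read past data_buf? */
int unchecked_overrun(uint16_t wLength)
{
    return wLength > DATA_BUF_SIZE ? wLength - DATA_BUF_SIZE : 0;
}

int main(void)
{
    usb_dev_t dev = {0};
    uint8_t pkt[64];
    int n, total = 0;
    printf("wLength=100: setup rc=%d\n", handle_setup(&dev, 100));
    while ((n = handle_token_in(&dev, pkt, sizeof pkt)) > 0) total += n;
    printf("transferred %d bytes in 64-byte packets\n", total);
    printf("wLength=5000: setup rc=%d, unchecked path would overrun by %d bytes\n",
           handle_setup(&dev, 5000), unchecked_overrun(5000));
    return 0;
}
```

The order matters as much as the comparison: validating wLength before assigning setup_len means a stalled request leaves no oversized length behind for a later IN or OUT token to consume.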
ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.
Max CVSS: 6.0 | EPSS Score: 0.05% | Published: 2020-06-04 | Updated: 2022-04-28
hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.
Max CVSS: 5.5 | EPSS Score: 0.04% | Published: 2020-06-04 | Updated: 2020-12-14
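The hw/pci/pci.c entry above is the classic end-of-array case: the offset alone is in range, but offset plus access width is not. The following is an added example, not QEMU's pci.c: a model of a guest-driven configuration-space read over the 256-byte conventional config space that rejects offsets at or beyond the end and clamps the length so that addr + len never exceeds it. The pci_dev_t layout, the config_read and init_dev names, and the choice to fill the clamped-off bytes with 0xFF (the all-ones value an aborted PCI read returns) are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not QEMU's hw/pci/pci.c: a config-space read where the
 * guest supplies offset and width. 256 bytes is the conventional PCI config
 * space size; everything else here is an assumption for illustration. */
#define PCI_CONFIG_SPACE_SIZE 256

typedef struct { uint8_t config[PCI_CONFIG_SPACE_SIZE]; } pci_dev_t;

/* Constructed device: register byte i holds the value i, so a read result
 * shows exactly which offsets were touched. */
void init_dev(pci_dev_t *d)
{
    for (int i = 0; i < PCI_CONFIG_SPACE_SIZE; i++) d->config[i] = (uint8_t)i;
}

/* Hardened read. Returns the number of bytes that actually came from the
 * device (len after clamping), or -1 for a rejected access. *val is the
 * little-endian assembled value with clamped-off bytes set to 0xFF.
 *
 * Without the addr check, addr == 0x100 indexes one past the array; without
 * the clamp, addr == 0xFE with len == 4 reads config[0x100..0x101]. */
int config_read(const pci_dev_t *d, uint32_t addr, int len, uint32_t *val)
{
    if (len < 1 || len > 4) return -1;               /* PCI widths: 1, 2, 4 */
    if (addr >= PCI_CONFIG_SPACE_SIZE) return -1;    /* wholly out of range */
    uint32_t avail = PCI_CONFIG_SPACE_SIZE - addr;   /* no wraparound: addr < size */
    int n = (uint32_t)len > avail ? (int)avail : len; /* clamp, don't overrun */
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v |= (uint32_t)d->config[addr + i] << (8 * i);
    for (int i = n; i < len; i++) v |= 0xFFu << (8 * i);
    *val = v;
    return n;
}

int main(void)
{
    pci_dev_t d; uint32_t v;
    init_dev(&d);
    int n = config_read(&d, 0xFE, 4, &v);
    printf("read 0xFE/4: %d bytes from device, value 0x%08x\n", n, v);
    printf("read 0x100/4: rc=%d\n", config_read(&d, 0x100, 4, &v));
    return 0;
}
```

Computing avail as size minus addr only after proving addr < size keeps every expression in the function free of unsigned wraparound, which is the usual way such an end-of-array read slips past a check written as addr + len <= size.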
rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.
Max CVSS: 6.8 | EPSS Score: 0.34% | Published: 2020-06-04 | Updated: 2022-10-07
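The rom_copy() entry above is about two address ranges rather than one: a registered ROM image occupies [rom->addr, rom->addr + datasize) and the caller asks for the bytes inside a window [addr, addr + size), and the copy goes wrong when the relationship between the two starts is not checked (an image that begins before the window yields a negative destination offset). The following is an added example, not QEMU's hw/core/loader.c: it derives source and destination offsets from the intersection of the two ranges, which is empty, partial or whole, and never from a bare difference of starts. The rom_t layout, the rom_copy_one and rom_copy_all names and the wraparound checks are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not QEMU's hw/core/loader.c: copying the part of each
 * registered ROM image that falls inside a requested window into a caller's
 * buffer. The rom_t layout and window semantics are assumptions. */
typedef struct {
    uint64_t addr;        /* guest-physical load address of the image */
    const uint8_t *data;
    size_t datasize;
} rom_t;

/* Copy the overlap of one ROM with the window [addr, addr+size) into dest.
 * Returns the number of bytes copied, 0 when the ranges do not intersect.
 * Every offset is derived from the intersection [lo, hi), so an image that
 * starts before addr (which an unchecked "dest + (rom->addr - addr)" turns
 * into a write before dest) or ends after addr+size stays inside dest. */
size_t rom_copy_one(uint8_t *dest, uint64_t addr, size_t size, const rom_t *rom)
{
    /* Reject a window or image whose end would wrap around. */
    if (addr > UINT64_MAX - size || rom->addr > UINT64_MAX - rom->datasize)
        return 0;
    uint64_t win_end = addr + size;
    uint64_t rom_end = rom->addr + rom->datasize;

    uint64_t lo = rom->addr > addr ? rom->addr : addr;    /* later start  */
    uint64_t hi = rom_end < win_end ? rom_end : win_end;  /* earlier end  */
    if (lo >= hi) return 0;                               /* disjoint     */

    size_t n = (size_t)(hi - lo);
    memcpy(dest + (lo - addr), rom->data + (lo - rom->addr), n);
    return n;
}

/* Apply rom_copy_one to every registered image; returns total bytes copied. */
size_t rom_copy_all(uint8_t *dest, uint64_t addr, size_t size,
                    const rom_t *roms, size_t nroms)
{
    size_t total = 0;
    for (size_t i = 0; i < nroms; i++) total += rom_copy_one(dest, addr, size, &roms[i]);
    return total;
}

int main(void)
{
    /* Constructed image: 16 bytes 0x10..0x1F loaded at 0x1000. */
    uint8_t data[16];
    for (int i = 0; i < 16; i++) data[i] = (uint8_t)(0x10 + i);
    rom_t rom = { 0x1000, data, sizeof data };
    uint8_t dest[16] = {0};
    printf("window 0x0FF8: %zu bytes, dest[8]=0x%02x\n",
           rom_copy_one(dest, 0x0FF8, sizeof dest, &rom), dest[8]);
    printf("window 0x2000: %zu bytes\n", rom_copy_one(dest, 0x2000, sizeof dest, &rom));
    return 0;
}
```

The two wraparound guards are what let the min/max arithmetic be trusted; a window near the top of the address space otherwise produces a small win_end and a bogus "overlap" at the bottom of memory.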
hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an MSI-X MMIO operation.
Max CVSS: 6.7 | EPSS Score: 0.05% | Published: 2020-06-02 | Updated: 2020-12-14
address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.
Max CVSS: 2.5 | EPSS Score: 0.05% | Published: 2020-06-02 | Updated: 2022-11-16
In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.
Max CVSS: 3.2 | EPSS Score: 0.05% | Published: 2020-05-28 | Updated: 2022-11-29