IDCVSSSummaryLast (major) updatePublished
CVE-2016-3710 7.2
The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Port
05-01-2018 - 02:30 11-05-2016 - 21:59
CVE-2016-3712 2.1
Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. CWE-190: Integer Overflow or Wraparound
05-01-2018 - 02:30 11-05-2016 - 21:59
CVE-2016-9381 6.9
Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability.
01-07-2017 - 01:30 23-01-2017 - 21:59
CVE-2016-9603 9.0
A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged
07-09-2018 - 10:29 27-07-2018 - 21:29
CVE-2017-2615 9.0
Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to
07-09-2018 - 10:29 03-07-2018 - 01:29
CVE-2017-2620 9.0
Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use t
07-09-2018 - 10:29 27-07-2018 - 19:29
CVE-2015-3209 7.5
Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.
05-01-2018 - 02:30 15-06-2015 - 15:59
CVE-2008-2382 5.0
The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message.
11-10-2018 - 20:41 24-12-2008 - 18:29
CVE-2008-4539 7.2
Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM before kvm-82 and (2) QEMU on Debian GNU/Linux and Ubuntu might allow local users to gain privileges by using the VNC console for a connection, aka the LGD-54XX "bitblt" heap over
08-08-2017 - 01:32 29-12-2008 - 15:24
CVE-2010-0741 7.8
The virtio_net_bad_features function in hw/virtio-net.c in the virtio-net driver in the Linux kernel before 2.6.26, when used on a guest OS in conjunction with qemu-kvm 0.11.0 or KVM 83, allows remote attackers to cause a denial of service (guest OS
19-09-2017 - 01:30 12-04-2010 - 18:30
CVE-2019-15890 5.0
libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.
20-09-2019 - 11:15 06-09-2019 - 17:15
CVE-2020-7039 7.5
tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute
16-01-2020 - 23:15 16-01-2020 - 23:15
CVE-2020-7211 5.0
tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows.
21-01-2020 - 18:56 21-01-2020 - 17:15
CVE-2013-2016 6.9
A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use
30-12-2019 - 22:15 30-12-2019 - 22:15
CVE-2015-7504 4.6
Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.
05-01-2018 - 02:30 16-10-2017 - 20:29
CVE-2015-8701 2.1
QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRA
01-07-2017 - 01:29 29-12-2016 - 22:59
CVE-2015-8743 3.6
QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corru
04-11-2017 - 01:29 29-12-2016 - 22:59
CVE-2015-8744 2.1
QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It occurs when a guest sends a Layer-2 packet smaller than 22 bytes. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to c
04-11-2017 - 01:29 29-12-2016 - 22:59
CVE-2015-8745 2.1
QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It could occur while reading Interrupt Mask Registers (IMR). A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the
04-11-2017 - 01:29 29-12-2016 - 22:59
CVE-2015-8818 2.1
The cpu_physical_memory_write_rom_internal function in exec.c in QEMU (aka Quick Emulator) does not properly skip MMIO regions, which allows local privileged guest users to cause a denial of service (guest crash) via unspecified vectors.
05-01-2018 - 02:30 29-12-2016 - 22:59
CVE-2016-10028 2.1
The virgl_cmd_get_capset function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a VIRTIO_GP
01-07-2017 - 01:29 27-02-2017 - 22:59
CVE-2016-10029 2.1
The virtio_gpu_set_scanout function in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a scanout id in a VIRTIO_GPU_CMD_SET_SC
28-02-2017 - 15:38 27-02-2017 - 22:59
CVE-2016-10155 4.9
Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.
07-09-2018 - 10:29 15-03-2017 - 15:59
CVE-2016-1922 2.1
QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, whic
04-11-2017 - 01:29 29-12-2016 - 22:59
CVE-2016-1981 2.1
QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is
05-01-2018 - 02:30 29-12-2016 - 22:59
CVE-2016-2197 2.1
QEMU (aka Quick Emulator) built with an IDE AHCI emulation support is vulnerable to a null pointer dereference flaw. It occurs while unmapping the Frame Information Structure (FIS) and Command List Block (CLB) entries. A privileged user inside guest
01-07-2017 - 01:29 29-12-2016 - 22:59
CVE-2016-2198 2.1
QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this f
07-09-2018 - 10:29 29-12-2016 - 22:59
CVE-2016-7161 10.0
Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.
01-12-2018 - 11:29 05-10-2016 - 16:59
CVE-2016-7907 2.1
The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU
01-07-2017 - 01:30 05-10-2016 - 16:59
CVE-2016-7908 2.1
The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU
01-12-2018 - 11:29 05-10-2016 - 16:59
CVE-2016-7909 4.9
The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to
01-12-2018 - 11:29 05-10-2016 - 16:59
CVE-2016-9776 2.1
QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this is
07-09-2018 - 10:29 29-12-2016 - 22:59
CVE-2016-9845 2.1
QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak cont
01-07-2017 - 01:30 29-12-2016 - 22:59
CVE-2016-9846 4.9
QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memo
01-07-2017 - 01:30 29-12-2016 - 22:59
CVE-2016-9913 4.9
Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving
01-07-2017 - 01:30 29-12-2016 - 22:59
CVE-2016-9914 4.9
Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations.
07-09-2018 - 10:29 29-12-2016 - 22:59
CVE-2016-9915 4.9
Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle back
07-09-2018 - 10:29 29-12-2016 - 22:59
CVE-2016-9916 4.9
Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backen
07-09-2018 - 10:29 29-12-2016 - 22:59
CVE-2016-9922 2.1
The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka Quick Emulator), when cirrus graphics mode is VGA, allows local guest OS privileged users to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors invol
07-09-2018 - 10:29 27-03-2017 - 15:59
CVE-2017-10664 5.0
qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt.
03-10-2019 - 00:03 02-08-2017 - 19:29
CVE-2017-10806 2.1
Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages.
07-09-2018 - 10:29 02-08-2017 - 19:29
CVE-2017-11334 2.1
The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest
16-03-2018 - 01:29 02-08-2017 - 19:29
CVE-2017-11434 2.1
The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string.
07-09-2018 - 10:29 25-07-2017 - 18:29
CVE-2017-12809 2.1
QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM Emulator support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive.
04-11-2017 - 01:29 23-08-2017 - 16:29
CVE-2017-13672 2.1
QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update.
29-03-2019 - 01:29 01-09-2017 - 13:29
CVE-2017-13711 5.0
Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets.
13-04-2018 - 01:29 01-09-2017 - 13:29
CVE-2017-14167 7.2
Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write.
07-09-2018 - 10:29 08-09-2017 - 18:29
CVE-2017-15289 2.1
The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation.
07-09-2018 - 10:29 16-10-2017 - 18:29
CVE-2017-17381 2.1
The Virtio Vring implementation in QEMU allows local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings.
01-06-2018 - 01:29 07-12-2017 - 02:29
CVE-2017-5525 4.9
Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.
03-10-2019 - 00:03 15-03-2017 - 15:59
CVE-2017-5526 4.9
Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.
03-10-2019 - 00:03 15-03-2017 - 15:59
CVE-2017-5552 4.9
Memory leak in the virgl_resource_attach_backing function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTA
03-10-2019 - 00:03 15-03-2017 - 15:59
CVE-2017-5578 4.9
Memory leak in the virtio_gpu_resource_attach_backing function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_AT
03-10-2019 - 00:03 15-03-2017 - 15:59
CVE-2017-5579 4.9
Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug ope
03-10-2019 - 00:03 15-03-2017 - 15:59
CVE-2017-5667 2.1
The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds heap access and crash) or execute arbitrary code on the QEMU host via vecto
03-10-2019 - 00:03 16-03-2017 - 15:59
CVE-2017-5856 4.9
Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sg
03-10-2019 - 00:03 16-03-2017 - 15:59
CVE-2017-5857 4.9
Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF com
03-10-2019 - 00:03 16-03-2017 - 15:59
CVE-2017-5898 2.1
Integer overflow in the emulated_apdu_from_guest function in usb/dev-smartcard-reader.c in Quick Emulator (Qemu), when built with the CCID Card device emulator support, allows local users to cause a denial of service (application crash) via a large A
03-10-2019 - 00:03 15-03-2017 - 19:59
CVE-2017-5931 7.2
Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, wh
01-07-2017 - 01:30 27-03-2017 - 15:59
CVE-2017-5973 2.1
The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors related to control transfer descriptor sequence.
03-10-2019 - 00:03 27-03-2017 - 15:59
CVE-2017-5987 2.1
The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register du
03-10-2019 - 00:03 20-03-2017 - 16:59
CVE-2017-6058 5.0
Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash)
01-07-2017 - 01:30 20-03-2017 - 16:59
CVE-2017-6505 2.1
The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Quick Emulator) before 2.9.0 allows local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors, a different
03-10-2019 - 00:03 15-03-2017 - 14:59
CVE-2017-7493 4.6
Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest us
03-10-2019 - 00:03 17-05-2017 - 15:29
CVE-2017-7718 2.1
hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and
07-09-2018 - 10:29 20-04-2017 - 17:59
CVE-2017-9060 4.9
Memory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (memory consumption) via a large number of "VIRTIO_GPU_CMD_SET_SCANOUT:" commands.
03-10-2019 - 00:03 01-06-2017 - 16:29
CVE-2017-9310 1.9
QEMU (aka Quick Emulator), when built with the e1000e NIC emulation support, allows local guest OS privileged users to cause a denial of service (infinite loop) via vectors related to setting the initial receive / transmit descriptor head (TDH/RDH) o
03-10-2019 - 00:03 08-06-2017 - 16:29
CVE-2017-9330 1.9
QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI Emulation support, allows local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value, a different vulnerability than CVE-2017-6505.
03-10-2019 - 00:03 08-06-2017 - 16:29
CVE-2017-9373 1.9
Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device.
03-10-2019 - 00:03 16-06-2017 - 22:29
CVE-2017-9374 2.1
Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device.
03-10-2019 - 00:03 16-06-2017 - 22:29
CVE-2017-9375 1.9
QEMU (aka Quick Emulator), when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing.
03-10-2019 - 00:03 16-06-2017 - 22:29
CVE-2017-9503 1.9
QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas co
07-09-2018 - 10:29 16-06-2017 - 22:29
CVE-2017-9524 5.0
The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initi
05-01-2018 - 02:31 06-07-2017 - 16:29
CVE-2018-7858 2.1
Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when up
29-03-2019 - 13:18 12-03-2018 - 21:29
CVE-2015-7549 2.1
The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method.
21-11-2017 - 15:31 30-10-2017 - 14:29
CVE-2009-3616 8.5
Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data tr
19-12-2009 - 06:58 23-10-2009 - 18:30
CVE-2010-0297 7.2
Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code
19-09-2017 - 01:30 12-02-2010 - 19:30
CVE-2011-2212 7.4
Buffer overflow in the virtio subsystem in qemu-kvm 0.14.0 and earlier allows privileged guest users to cause a denial of service (guest crash) or gain privileges via a crafted indirect descriptor related to "virtqueue in and out requests."
08-12-2016 - 03:02 21-06-2012 - 15:55
CVE-2011-2527 2.1
The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier does not properly drop group privileges when the -runas option is used, which allows local guest users to access restricted files on the host.
29-08-2017 - 01:29 21-06-2012 - 15:55
CVE-2011-3346 4.0
Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command.
01-04-2014 - 14:35 01-04-2014 - 06:35
CVE-2011-4111 6.8
Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-passthru.c in QEMU before 0.15.2 and 1.x before 1.0-rc4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VSC
22-04-2019 - 17:48 26-02-2014 - 15:55
CVE-2012-3515 7.2
Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device mode
01-07-2017 - 01:29 23-11-2012 - 20:55
CVE-2012-6075 9.3
Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e1000.c) in QEMU 1.3.0-rc2 and other versions, when the SBP and LPE flags are disabled, allows remote attackers to cause a denial of service (guest OS crash) and possibly ex
19-04-2014 - 04:29 13-02-2013 - 01:55
CVE-2013-4344 6.0
Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command.
30-10-2018 - 16:27 04-10-2013 - 17:55
CVE-2013-4526 7.5
Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports.
05-11-2014 - 14:57 04-11-2014 - 21:55
CVE-2013-4527 7.5
Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via vectors related to the number of timers.
05-11-2014 - 14:56 04-11-2014 - 21:55
CVE-2013-4529 7.5
Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.
05-11-2014 - 15:00 04-11-2014 - 21:55
CVE-2013-4530 7.5
Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.
05-11-2014 - 15:03 04-11-2014 - 21:55
CVE-2013-4531 7.5
Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in cpreg_vmstate_array_len in a savevm image.
05-11-2014 - 15:18 04-11-2014 - 21:55
CVE-2013-4533 7.5
Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image.
05-11-2014 - 15:16 04-11-2014 - 21:55
CVE-2013-4534 7.5
Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements.
05-11-2014 - 15:15 04-11-2014 - 21:55
CVE-2013-4537 7.5
The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image.
05-11-2014 - 15:42 04-11-2014 - 21:55
CVE-2013-4538 7.5
Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c in QEMU before 1.7.2 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) co
05-11-2014 - 15:41 04-11-2014 - 21:55
CVE-2013-4539 7.5
Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a save
05-11-2014 - 15:40 04-11-2014 - 21:55
CVE-2013-4540 7.5
Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image.
30-10-2018 - 16:27 04-11-2014 - 21:55
CVE-2013-4541 7.5
The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value.
05-11-2014 - 15:36 04-11-2014 - 21:55
CVE-2013-4542 7.5
The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds array access.
05-11-2014 - 15:34 04-11-2014 - 21:55
CVE-2013-4544 4.9
hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these detai
09-05-2014 - 14:07 08-05-2014 - 14:29
CVE-2013-6399 7.5
Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image.
05-11-2014 - 15:32 04-11-2014 - 21:55
CVE-2014-0143 4.4
Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bo
22-04-2019 - 17:48 10-08-2017 - 15:29
CVE-2014-0145 4.6
Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, allow local users to cause a denial of service (crash) or possibly execute arbitrary code via a large (1) L1 table in the qcow2_snapshot_load_tmp in the QCOW 2 block driver (block/q
04-11-2017 - 01:29 10-08-2017 - 15:29
CVE-2014-0146 1.9
The qcow2_open function in the (block/qcow2.c) in QEMU before 1.7.2 and 2.x before 2.0.0 allows local users to cause a denial of service (NULL pointer dereference) via a crafted image which causes an error, related to the initialization of the snapsh
04-11-2017 - 01:29 10-08-2017 - 15:29
CVE-2014-0150 4.9
Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow.
22-04-2019 - 17:48 18-04-2014 - 14:55
CVE-2014-0182 7.5
Heap-based buffer overflow in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted config length in a savevm image.
05-11-2014 - 15:28 04-11-2014 - 21:55
CVE-2014-0222 7.5
Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image.
04-11-2017 - 01:29 04-11-2014 - 21:55
CVE-2014-0223 4.6
Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read
04-11-2017 - 01:29 04-11-2014 - 21:55
CVE-2014-2894 7.2
Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption.
29-12-2017 - 02:29 23-04-2014 - 15:55
CVE-2014-3471 2.1
Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU instance crash) via hotplug and hotunplug operations of Virtio block devices.
31-01-2018 - 14:51 12-01-2018 - 17:29
CVE-2014-3615 2.1
The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution.
04-11-2017 - 01:29 01-11-2014 - 23:55
CVE-2014-3689 7.2
The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling.
14-11-2014 - 17:05 14-11-2014 - 15:59
CVE-2014-5388 4.6
Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corr
17-11-2014 - 15:29 15-11-2014 - 21:59
CVE-2014-7815 5.0
The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value.
28-12-2017 - 02:29 14-11-2014 - 15:59
CVE-2014-7840 7.5
The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data.
08-09-2017 - 01:29 12-12-2014 - 15:59
CVE-2014-8106 4.6
Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for
08-09-2017 - 01:29 08-12-2014 - 16:59
CVE-2015-1779 7.8
The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.
01-07-2017 - 01:29 12-01-2016 - 19:59
CVE-2015-3214 6.9
The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an inva
04-11-2017 - 01:29 31-08-2015 - 10:59
CVE-2015-3456 7.7
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_
22-04-2019 - 17:48 13-05-2015 - 18:59
CVE-2015-4037 1.9
The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.
24-12-2016 - 02:59 26-08-2015 - 19:59
CVE-2015-4106 7.2
QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly ha
15-11-2017 - 02:29 03-06-2015 - 20:59
CVE-2015-5154 7.2
Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.
30-10-2018 - 16:27 12-08-2015 - 14:59
CVE-2015-5158 4.3
Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built with SCSI-device emulation support, allows guest OS users with CAP_SYS_RAWIO permissions to cause a denial of service (instance crash) via an invalid opcode in a SCSI command descr
14-04-2016 - 13:14 12-04-2016 - 01:59
CVE-2015-5225 7.2
Buffer overflow in the vnc_refresh_server_surface function in the VNC display driver in QEMU before 2.4.0.1 allows guest users to cause a denial of service (heap memory corruption and process crash) or possibly execute arbitrary code on the host via
04-11-2017 - 01:29 06-11-2015 - 21:59
CVE-2015-5279 7.2
Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.
28-12-2017 - 02:29 28-09-2015 - 16:59
CVE-2015-6855 10.0
hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_
01-07-2017 - 01:29 06-11-2015 - 21:59
CVE-2015-7295 5.0
hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on th
04-11-2017 - 01:29 09-11-2015 - 16:59
CVE-2015-7512 6.8
Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.
05-01-2018 - 02:30 08-01-2016 - 21:59
CVE-2015-8345 2.1
The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list.
04-11-2017 - 01:29 13-04-2017 - 17:59
CVE-2015-8504 3.5
Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client.
04-11-2017 - 01:29 11-04-2017 - 19:59
CVE-2015-8556 10.0
Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1.
27-03-2017 - 19:15 24-03-2017 - 14:59
CVE-2015-8558 4.9
The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list.
04-11-2017 - 01:29 23-05-2016 - 19:59
CVE-2015-8567 6.8
Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption).
30-10-2018 - 16:27 13-04-2017 - 17:59
CVE-2015-8568 4.7
Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly.
04-11-2017 - 01:29 11-04-2017 - 19:59
CVE-2015-8613 1.9
Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INF
04-11-2017 - 01:29 11-04-2017 - 19:59
CVE-2015-8619 5.0
The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash).
04-11-2017 - 01:29 13-04-2017 - 17:59
CVE-2015-8666 1.9
Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator.
07-09-2018 - 10:29 11-04-2017 - 19:59
CVE-2016-1568 9.3
Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ)
04-11-2017 - 01:29 12-04-2016 - 02:00
CVE-2016-1714 6.9
The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-o
04-11-2017 - 01:29 07-04-2016 - 19:59
CVE-2016-2391 2.1
The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers.
01-12-2018 - 11:29 16-06-2016 - 18:59
CVE-2016-2538 3.6
Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS
01-12-2018 - 11:29 16-06-2016 - 18:59
CVE-2016-2841 2.1
The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTO
01-12-2018 - 11:29 16-06-2016 - 18:59
CVE-2016-2857 2.1
The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.
01-12-2018 - 11:29 12-04-2016 - 02:00
CVE-2016-2858 1.9
QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.
01-12-2018 - 11:29 07-04-2016 - 19:59
CVE-2016-4001 4.3
Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large pac
01-12-2018 - 11:29 23-05-2016 - 19:59
CVE-2016-4002 6.8
Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitra
01-12-2018 - 11:29 26-04-2016 - 14:59
CVE-2016-4020 2.1
The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).
01-12-2018 - 11:29 25-05-2016 - 15:59
CVE-2016-4037 4.9
The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CV
01-12-2018 - 11:29 23-05-2016 - 19:59
CVE-2016-4439 4.6
The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU p
01-12-2018 - 11:29 20-05-2016 - 14:59
CVE-2016-4441 2.1
The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via
01-12-2018 - 11:29 20-05-2016 - 14:59
CVE-2016-4453 4.9
The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command.
01-12-2018 - 11:29 01-06-2016 - 22:59
CVE-2016-4454 3.6
The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA comma
01-12-2018 - 11:29 01-06-2016 - 22:59
CVE-2016-4952 1.5
QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual SCSI bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds array access) via vectors related to the (1) PVSCSI_CMD_SETUP_RINGS or (
01-12-2018 - 11:29 02-09-2016 - 14:59
CVE-2016-4964 4.9
The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state.
01-07-2017 - 01:29 10-12-2016 - 00:59
CVE-2016-5105 1.9
The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involvin
01-12-2018 - 11:29 02-09-2016 - 14:59
CVE-2016-5106 1.5
The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors in
01-12-2018 - 11:29 02-09-2016 - 14:59
CVE-2016-5107 1.5
The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors.
01-12-2018 - 11:29 02-09-2016 - 14:59
CVE-2016-5126 4.6
Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call.
01-07-2017 - 01:29 01-06-2016 - 22:59
CVE-2016-5238 2.1
The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode.
01-12-2018 - 11:29 14-06-2016 - 14:59
CVE-2016-5337 2.1
The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information.
01-12-2018 - 11:29 14-06-2016 - 14:59
CVE-2016-5338 4.6
The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information tran
01-12-2018 - 11:29 14-06-2016 - 14:59
CVE-2016-5403 4.9
The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion.
05-01-2018 - 02:31 02-08-2016 - 16:59
CVE-2016-6351 7.2
The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execut
01-12-2018 - 11:29 07-09-2016 - 18:59
CVE-2016-6490 2.1
The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer.
01-07-2017 - 01:30 10-12-2016 - 00:59
CVE-2016-6833 2.1
Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device i
07-09-2018 - 10:29 10-12-2016 - 00:59
CVE-2016-6834 2.1
The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length
01-12-2018 - 11:29 10-12-2016 - 00:59
CVE-2016-6835 2.1
The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length.
07-09-2018 - 10:29 10-12-2016 - 00:59
CVE-2016-6836 2.1
The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object.
01-12-2018 - 11:29 10-12-2016 - 00:59
CVE-2016-6888 2.1
Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an uncheck
01-12-2018 - 11:29 10-12-2016 - 00:59
CVE-2016-7116 2.1
Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string.
01-12-2018 - 11:29 10-12-2016 - 00:59
CVE-2016-7155 2.1
hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings.
01-12-2018 - 11:29 10-12-2016 - 00:59
CVE-2016-7156 2.1
The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast.
01-12-2018 - 11:29 10-12-2016 - 00:59
CVE-2016-7157 2.1
The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_
01-07-2017 - 01:30 10-12-2016 - 00:59
CVE-2016-7170 2.1
The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[
01-12-2018 - 11:29 10-12-2016 - 00:59
CVE-2016-7421 2.1
The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the
01-12-2018 - 11:29 10-12-2016 - 00:59
CVE-2016-7422 2.1
The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via a large I/O descriptor buffer length value.
05-01-2018 - 02:31 10-12-2016 - 00:59
CVE-2016-7423 2.1
The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vecto
01-07-2017 - 01:30 10-10-2016 - 16:59
CVE-2016-7466 2.1
Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly
05-01-2018 - 02:31 10-12-2016 - 00:59
CVE-2016-7994 2.1
Memory leak in the virtio_gpu_resource_create_2d function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_CRE
01-07-2017 - 01:30 10-12-2016 - 00:59
CVE-2016-7995 2.1
Memory leak in the ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of crafted buffer page select (PG) indexes.
07-01-2017 - 03:00 10-12-2016 - 00:59
CVE-2016-8576 1.9
The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request
07-09-2018 - 10:29 04-11-2016 - 21:59
CVE-2016-8577 1.9
Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation.
01-12-2018 - 11:29 04-11-2016 - 21:59
CVE-2016-8578 1.9
The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P o
01-12-2018 - 11:29 04-11-2016 - 21:59
CVE-2016-8667 1.9
The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value.
07-09-2018 - 10:29 04-11-2016 - 21:59
CVE-2016-8668 1.9
The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging failure to limit DMA buffer size.
01-07-2017 - 01:30 04-11-2016 - 21:59
CVE-2016-8669 1.9
The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater th
07-09-2018 - 10:29 04-11-2016 - 21:59
CVE-2016-8909 1.9
The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer posi
01-12-2018 - 11:29 04-11-2016 - 21:59
CVE-2016-8910 1.9
The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count. <a hr
01-12-2018 - 11:29 04-11-2016 - 21:59
CVE-2016-9101 2.1
Memory leak in hw/net/eepro100.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device.
01-12-2018 - 11:29 09-12-2016 - 22:59
CVE-2016-9102 2.1
Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with t
01-12-2018 - 11:29 09-12-2016 - 22:59
CVE-2016-9103 2.1
The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them.
01-12-2018 - 11:29 09-12-2016 - 22:59
CVE-2016-9104 2.1
Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which tr
01-12-2018 - 11:29 09-12-2016 - 22:59
CVE-2016-9105 2.1
Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object.
01-12-2018 - 11:29 09-12-2016 - 22:59
CVE-2016-9106 2.1
Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector.
01-12-2018 - 11:29 09-12-2016 - 22:59
CVE-2016-9602 9.0
Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a ho
09-10-2019 - 23:20 26-04-2018 - 19:29
CVE-2016-9907 2.1
Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memo
07-09-2018 - 10:29 23-12-2016 - 22:59
CVE-2016-9908 2.1
Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of t
01-07-2017 - 01:30 23-12-2016 - 22:59
CVE-2016-9911 2.1
Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in
07-09-2018 - 10:29 23-12-2016 - 22:59
CVE-2016-9912 2.1
Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak ho
01-07-2017 - 01:30 23-12-2016 - 22:59
CVE-2016-9921 2.1
Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw
07-09-2018 - 10:29 23-12-2016 - 22:59
CVE-2016-9923 2.1
Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host
01-07-2017 - 01:30 23-12-2016 - 22:59
CVE-2017-15038 1.9
Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes.
07-09-2018 - 10:29 10-10-2017 - 01:30
CVE-2017-15118 7.5
A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack
09-10-2019 - 23:24 27-07-2018 - 21:29
CVE-2017-15119 5.0
The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client
09-10-2019 - 23:24 27-07-2018 - 16:29
CVE-2017-15124 7.8
VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VN
31-10-2018 - 10:29 09-01-2018 - 21:29
CVE-2017-15268 5.0
Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c.
03-10-2019 - 00:03 12-10-2017 - 15:29
CVE-2017-16845 7.5
hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.
07-09-2018 - 10:29 17-11-2017 - 20:29
CVE-2017-18030 2.1
The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch.
07-09-2018 - 10:29 23-01-2018 - 18:29
CVE-2017-2630 6.5
A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server's response to a 'NBD_OPT_LIST' request. A malicious NBD server could
09-10-2019 - 23:26 27-07-2018 - 18:29
CVE-2017-2633 4.0
An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the 'vnc_refresh_server_surface'. A user inside a guest could use t
09-10-2019 - 23:26 27-07-2018 - 19:29
CVE-2017-5957 2.1
Stack-based buffer overflow in the vrend_decode_set_framebuffer_state function in vrend_decode.c in virglrenderer before 926b9b3460a48f6454d8bbe9e44313d86a65447f, as used in Quick Emulator (QEMU), allows a local guest users to cause a denial of servi
19-07-2019 - 12:22 14-03-2017 - 14:59
CVE-2017-7377 2.1
The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid.
03-10-2019 - 00:03 10-04-2017 - 15:59
CVE-2017-7471 7.7
Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside gu
03-10-2019 - 00:03 09-07-2018 - 14:29
CVE-2017-7539 5.0
An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during
09-10-2019 - 23:29 26-07-2018 - 14:29
CVE-2017-7980 4.6
Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display a
22-04-2019 - 17:48 25-07-2017 - 14:29
CVE-2017-8086 4.9
Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable.
03-10-2019 - 00:03 02-05-2017 - 14:59
CVE-2017-8112 4.9
hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count.
03-10-2019 - 00:03 02-05-2017 - 14:59
CVE-2017-8284 6.9
** DISPUTED ** The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic
03-10-2019 - 00:03 26-04-2017 - 14:59
CVE-2017-8309 7.8
Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture.
03-10-2019 - 00:03 23-05-2017 - 04:29
CVE-2017-8379 4.9
Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events.
03-10-2019 - 00:03 23-05-2017 - 04:29
CVE-2018-10839 4.0
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to cra
24-09-2019 - 16:15 16-10-2018 - 14:29
CVE-2018-11806 7.2
m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.
31-05-2019 - 14:29 13-06-2018 - 16:29
CVE-2018-12617 5.0
qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. Th
31-05-2019 - 14:29 21-06-2018 - 18:29
CVE-2018-15746 2.1
qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread.
09-08-2019 - 04:15 29-08-2018 - 19:29
CVE-2018-16847 4.6
An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially
09-10-2019 - 23:36 02-11-2018 - 22:29
CVE-2018-16867 4.4
A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, thi
09-10-2019 - 23:36 12-12-2018 - 13:29
CVE-2018-16872 3.5
A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the t
31-05-2019 - 14:29 13-12-2018 - 21:29
CVE-2018-17958 5.0
Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used.
31-05-2019 - 14:29 09-10-2018 - 22:29
CVE-2018-17963 7.5
qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
06-08-2019 - 17:15 09-10-2018 - 22:29
CVE-2018-18438 2.1
Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value.
22-04-2019 - 17:48 19-10-2018 - 22:29
CVE-2018-18954 2.1
The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 allows out-of-bounds write or read access to PowerNV memory.
31-05-2019 - 14:29 15-11-2018 - 20:29
CVE-2018-19364 2.1
hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome.
31-05-2019 - 14:29 13-12-2018 - 19:29
CVE-2018-19489 1.9
v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming.
31-05-2019 - 14:29 13-12-2018 - 19:29
CVE-2018-19665 2.7
The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption.
17-04-2019 - 21:29 06-12-2018 - 23:29
CVE-2018-20123 2.1
pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak after an initialisation error.
03-10-2019 - 00:03 17-12-2018 - 19:29
CVE-2018-20124 2.1
hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value.
28-03-2019 - 01:48 20-12-2018 - 23:29
CVE-2018-20125 5.0
hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings.
28-03-2019 - 02:05 20-12-2018 - 21:29
CVE-2018-20126 2.1
hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled.
03-10-2019 - 00:03 20-12-2018 - 21:29
CVE-2018-20191 5.0
hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference).
03-04-2019 - 12:48 20-12-2018 - 23:29
CVE-2018-20216 5.0
QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled).
03-10-2019 - 00:03 20-12-2018 - 21:29
CVE-2018-5683 2.1
The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation.
04-03-2019 - 21:25 23-01-2018 - 18:29
CVE-2018-7550 4.6
The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or
25-03-2019 - 19:19 01-03-2018 - 17:29
CVE-2019-12928 10.0
** DISPUTED ** The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command
02-07-2019 - 16:15 24-06-2019 - 11:15
CVE-2019-12929 10.0
** DISPUTED ** The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening
02-07-2019 - 16:15 24-06-2019 - 11:15
CVE-2019-8934 2.1
hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.
17-05-2019 - 12:29 21-03-2019 - 16:01
CVE-2015-5239 4.0
Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.
23-01-2020 - 20:49 23-01-2020 - 20:15
CVE-2015-5278 4.0
The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets.
23-01-2020 - 20:49 23-01-2020 - 20:15
CVE-2015-5745 4.0
Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.
23-01-2020 - 20:49 23-01-2020 - 20:15
CVE-2015-6815 2.7
The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecifie
31-01-2020 - 22:15 31-01-2020 - 22:15
CVE-2013-4535 7.2
The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read.
11-02-2020 - 16:38 11-02-2020 - 16:15
CVE-2020-10761 4.0
An assertion failure issue was found in the Network Block Device(NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A r
09-06-2020 - 13:15 09-06-2020 - 13:15
CVE-2008-0928 4.7
Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine.
29-09-2017 - 01:30 03-03-2008 - 22:44
CVE-2011-0011 4.3
qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions.
17-08-2017 - 01:33 21-06-2012 - 15:55
CVE-2011-1751 7.4
The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest c
08-12-2016 - 03:02 21-06-2012 - 15:55
CVE-2011-1750 7.4
Multiple heap-based buffer overflows in the virtio-blk driver (hw/virtio-blk.c) in qemu-kvm 0.14.0 allow local guest users to cause a denial of service (guest crash) and possibly gain privileges via a (1) write request to the virtio_blk_handle_write
17-08-2017 - 01:34 21-06-2012 - 15:55
CVE-2007-6227 7.2
QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating system to overwrite the TranslationBlock (code_gen_buffer) buffer, and probably have unspecified other impacts related to an "overflow," via certain Windows executable programs, as dem
15-10-2018 - 21:51 04-12-2007 - 18:46
CVE-2008-4553 7.2
qemu-make-debian-root in qemu 0.9.1-5 on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on temporary files and directories.
08-08-2017 - 01:32 15-10-2008 - 20:07
CVE-2008-2004 4.9
The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the gue
29-09-2017 - 01:30 12-05-2008 - 22:20
CVE-2008-5714 7.8
Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended.
08-08-2017 - 01:33 24-12-2008 - 18:29
CVE-2013-4148 7.5
Integer signedness error in the virtio_net_load function in hw/net/virtio-net.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers a buffer overflow.
05-11-2014 - 15:12 04-11-2014 - 21:55
CVE-2013-4151 7.5
The virtio_load function in virtio/virtio.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds write.
05-11-2014 - 14:28 04-11-2014 - 21:55
CVE-2014-9718 4.9
The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite
23-06-2016 - 18:30 21-04-2015 - 16:59
CVE-2012-2652 4.4
The bdrv_open function in Qemu 1.0 does not properly handle the failure of the mkstemp function, when in snapshot node, which allows local users to overwrite or read arbitrary files via a symlink attack on an unspecified temporary file.
06-03-2014 - 04:37 07-08-2012 - 20:55
CVE-2014-0142 2.1
QEMU, possibly before 2.0.0, allows local users to cause a denial of service (divide-by-zero error and crash) via a zero value in the (1) tracks field to the seek_to_sector function in block/parallels.c or (2) extent_size field in the bochs function
04-11-2017 - 01:29 10-08-2017 - 15:29
CVE-2013-4532 4.6
Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.
02-01-2020 - 16:15 02-01-2020 - 16:15
CVE-2013-4375 2.7
The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors.
07-01-2017 - 02:59 19-01-2014 - 18:55
CVE-2013-4149 7.5
Buffer overflow in virtio_net_load function in net/virtio-net.c in QEMU 1.3.0 through 1.7.x before 1.7.2 might allow remote attackers to execute arbitrary code via a large MAC table.
05-11-2014 - 16:24 04-11-2014 - 21:55
CVE-2013-4377 2.3
Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by "hot-unplugging" a virtio device.
06-03-2014 - 04:47 11-10-2013 - 22:55
CVE-2013-2007 6.9
The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files.
29-08-2017 - 01:33 21-05-2013 - 18:55
CVE-2013-4150 7.5
The virtio_net_load function in hw/net/virtio-net.c in QEMU 1.5.0 through 1.7.x before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors in which the value of curr_queues is greater than max_que
05-11-2014 - 16:26 04-11-2014 - 21:55
CVE-2017-18043 2.1
Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash).
07-03-2019 - 15:01 31-01-2018 - 20:29
CVE-2014-5263 6.8
vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a denial of service (out-of-bounds access, infinite loop, and memory corruption) and possibly gain p
19-11-2014 - 03:02 26-08-2014 - 14:55
CVE-2015-8817 2.1
QEMU (aka Quick Emulator) built to use 'address_space_translate' to map an address to a MemoryRegionSection is vulnerable to an OOB r/w access issue. It could occur while doing pci_dma_read/write calls. Affects QEMU versions >= 1.6.0 and <= 2.3.1. A
05-01-2018 - 02:30 29-12-2016 - 22:59
CVE-2014-3461 6.8
hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrary code via crafted savevm data, which triggers a heap-based buffer overflow, related to "USB post load checks."
05-11-2014 - 18:50 04-11-2014 - 21:55
CVE-2019-12068 2.1
In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read ne
26-09-2019 - 16:07 24-09-2019 - 20:15
CVE-2014-3640 2.1
The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized s
04-11-2017 - 01:29 07-11-2014 - 19:55
CVE-2018-17962 5.0
Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used.
24-09-2019 - 16:15 09-10-2018 - 22:29
CVE-2019-3812 2.1
QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memo
31-05-2019 - 14:29 19-02-2019 - 14:29
CVE-2019-20175 5.0
** DISPUTED ** An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size
31-12-2019 - 04:15 31-12-2019 - 04:15
CVE-2020-1711 6.5
An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_s
11-02-2020 - 20:25 11-02-2020 - 20:15
CVE-2016-2392 2.1
The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer de
01-12-2018 - 11:29 16-06-2016 - 18:59
CVE-2017-13673 4.0
The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function.
03-10-2019 - 00:03 29-08-2017 - 16:29
CVE-2017-8380 7.5
Buffer overflow in the "megasas_mmio_write" function in Qemu 2.9.0 allows remote attackers to have unspecified impact via unknown vectors.
06-09-2017 - 02:06 28-08-2017 - 15:29
CVE-2018-18849 2.1
In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value.
31-05-2019 - 14:29 21-03-2019 - 16:00
CVE-2019-12247 5.0
** DISPUTED ** QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable.
30-05-2019 - 15:29 22-05-2019 - 15:29
CVE-2019-6778 4.6
In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.
31-05-2019 - 14:29 21-03-2019 - 16:01
CVE-2019-9824 2.1
tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.
02-07-2019 - 15:15 03-06-2019 - 21:29
CVE-2018-20815 7.5
In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk.
02-07-2019 - 23:15 31-05-2019 - 22:29
CVE-2019-5008 5.0
hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver.
14-05-2019 - 20:29 19-04-2019 - 19:29
CVE-2019-6501 2.1
In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations.
06-08-2019 - 17:15 21-03-2019 - 16:01
CVE-2019-12155 5.0
interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NULL pointer dereference.
31-05-2019 - 14:29 24-05-2019 - 16:29
CVE-2019-13164 4.6
qemu-bridge-helper.c in QEMU 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.
26-08-2019 - 08:15 03-07-2019 - 14:15
CVE-2019-15034 4.4
hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space.
10-03-2020 - 18:17 10-03-2020 - 18:15
CVE-2020-10702 2.1
A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be
04-06-2020 - 18:30 04-06-2020 - 18:15
CVE-2020-11869 2.1
An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A mal
27-04-2020 - 19:16 27-04-2020 - 19:15
CVE-2019-20382 2.7
QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.
05-03-2020 - 19:15 05-03-2020 - 19:15
CVE-2020-13765 6.8
rom_copy() in hw/core/loader.c in QEMU 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.
04-06-2020 - 16:33 04-06-2020 - 16:15
CVE-2020-11102 6.8
hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length.
06-04-2020 - 17:00 06-04-2020 - 16:15
CVE-2020-13253 2.1
sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.
27-05-2020 - 15:24 27-05-2020 - 15:15
CVE-2020-13361 3.3
In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
28-05-2020 - 14:16 28-05-2020 - 14:15
CVE-2020-13362 2.1
In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.
28-05-2020 - 15:30 28-05-2020 - 15:15
CVE-2020-13659 1.9
address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.
02-06-2020 - 13:39 02-06-2020 - 13:15
CVE-2020-13754 4.6
hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.
02-06-2020 - 15:04 02-06-2020 - 14:15
CVE-2020-13791 2.1
hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.
04-06-2020 - 16:33 04-06-2020 - 16:15
CVE-2020-13800 4.9
ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.
04-06-2020 - 16:33 04-06-2020 - 16:15
CVE-2020-10717 2.1
A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system directory with a guest via virtio-fs device. If the guest opens the maxim
04-05-2020 - 21:19 04-05-2020 - 21:15
Back to Top Mark selected
Back to Top