CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Qemu : Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-20263 281 2021-03-09 2021-04-06
2.1
None Local Low Not required None Partial None
A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.
2 CVE-2021-20255 835 DoS Overflow 2021-03-09 2021-04-11
2.1
None Local Low Not required None None Partial
A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
3 CVE-2021-20221 125 2021-05-13 2021-07-08
2.1
None Local Low Not required None None Partial
An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
4 CVE-2021-20203 190 Overflow 2021-02-25 2021-04-11
2.1
None Local Low Not required None None Partial
An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
5 CVE-2021-20196 476 DoS 2021-05-26 2021-07-08
2.1
None Local Low Not required None None Partial
A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
6 CVE-2021-3545 200 +Info 2021-06-02 2021-10-18
2.1
None Local Low Not required Partial None None
An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.
7 CVE-2021-3544 401 2021-06-02 2021-10-18
2.1
None Local Low Not required None None Partial
Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.
8 CVE-2021-3527 770 DoS 2021-05-26 2021-11-15
2.1
None Local Low Not required None None Partial
A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.
9 CVE-2021-3416 835 Overflow Bypass 2021-03-18 2021-04-11
2.1
None Local Low Not required None None Partial
A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.
10 CVE-2021-3392 416 DoS 2021-03-23 2021-04-11
2.1
None Local Low Not required None None Partial
A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.
11 CVE-2020-35505 476 DoS 2021-05-28 2021-07-13
2.1
None Local Low Not required None None Partial
A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
12 CVE-2020-35504 476 DoS 2021-05-28 2021-07-13
2.1
None Local Low Not required None None Partial
A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
13 CVE-2020-35503 476 DoS 2021-06-02 2021-07-20
2.1
None Local Low Not required None None Partial
A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
14 CVE-2020-28916 835 2020-12-04 2021-02-24
2.1
None Local Low Not required None None Partial
hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
15 CVE-2020-27821 787 DoS 2020-12-08 2021-01-15
2.1
None Local Low Not required None None Partial
A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0.
16 CVE-2020-27661 369 DoS 2021-06-02 2021-07-20
2.1
None Local Low Not required None None Partial
A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-dwc2.c in the hcd-dwc2 USB host controller emulation of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
17 CVE-2020-25743 476 2020-10-06 2020-10-07
2.1
None Local Low Not required None None Partial
hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
18 CVE-2020-25742 476 2020-10-06 2020-10-07
2.1
None Local Low Not required None None Partial
pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
19 CVE-2020-25741 476 2020-10-02 2020-10-14
2.1
None Local Low Not required None None Partial
fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
20 CVE-2020-25723 617 DoS 2020-12-02 2020-12-28
2.1
None Local Low Not required None None Partial
A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.
21 CVE-2020-25084 416 2020-09-25 2021-02-24
2.1
None Local Low Not required None None Partial
QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
22 CVE-2020-24352 119 DoS Overflow 2020-10-16 2021-07-21
2.1
None Local Low Not required None None Partial
An issue was discovered in QEMU through 5.1.0. An out-of-bounds memory access was found in the ATI VGA device implementation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati_2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
23 CVE-2020-16092 617 DoS 2020-08-11 2020-10-13
2.1
None Local Low Not required None None Partial
In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c.
24 CVE-2020-15859 416 2020-07-21 2021-02-24
2.1
None Local Low Not required None None Partial
QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.
25 CVE-2020-15469 476 2020-07-02 2021-02-24
2.1
None Local Low Not required None None Partial
In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
26 CVE-2020-14415 369 2020-08-27 2020-09-02
2.1
None Local Low Not required None None Partial
oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position.
27 CVE-2020-13791 125 2020-06-04 2020-12-14
2.1
None Local Low Not required None None Partial
hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.
28 CVE-2020-13362 125 2020-05-28 2020-11-11
2.1
None Local Low Not required None None Partial
In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.
29 CVE-2020-13253 125 2020-05-27 2020-12-14
2.1
None Local Low Not required None None Partial
sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.
30 CVE-2020-12829 190 DoS Overflow 2020-08-31 2020-12-14
2.1
None Local Low Not required None None Partial
In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service.
31 CVE-2020-11947 125 2020-12-31 2021-02-18
2.1
None Local Low Not required Partial None None
iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker.
32 CVE-2020-11869 190 DoS Overflow 2020-04-27 2020-05-28
2.1
None Local Low Not required None None Partial
An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.
33 CVE-2020-10717 400 DoS 2020-05-04 2020-11-11
2.1
None Local Low Not required None None Partial
A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system directory with a guest via virtio-fs device. If the guest opens the maximum number of file descriptors under the shared directory, a denial of service may occur. This flaw allows a guest user/process to cause this denial of service on the host.
34 CVE-2020-10702 Bypass 2020-06-04 2020-07-24
2.1
None Local Low Not required Partial None None
A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU.
35 CVE-2019-20808 125 DoS 2020-12-31 2021-03-31
2.1
None Local Low Not required None None Partial
In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.
36 CVE-2019-20382 401 2020-03-05 2020-07-26
2.7
None Local Network Low ??? None None Partial
QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.
37 CVE-2019-12068 835 Exec Code 2019-09-24 2020-07-26
2.1
None Local Low Not required None None Partial
In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
38 CVE-2019-12067 476 DoS 2021-06-02 2021-07-30
2.1
None Local Low Not required None None Partial
The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
39 CVE-2019-9824 908 2019-06-03 2020-08-24
2.1
None Local Low Not required Partial None None
tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.
40 CVE-2019-8934 19 2019-03-21 2021-07-21
2.1
None Local Low Not required Partial None None
hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.
41 CVE-2019-6501 125 2019-03-21 2019-08-06
2.1
None Local Low Not required None None Partial
In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations.
42 CVE-2019-3812 125 Exec Code 2019-02-19 2019-05-31
2.1
None Local Low Not required Partial None None
QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host.
43 CVE-2018-20126 772 2018-12-20 2020-05-12
2.1
None Local Low Not required None None Partial
hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled.
44 CVE-2018-20124 125 2018-12-20 2020-05-12
2.1
None Local Low Not required None None Partial
hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value.
45 CVE-2018-20123 772 2018-12-17 2020-05-12
2.1
None Local Low Not required None None Partial
pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak after an initialisation error.
46 CVE-2018-19665 190 Mem. Corr. 2018-12-06 2020-12-14
2.7
None Local Network Low ??? None None Partial
The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption.
47 CVE-2018-19364 416 2018-12-13 2020-05-12
2.1
None Local Low Not required None None Partial
hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome.
48 CVE-2018-18954 125 2018-11-15 2019-05-31
2.1
None Local Low Not required None None Partial
The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 allows out-of-bounds write or read access to PowerNV memory.
49 CVE-2018-18849 125 2019-03-21 2019-05-31
2.1
None Local Low Not required None None Partial
In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value.
50 CVE-2018-18438 190 Overflow 2018-10-19 2021-08-04
2.1
None Local Low Not required None None Partial
Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value.
Total number of vulnerabilities : 141   Page : 1 (This Page)2 3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.