CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Qemu : Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-20181 416 2021-05-13 2021-07-20
6.9
None Local Medium Not required Complete Complete Complete
A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
2 CVE-2021-3682 763 Exec Code 2021-08-05 2021-10-18
6.0
None Remote Medium ??? Partial Partial Partial
A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.
3 CVE-2020-13765 787 2020-06-04 2021-01-04
6.8
None Remote Medium Not required Partial Partial Partial
rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.
4 CVE-2020-11102 787 Overflow 2020-04-06 2020-05-13
6.8
None Remote Medium Not required Partial Partial Partial
hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length.
5 CVE-2020-7039 787 Exec Code Overflow 2020-01-16 2021-02-14
6.8
None Remote Medium Not required Partial Partial Partial
tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code.
6 CVE-2020-1711 787 DoS Exec Code 2020-02-11 2021-08-04
6.0
None Remote Medium ??? Partial Partial Partial
An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host.
7 CVE-2017-16845 20 2017-11-17 2020-09-10
6.4
None Remote Low Not required Partial None Partial
hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.
8 CVE-2017-8284 94 +Priv 2017-04-26 2019-10-03
6.9
None Local Medium Not required Complete Complete Complete
** DISPUTED ** The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated "this bug does not violate any security guarantees QEMU makes."
9 CVE-2017-2630 121 Exec Code Overflow 2018-07-27 2021-09-08
6.5
None Remote Low ??? Partial Partial Partial
A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server's response to a 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client resulting in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process.
10 CVE-2016-9381 362 +Priv 2017-01-23 2020-10-23
6.9
None Local Medium Not required Complete Complete Complete
Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability.
11 CVE-2016-4002 120 DoS Exec Code Overflow Mem. Corr. 2016-04-26 2020-12-14
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.
12 CVE-2016-1714 119 DoS Exec Code Overflow 2016-04-07 2019-12-27
6.9
None Local Medium Not required Complete Complete Complete
The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a firmware configuration.
13 CVE-2016-1568 416 DoS Exec Code 2016-04-12 2020-10-15
6.9
None Local Medium Not required Complete Complete Complete
Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.
14 CVE-2015-8567 401 DoS 2017-04-13 2020-09-09
6.8
None Remote Low ??? None None Complete
Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption).
15 CVE-2015-7512 120 DoS Exec Code Overflow 2016-01-08 2020-09-09
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.
16 CVE-2015-3214 119 Exec Code Overflow 2015-08-31 2017-11-04
6.9
None Local Medium Not required Complete Complete Complete
The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.
17 CVE-2014-5263 119 DoS Overflow +Priv Mem. Corr. 2014-08-26 2014-11-19
6.8
None Remote Medium Not required Partial Partial Partial
vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a denial of service (out-of-bounds access, infinite loop, and memory corruption) and possibly gain privileges via unspecified vectors.
18 CVE-2014-3461 119 Exec Code Overflow 2014-11-04 2014-11-05
6.8
None Remote Medium Not required Partial Partial Partial
hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrary code via crafted savevm data, which triggers a heap-based buffer overflow, related to "USB post load checks."
19 CVE-2013-2016 269 2019-12-30 2020-01-17
6.9
None Local Medium Not required Complete Complete Complete
A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host.
20 CVE-2013-2007 264 2013-05-21 2017-08-29
6.9
None Local Medium Not required Complete Complete Complete
The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files.
21 CVE-2011-4111 119 DoS Exec Code Overflow 2014-02-26 2019-04-22
6.8
None Local Network High Not required Complete Complete Complete
Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-passthru.c in QEMU before 0.15.2 and 1.x before 1.0-rc4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VSC_ATR message.
Total number of vulnerabilities : 21   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.