Vulnerabilities (CVE)

Filtered by vendor Qemu Subscribe
Filtered by product Qemu
Total 413 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-4172 2 Fedoraproject, Qemu 2 Fedora, Qemu 2024-11-21 N/A 6.5 MEDIUM
An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.
CVE-2022-4144 3 Fedoraproject, Qemu, Redhat 4 Extra Packages For Enterprise Linux, Fedora, Qemu and 1 more 2024-11-21 N/A 6.5 MEDIUM
An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.
CVE-2022-3872 1 Qemu 1 Qemu 2024-11-21 N/A 8.6 HIGH
An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVE-2022-3165 2 Fedoraproject, Qemu 2 Fedora, Qemu 2024-11-21 N/A 6.5 MEDIUM
An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service.
CVE-2022-36648 1 Qemu 1 Qemu 2024-11-21 N/A 10.0 CRITICAL
The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case.
CVE-2022-35414 2 Debian, Qemu 2 Debian Linux, Qemu 2024-11-21 6.1 MEDIUM 8.8 HIGH
softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-virtualization Use Case in the qemu.org reference applies here, i.e., "Bugs affecting the non-virtualization use case are not considered security bugs at this time.
CVE-2022-2962 1 Qemu 1 Qemu 2024-11-21 N/A 7.8 HIGH
A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVE-2022-26354 2 Debian, Qemu 2 Debian Linux, Qemu 2024-11-21 2.1 LOW 3.2 LOW
A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.
CVE-2022-26353 2 Debian, Qemu 2 Debian Linux, Qemu 2024-11-21 5.0 MEDIUM 7.5 HIGH
A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.
CVE-2022-1050 1 Qemu 1 Qemu 2024-11-21 4.6 MEDIUM 8.8 HIGH
A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
CVE-2022-0358 2 Qemu, Redhat 2 Qemu, Enterprise Linux 2024-11-21 N/A 7.8 HIGH
A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.
CVE-2022-0216 2 Fedoraproject, Qemu 2 Fedora, Qemu 2024-11-21 N/A 4.4 MEDIUM
A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
CVE-2021-4207 3 Debian, Qemu, Redhat 3 Debian Linux, Qemu, Enterprise Linux 2024-11-21 4.6 MEDIUM 8.2 HIGH
A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
CVE-2021-4206 3 Debian, Qemu, Redhat 3 Debian Linux, Qemu, Enterprise Linux 2024-11-21 4.6 MEDIUM 8.2 HIGH
A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
CVE-2021-4158 2 Qemu, Redhat 2 Qemu, Enterprise Linux 2024-11-21 N/A 6.0 MEDIUM
A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVE-2021-4145 2 Qemu, Redhat 2 Qemu, Enterprise Linux 2024-11-21 4.9 MEDIUM 6.5 MEDIUM
A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node.
CVE-2021-3947 1 Qemu 1 Qemu 2024-11-21 2.1 LOW 5.5 MEDIUM
A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information.
CVE-2021-3930 3 Debian, Qemu, Redhat 10 Debian Linux, Qemu, Codeready Linux Builder and 7 more 2024-11-21 2.1 LOW 6.5 MEDIUM
An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
CVE-2021-3929 2 Fedoraproject, Qemu 2 Fedora, Qemu 2024-11-21 N/A 8.2 HIGH
A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
CVE-2021-3750 2 Qemu, Redhat 2 Qemu, Enterprise Linux 2024-11-21 4.6 MEDIUM 8.2 HIGH
A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.