Vulnerabilities (CVE)

Filtered by vendor Qemu Subscribe
Total 410 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-15034 1 Qemu 1 Qemu 2023-12-10 4.4 MEDIUM 5.8 MEDIUM
hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space.
CVE-2015-6815 7 Arista, Canonical, Fedoraproject and 4 more 11 Eos, Ubuntu Linux, Fedora and 8 more 2023-12-10 2.7 LOW 3.5 LOW
The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.
CVE-2015-5278 4 Arista, Canonical, Fedoraproject and 1 more 4 Eos, Ubuntu Linux, Fedora and 1 more 2023-12-10 4.0 MEDIUM 6.5 MEDIUM
The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets.
CVE-2020-1711 4 Debian, Opensuse, Qemu and 1 more 5 Debian Linux, Leap, Qemu and 2 more 2023-12-10 6.0 MEDIUM 6.0 MEDIUM
An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host.
CVE-2020-7211 3 Libslirp Project, Microsoft, Qemu 3 Libslirp, Windows, Qemu 2023-12-10 5.0 MEDIUM 7.5 HIGH
tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows.
CVE-2015-5239 5 Arista, Canonical, Fedoraproject and 2 more 8 Eos, Ubuntu Linux, Fedora and 5 more 2023-12-10 4.0 MEDIUM 6.5 MEDIUM
Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.
CVE-2019-20382 4 Canonical, Debian, Opensuse and 1 more 4 Ubuntu Linux, Debian Linux, Leap and 1 more 2023-12-10 2.7 LOW 3.5 LOW
QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.
CVE-2015-5745 3 Arista, Fedoraproject, Qemu 3 Eos, Fedora, Qemu 2023-12-10 4.0 MEDIUM 6.5 MEDIUM
Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.
CVE-2013-2016 3 Debian, Novell, Qemu 4 Debian Linux, Open Desktop Server, Open Enterprise Server and 1 more 2023-12-10 6.9 MEDIUM 7.8 HIGH
A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host.
CVE-2013-4532 3 Canonical, Debian, Qemu 3 Ubuntu Linux, Debian Linux, Qemu 2023-12-10 4.6 MEDIUM 7.8 HIGH
Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.
CVE-2019-12068 4 Canonical, Debian, Opensuse and 1 more 4 Ubuntu Linux, Debian Linux, Leap and 1 more 2023-12-10 2.1 LOW 3.8 LOW
In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
CVE-2020-7039 4 Debian, Libslirp Project, Opensuse and 1 more 4 Debian Linux, Libslirp, Leap and 1 more 2023-12-10 6.8 MEDIUM 5.6 MEDIUM
tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code.
CVE-2019-9824 1 Qemu 1 Qemu 2023-12-10 2.1 LOW 5.5 MEDIUM
tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.
CVE-2018-18849 4 Canonical, Fedoraproject, Opensuse and 1 more 4 Ubuntu Linux, Fedora, Leap and 1 more 2023-12-10 2.1 LOW 5.5 MEDIUM
In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value.
CVE-2019-6501 2 Fedoraproject, Qemu 2 Fedora, Qemu 2023-12-10 2.1 LOW 5.5 MEDIUM
In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations.
CVE-2019-5008 1 Qemu 1 Qemu 2023-12-10 5.0 MEDIUM 7.5 HIGH
hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver.
CVE-2018-20815 1 Qemu 1 Qemu 2023-12-10 7.5 HIGH 9.8 CRITICAL
In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk.
CVE-2019-15890 2 Libslirp Project, Qemu 2 Libslirp, Qemu 2023-12-10 5.0 MEDIUM 7.5 HIGH
libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.
CVE-2019-6778 4 Canonical, Fedoraproject, Opensuse and 1 more 4 Ubuntu Linux, Fedora, Leap and 1 more 2023-12-10 4.6 MEDIUM 7.8 HIGH
In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.
CVE-2019-8934 2 Opensuse, Qemu 2 Leap, Qemu 2023-12-10 2.1 LOW 3.3 LOW
hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.