CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-3255 – Qemu: vnc: infinite loop in inflate_buffer() leads to denial of service
https://notcve.org/view.php?id=CVE-2023-3255
13 Sep 2023 — A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service. Se encontró una falla en el servidor VNC integrado de QEMU al procesar mensajes ClientCutText. Una condición de salida incorrecta puede provocar un bucle inf... • https://access.redhat.com/errata/RHSA-2024:2135 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.6EPSS: 0%CPEs: 3EXPL: 0CVE-2023-3301 – Triggerable assertion due to race condition in hot-unplug
https://notcve.org/view.php?id=CVE-2023-3301
13 Sep 2023 — A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service. Se encontró una falla en QEMU. La naturaleza asíncrona de la desconexión en caliente permite un escenario de ejecución en el que el backend del dispositivo de red se borra antes de que se haya desconectado el frontend pci de virtio-net.... • https://access.redhat.com/security/cve/CVE-2023-3301 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-617: Reachable Assertion •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-42467 – QEMU: am53c974: denial of service due to division by zero
https://notcve.org/view.php?id=CVE-2023-42467
11 Sep 2023 — QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately. QEMU hasta 8.0.0 podría desencadenar una división por cero en scsi_disk_reset en hw/scsi/scsi-disk.c porque scsi_disk_emulate_mode_select no impide que s->qdev.blocksize sea 256. Esto detiene QEMU y el invitado inmediatamente. A denial of service vulnerability was found in the qemu ... • https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c • CWE-369: Divide By Zero •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-24165 – Ubuntu Security Notice USN-6567-2
https://notcve.org/view.php?id=CVE-2020-24165
28 Aug 2023 — An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS). Note: This is disputed as a bug and not a valid security issue by multiple third parties. Gaoning Pan and Xingwei Li discovered that QEMU incorrectly handled the USB xHCI controller device. A privileged guest attacker could possibly use this issue to cause QEMU to crash, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS ... • https://bugs.launchpad.net/qemu/+bug/1863025 •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2022-36648
https://notcve.org/view.php?id=CVE-2022-36648
22 Aug 2023 — The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case. La emulación de hardware en el of_dpa_cmd_add_l2_flood del modelo de dispositivo rocker en QEMU, tal y... • https://lists.nongnu.org/archive/html/qemu-devel/2022-06/msg04469.html • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-40360 – Ubuntu Security Notice USN-6567-2
https://notcve.org/view.php?id=CVE-2023-40360
14 Aug 2023 — QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled. QEMU hasta 8.0.4 accede a un puntero NULL en nvme_directive_receive en hw/nvme/ctrl.c porque no se verifica si un grupo de resistencia está configurado antes de verificar si la Ubicación Flexible de Datos está habilitada. Gaoning Pan and Xingwei Li discovered that QEMU incorrectly handled the ... • https://gitlab.com/birkelund/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98 • CWE-476: NULL Pointer Dereference •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-4135 – Out-of-bounds read information disclosure vulnerability
https://notcve.org/view.php?id=CVE-2023-4135
04 Aug 2023 — A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed. Se encontró una falla de lectura de memoria fuera de los límites en el dispositivo nvme virtual en QEMU. El proceso QEMU no valida un desplazamiento proporcionado por el invitado antes de calcular un p... • https://access.redhat.com/security/cve/CVE-2023-4135 • CWE-125: Out-of-bounds Read •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-3180 – Heap buffer overflow in virtio_crypto_sym_op_helper()
https://notcve.org/view.php?id=CVE-2023-3180
03 Aug 2023 — A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ. Gaoning Pan and Xingwei Li discovered that QEMU incorrectly handled the USB xHCI controller device. A privileged guest attacker could possibly use this issue to cause QEMU to crash, leading to a denial of service... • https://access.redhat.com/security/cve/CVE-2023-3180 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-1386 – Qemu: 9pfs: suid/sgid bits not dropped on file write
https://notcve.org/view.php?id=CVE-2023-1386
24 Jul 2023 — A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host. • https://access.redhat.com/security/cve/CVE-2023-1386 • CWE-281: Improper Preservation of Permissions •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-3019 – Qemu: e1000e: heap use-after-free in e1000e_write_packet_to_guest()
https://notcve.org/view.php?id=CVE-2023-3019
24 Jul 2023 — A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. An update for qemu-kvm is now available for Red Hat Enterprise Linux 9. Issues addressed include denial of service, null pointer, and use-after-free vulnerabilities. • https://access.redhat.com/errata/RHSA-2024:0135 • CWE-416: Use After Free •