CVSS: 9.8EPSS: 4%CPEs: 9EXPL: 0CVE-2016-4002
https://notcve.org/view.php?id=CVE-2016-4002
Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes. Desbordamiento de buffer en la función mipsnet_receive en hw/net/mipsnet.c en QEMU, cuando el NIC invitado se configura para aceptar paquetes grandes, permite a atacantes remotos provocar una denegación de servicio (corrupción de memoria y caída de QEMU) o posiblemente ejecutar código arbitrario a través de un paquete de más de 1514 bytes. • http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183275.html http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183350.html http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184209.html http://www.openwall.com/lists/oss-security/2016/04/11/6 http://www.openwall.com/lists/oss-security/2016/04/12/7 http://www.securityfocus.com/bid/85992 http://www.ubuntu.com/usn/USN-2974-1 https://bugzilla.redhat.com/show_bug.cgi?id=1326082 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.4EPSS: 0%CPEs: 35EXPL: 0CVE-2016-2857 – Qemu: net: out of bounds read in net_checksum_calculate()
https://notcve.org/view.php?id=CVE-2016-2857
The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet. La función net_checksum_calculate en net/checksum.c en QEMU permite a usuarios del SO invitado provocar una denegación de servicio (lectura de memoria dinámica fuera de rango y caída) a través de una longitud de la carga útil en un paquete manipulado. An out-of-bounds read-access flaw was found in the QEMU emulator built with IP checksum routines. The flaw could occur when computing a TCP/UDP packet's checksum, because a QEMU function used the packet's payload length without checking against the data buffer's size. A user inside a guest could use this flaw to crash the QEMU process (denial of service). • http://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=362786f14a753d8a5256ef97d7c10ed576d6572b http://rhn.redhat.com/errata/RHSA-2016-2670.html http://rhn.redhat.com/errata/RHSA-2016-2671.html http://rhn.redhat.com/errata/RHSA-2016-2704.html http://rhn.redhat.com/errata/RHSA-2016-2705.html http://rhn.redhat.com/errata/RHSA-2016-2706.html http://rhn.redhat.com/errata/RHSA-2017-0083.html http://rhn.redhat.com/errata/RHSA-2017-0309.html http://rhn.redhat.com/errata/RHSA- • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-2538
https://notcve.org/view.php?id=CVE-2016-2538
Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function. Múltiples vulnerabilidades de desbordamiento de entero en el dispositivo de emulación USB Net (hw/usb/dev-network.c) en QEMU en versiones anteriores a 2.5.1 permite a administradores locales del SO invitado provocar una denegación de servicio (caída del proceso QEMU) u obtener información sensible de la memoria del anfitrión a través de un paquete de mensajes de control remoto de NDIS que no es manjeado correctamente en las funciones (1) rndis_query_response, (2) rndis_set_response o (3) usb_net_handle_dataout. • http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=fe3c546c5ff2a6210f9a4d8561cc64051ca8603e http://lists.nongnu.org/archive/html/qemu-stable/2016-03/msg00064.html http://www.openwall.com/lists/oss-security/2016/02/22/3 http://www.securityfocus.com/bid/83336 http://www.ubuntu.com/usn/USN-2974-1 https://bugzilla.redhat.com/show_bug.cgi?id=1303120 https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg03658.h • CWE-189: Numeric Errors •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2016-2858
https://notcve.org/view.php?id=CVE-2016-2858
QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption. QEMU, cuando está construido con el soporte back-end Pseudo Random Number Generator (PRNG), permite a usuarios locales del SO invitado provocar una denegación de servicio (caída del proceso) a través una petición de entropía, lo que desencadena una asignación arbitraria basada en asignación y corrupción de memoria. • http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 http://www.openwall.com/lists/oss-security/2016/03/04/1 http://www.openwall.com/lists/oss-security/2016/03/07/4 http://www.securityfocus.com/bid/84134 http://www.ubuntu.com/usn/USN-2974-1 https://bugzilla.redhat.com/show_bug.cgi?id=1314676 https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html https://security.gentoo.org/glsa/201604-01 • CWE-331: Insufficient Entropy •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8701
https://notcve.org/view.php?id=CVE-2015-8701
QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue. QEMU (también conocido como Quick Emulator) construido con el soporte de emulación switch Rocker es vulnerable a un error off-by-one. Sucede mientras se procesan los descriptores de transmisión (tx) en rutina 'tx_consume', si un descriptor debía tener más fragmentos (ROCKER_TX_FRAGS_MAX=16) de los permitidos. • http://www.openwall.com/lists/oss-security/2015/12/28/6 http://www.openwall.com/lists/oss-security/2015/12/29/1 http://www.securityfocus.com/bid/79706 https://bugzilla.redhat.com/show_bug.cgi?id=1286971 https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html https://security.gentoo.org/glsa/201602-01 • CWE-193: Off-by-one Error •