CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2023-6693 – Qemu: virtio-net: stack buffer overflow in virtio_net_flush_tx()
https://notcve.org/view.php?id=CVE-2023-6693
02 Jan 2024 — A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak. Se encontró un desbordamiento de búfer e... • https://access.redhat.com/errata/RHSA-2024:2962 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2861 – Qemu: 9pfs: improper access control on special files
https://notcve.org/view.php?id=CVE-2023-2861
06 Dec 2023 — A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder. Se encontró una falla en la implementación del sistema de archivos de paso 9p (9pfs) en QEMU. El servidor 9pfs no prohibía la apertura de archivos especiales en el lado del host, lo que potencialmente permitía que un clien... • https://access.redhat.com/security/cve/CVE-2023-2861 • CWE-284: Improper Access Control •
CVSS: 7.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-5088 – Qemu: improper ide controller reset can lead to mbr overwrite
https://notcve.org/view.php?id=CVE-2023-5088
03 Nov 2023 — A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot. Un error en QEMU podría causar que una operación de E/S de invitado que de otro modo estaría dirigida a... • https://access.redhat.com/errata/RHSA-2024:2135 • CWE-662: Improper Synchronization CWE-821: Incorrect Synchronization •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-3255 – Qemu: vnc: infinite loop in inflate_buffer() leads to denial of service
https://notcve.org/view.php?id=CVE-2023-3255
13 Sep 2023 — A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service. Se encontró una falla en el servidor VNC integrado de QEMU al procesar mensajes ClientCutText. Una condición de salida incorrecta puede provocar un bucle inf... • https://access.redhat.com/errata/RHSA-2024:2135 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.6EPSS: 0%CPEs: 3EXPL: 0CVE-2023-3301 – Triggerable assertion due to race condition in hot-unplug
https://notcve.org/view.php?id=CVE-2023-3301
13 Sep 2023 — A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service. Se encontró una falla en QEMU. La naturaleza asíncrona de la desconexión en caliente permite un escenario de ejecución en el que el backend del dispositivo de red se borra antes de que se haya desconectado el frontend pci de virtio-net.... • https://access.redhat.com/security/cve/CVE-2023-3301 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-617: Reachable Assertion •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-42467 – QEMU: am53c974: denial of service due to division by zero
https://notcve.org/view.php?id=CVE-2023-42467
11 Sep 2023 — QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately. QEMU hasta 8.0.0 podría desencadenar una división por cero en scsi_disk_reset en hw/scsi/scsi-disk.c porque scsi_disk_emulate_mode_select no impide que s->qdev.blocksize sea 256. Esto detiene QEMU y el invitado inmediatamente. A denial of service vulnerability was found in the qemu ... • https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c • CWE-369: Divide By Zero •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36648
https://notcve.org/view.php?id=CVE-2022-36648
22 Aug 2023 — The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case. La emulación de hardware en el of_dpa_cmd_add_l2_flood del modelo de dispositivo rocker en QEMU, tal y... • https://lists.nongnu.org/archive/html/qemu-devel/2022-06/msg04469.html • CWE-476: NULL Pointer Dereference •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-3180 – Heap buffer overflow in virtio_crypto_sym_op_helper()
https://notcve.org/view.php?id=CVE-2023-3180
03 Aug 2023 — A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ. Gaoning Pan and Xingwei Li discovered that QEMU incorrectly handled the USB xHCI controller device. A privileged guest attacker could possibly use this issue to cause QEMU to crash, leading to a denial of service... • https://access.redhat.com/security/cve/CVE-2023-3180 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-3019 – Qemu: e1000e: heap use-after-free in e1000e_write_packet_to_guest()
https://notcve.org/view.php?id=CVE-2023-3019
24 Jul 2023 — A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. An update for qemu-kvm is now available for Red Hat Enterprise Linux 9. Issues addressed include denial of service, null pointer, and use-after-free vulnerabilities. • https://access.redhat.com/errata/RHSA-2024:0135 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2023-3354 – Improper i/o watch removal in tls handshake can lead to remote unauthenticated denial of service
https://notcve.org/view.php?id=CVE-2023-3354
11 Jul 2023 — A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service. Gaoning Pan and Xingwei Li discovered that QEMU incorr... • https://access.redhat.com/security/cve/CVE-2023-3354 • CWE-476: NULL Pointer Dereference •