CVE-2015-5261
spice: host memory access from guest using crafted images
Severity Score
Exploit Likelihood
Affected Versions
16Public Exploits
0Exploited in Wild
-Decision
Descriptions
Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS users to read and write to arbitrary memory locations on the host via guest QXL commands related to surface creation.
Desbordamiento de buffer basado en memoria dinámica en SPICE en versiones anteriores a 0.12.6 permite a usuarios invitados del SO leer y escribir en localizaciones de memoria arbitrarias en el anfitrión a través de comandos QXL de invitado relacionados con la creación de superficie.
A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host.
The Simple Protocol for Independent Computing Environments is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-07-01 CVE Reserved
- 2015-10-07 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| http://lists.freedesktop.org/archives/spice-devel/2015-October/02... | Mailing List | |
| http://www.openwall.com/lists/oss-security/2015/10/06/4 | Mailing List |
|
| http://www.oracle.com/technetwork/topics/security/linuxbulletinoc... | X_refsource_confirm |
|
| http://www.securitytracker.com/id/1033753 | Vdb Entry |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2015-1889.html | 2017-09-16 | |
| http://rhn.redhat.com/errata/RHSA-2015-1890.html | 2017-09-16 | |
| http://www.debian.org/security/2015/dsa-3371 | 2017-09-16 | |
| http://www.ubuntu.com/usn/USN-2766-1 | 2017-09-16 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1261889 | 2015-10-12 | |
| https://security.gentoo.org/glsa/201606-05 | 2017-09-16 | |
| https://access.redhat.com/security/cve/CVE-2015-5261 | 2015-10-12 |