CVE-2018-16847
Ubuntu Security Notice USN-3826-1
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process.
Se ha encontrado un problema de acceso fuera de límites al búfer de memoria dinámica (heap) r/w en la emulación NVM Express Controller en QEMU. Podría ocurrir en las rutinas nvme_cmb_ops en el dispositivo nvme. Un proceso/usuario invitado podría emplear este error para provocar el cierre inesperado del proceso QEMU, lo que resulta en una denegación de servicio (DoS) o en la potencial ejecución de código arbitrario con los privilegios del proceso QEMU.
Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled NE2000 device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. It was discovered that QEMU incorrectly handled the Slirp networking back-end. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-09-11 CVE Reserved
- 2018-11-02 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-125: Out-of-bounds Read
- CWE-787: Out-of-bounds Write
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/105866 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16847 | 2020-05-14 | |
| https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg00200.html | 2020-05-14 | |
| https://www.openwall.com/lists/oss-security/2018/11/02/1 | 2020-05-14 |
| URL | Date | SRC |
|---|---|---|
| https://usn.ubuntu.com/3826-1 | 2020-05-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Qemu Search vendor "Qemu" | Qemu Search vendor "Qemu" for product "Qemu" | <= 3.0.0 Search vendor "Qemu" for product "Qemu" and version " <= 3.0.0" | - |
Affected
| ||||||
| Qemu Search vendor "Qemu" | Qemu Search vendor "Qemu" for product "Qemu" | 3.1.0 Search vendor "Qemu" for product "Qemu" and version "3.1.0" | rc0 |
Affected
| ||||||
| Qemu Search vendor "Qemu" | Qemu Search vendor "Qemu" for product "Qemu" | 3.1.0 Search vendor "Qemu" for product "Qemu" and version "3.1.0" | rc1 |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10" | - |
Affected
| ||||||