CVE-2019-14378

QEMU - Denial of Service

Severity Score

8.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.

La función ip_reass en el archivo ip_input.c en libslirp versión 4.0.0, presenta un desbordamiento de búfer en la región heap de la memoria por medio de un paquete largo debido a que maneja inapropiadamente un caso que involucra el primer fragmento.

A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the ip_reass() routine while reassembling incoming packets if the first fragment is bigger than the m->m_dat[] buffer. An attacker could use this flaw to crash the QEMU process on the host, resulting in a Denial of Service or potentially executing arbitrary code with privileges of the QEMU process.

It was discovered that the LSI SCSI adapter emulator implementation in QEMU did not properly validate executed scripts. A local attacker could use this to cause a denial of service. Sergej Schumilo, Cornelius Aschermann and Simon Woerner discovered that the qxl paravirtual graphics driver implementation in QEMU contained a null pointer dereference. A local attacker in a guest could use this to cause a denial of service. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-07-29 CVE Reserved
2019-07-29 CVE Published
2019-08-20 First Exploit
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-122: Heap-based Buffer Overflow
CWE-755: Improper Handling of Exceptional Conditions
CWE-787: Out-of-bounds Write

CAPEC

References (31)

URL	Tag	Source
http://packetstormsecurity.com/files/154269/QEMU-Denial-Of-Service.html	X_refsource_misc
http://www.openwall.com/lists/oss-security/2019/08/01/2	Mailing List
https://blog.bi0s.in/2019/08/24/Pwn/VM-Escape/2019-07-29-qemu-vm-escape-cve-2019-14378	X_refsource_misc
https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html	Mailing List
https://news.ycombinator.com/item?id=20799010	X_refsource_misc
https://seclists.org/bugtraq/2019/Aug/41	Mailing List
https://seclists.org/bugtraq/2019/Sep/3	Mailing List
https://support.f5.com/csp/article/K25423748	X_refsource_confirm
https://support.f5.com/csp/article/K25423748?utm_source=f5support&amp%3Butm_medium=RSS	X_refsource_confirm

URL	Date	SRC
https://packetstorm.news/files/id/154269	2019-08-30
https://www.exploit-db.com/exploits/47320	2019-08-20

URL	Date	SRC
https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04acbabd7ad32c2b018fe10dfac2a3bc1210	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00000.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00008.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00034.html	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3179	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3403	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3494	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3742	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3787	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3968	2023-11-07
https://access.redhat.com/errata/RHSA-2019:4344	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0366	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0775	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPLHB2AN663OXAWUQURF7J2X5LHD4VD3	2023-11-07
https://usn.ubuntu.com/4191-1	2023-11-07
https://usn.ubuntu.com/4191-2	2023-11-07
https://www.debian.org/security/2019/dsa-4506	2023-11-07
https://www.debian.org/security/2019/dsa-4512	2023-11-07
https://access.redhat.com/security/cve/CVE-2019-14378	2020-06-01
https://bugzilla.redhat.com/show_bug.cgi?id=1734745	2020-06-01

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Libslirp Project Search vendor "Libslirp Project"		Libslirp Search vendor "Libslirp Project" for product "Libslirp"				4.0.0 Search vendor "Libslirp Project" for product "Libslirp" and version "4.0.0"		-		Affected