National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:qemu:qemu:-
There are 177 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2019-12929

** DISPUTED ** The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue.

Published: June 24, 2019; 07:15:09 AM -04:00
V3: 9.8 CRITICAL
V2: 10.0 HIGH
CVE-2019-12928

** DISPUTED ** The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue.

Published: June 24, 2019; 07:15:09 AM -04:00
V3: 9.8 CRITICAL
V2: 10.0 HIGH
CVE-2019-8934

hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.

Published: March 21, 2019; 12:01:14 PM -04:00
V3: 3.3 LOW
V2: 2.1 LOW
CVE-2018-20191

hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference).

Published: December 20, 2018; 06:29:02 PM -05:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2018-20124

hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value.

Published: December 20, 2018; 06:29:02 PM -05:00
V3: 5.5 MEDIUM
V2: 2.1 LOW
CVE-2018-20216

QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled).

Published: December 20, 2018; 04:29:01 PM -05:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2018-20126

hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled.

Published: December 20, 2018; 04:29:00 PM -05:00
V3: 5.5 MEDIUM
V2: 2.1 LOW
CVE-2018-20125

hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings.

Published: December 20, 2018; 04:29:00 PM -05:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2018-20123

pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak after an initialisation error.

Published: December 17, 2018; 02:29:02 PM -05:00
V3: 5.5 MEDIUM
V2: 2.1 LOW
CVE-2018-16872

A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.

Published: December 13, 2018; 04:29:00 PM -05:00
V3: 5.3 MEDIUM
V2: 3.5 LOW
CVE-2018-19489

v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming.

Published: December 13, 2018; 02:29:00 PM -05:00
V3: 5.5 MEDIUM
V2: 2.1 LOW
CVE-2018-19364

hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome.

Published: December 13, 2018; 02:29:00 PM -05:00
V3: 5.5 MEDIUM
V2: 2.1 LOW
CVE-2018-16867

A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lead do DoS scenario OR possibly lead to code execution on the host.

Published: December 12, 2018; 08:29:02 AM -05:00
V3: 8.8 HIGH
V2: 4.6 MEDIUM
CVE-2018-19665

The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption.

Published: December 06, 2018; 06:29:01 PM -05:00
V3: 5.7 MEDIUM
V2: 2.7 LOW
CVE-2018-18954

The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 allows out-of-bounds write or read access to PowerNV memory.

Published: November 15, 2018; 03:29:00 PM -05:00
V3: 5.5 MEDIUM
V2: 2.1 LOW
CVE-2018-16847

An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process.

Published: November 02, 2018; 06:29:00 PM -04:00
V3: 7.8 HIGH
V2: 4.6 MEDIUM
CVE-2018-18438

Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value.

Published: October 19, 2018; 06:29:02 PM -04:00
V3: 5.5 MEDIUM
V2: 2.1 LOW
CVE-2018-10839

Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.

Published: October 16, 2018; 10:29:01 AM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2018-17963

qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.

Published: October 09, 2018; 06:29:01 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2018-17958

Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used.

Published: October 09, 2018; 06:29:00 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM