U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:qemu:qemu:3.0.0
There are 91 matching records.
Displaying matches 61 through 80.
Vuln ID Summary CVSS Severity
CVE-2020-13754

hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.

Published: June 02, 2020; 10:15:10 AM -0400
V3.1: 6.7 MEDIUM
V2.0: 4.6 MEDIUM
CVE-2020-13362

In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.

Published: May 28, 2020; 11:15:11 AM -0400
V3.1: 3.2 LOW
V2.0: 2.1 LOW
CVE-2020-13361

In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.

Published: May 28, 2020; 10:15:11 AM -0400
V3.1: 3.9 LOW
V2.0: 3.3 LOW
CVE-2020-13253

sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.

Published: May 27, 2020; 11:15:12 AM -0400
V3.1: 5.5 MEDIUM
V2.0: 2.1 LOW
CVE-2020-1711

An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host.

Published: February 11, 2020; 3:15:11 PM -0500
V3.1: 6.0 MEDIUM
V2.0: 6.0 MEDIUM
CVE-2019-20175

An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert.

Published: December 30, 2019; 11:15:10 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2019-12929

The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue

Published: June 24, 2019; 7:15:09 AM -0400
V3.0: 9.8 CRITICAL
V2.0: 10.0 HIGH
CVE-2019-12928

The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue

Published: June 24, 2019; 7:15:09 AM -0400
V3.0: 9.8 CRITICAL
V2.0: 10.0 HIGH
CVE-2019-9824

tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.

Published: June 03, 2019; 5:29:00 PM -0400
V3.0: 5.5 MEDIUM
V2.0: 2.1 LOW
CVE-2019-12247

QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable

Published: May 22, 2019; 11:29:03 AM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2019-8934

hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.

Published: March 21, 2019; 12:01:14 PM -0400
V3.1: 3.3 LOW
V2.0: 2.1 LOW
CVE-2019-6778

In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.

Published: March 21, 2019; 12:01:10 PM -0400
V3.0: 7.8 HIGH
V2.0: 4.6 MEDIUM
CVE-2018-18849

In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value.

Published: March 21, 2019; 12:00:29 PM -0400
V3.0: 5.5 MEDIUM
V2.0: 2.1 LOW
CVE-2019-3812

QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host.

Published: February 19, 2019; 9:29:00 AM -0500
V3.0: 5.5 MEDIUM
V2.0: 2.1 LOW
CVE-2018-20191

hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference).

Published: December 20, 2018; 6:29:02 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2018-20124

hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value.

Published: December 20, 2018; 6:29:02 PM -0500
V3.1: 5.5 MEDIUM
V2.0: 2.1 LOW
CVE-2018-20216

QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled).

Published: December 20, 2018; 4:29:01 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2018-20126

hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled.

Published: December 20, 2018; 4:29:00 PM -0500
V3.1: 5.5 MEDIUM
V2.0: 2.1 LOW
CVE-2018-20125

hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings.

Published: December 20, 2018; 4:29:00 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2018-20123

pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak after an initialisation error.

Published: December 17, 2018; 2:29:02 PM -0500
V3.1: 5.5 MEDIUM
V2.0: 2.1 LOW