Vulnerabilities > Qemu > High

DATE CVE VULNERABILITY TITLE RISK
2016-06-16 CVE-2016-2538 Numeric Errors vulnerability in Qemu
Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function.
local
low complexity
qemu CWE-189
7.1
2016-06-14 CVE-2016-5338 The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer.
local
low complexity
qemu canonical debian
7.8
2016-06-01 CVE-2016-5126 Out-of-bounds Write vulnerability in multiple products
Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call.
local
low complexity
qemu canonical oracle debian redhat CWE-787
7.8
2016-05-23 CVE-2016-4001 Classic Buffer Overflow vulnerability in multiple products
Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.
network
low complexity
qemu canonical fedoraproject debian CWE-120
8.6
2016-05-11 CVE-2016-3710 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.
8.8
2016-04-12 CVE-2016-2857 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.
local
low complexity
qemu canonical debian redhat CWE-119
8.4
2016-04-12 CVE-2016-1568 Use After Free vulnerability in multiple products
Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.
local
low complexity
qemu redhat debian CWE-416
8.8
2016-04-07 CVE-2016-1714 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a firmware configuration.
local
high complexity
redhat oracle qemu CWE-119
8.1
2016-01-12 CVE-2015-1779 Resource Exhaustion vulnerability in multiple products
The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.
8.6
2015-11-06 CVE-2015-6855 Divide By Zero vulnerability in multiple products
hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash.
7.5