Vulnerabilities > Qemu > Medium

DATE CVE VULNERABILITY TITLE RISK
2016-11-04 CVE-2016-8576 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process.
local
low complexity
qemu opensuse redhat debian CWE-770
6.0
2016-10-10 CVE-2016-7423 Unspecified vulnerability in Qemu
The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors involving MPTSASRequest objects.
local
low complexity
qemu
4.4
2016-10-05 CVE-2016-7909 Infinite Loop vulnerability in multiple products
The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0.
local
low complexity
qemu debian CWE-835
4.4
2016-10-05 CVE-2016-7908 Infinite Loop vulnerability in multiple products
The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.
local
low complexity
qemu debian CWE-835
4.4
2016-10-05 CVE-2016-7907 Resource Management Errors vulnerability in Qemu
The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.
local
low complexity
qemu CWE-399
4.4
2016-09-07 CVE-2016-6351 The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer.
local
low complexity
qemu canonical debian
6.7
2016-09-02 CVE-2016-5107 Out-of-bounds Read vulnerability in multiple products
The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors.
local
low complexity
qemu canonical debian CWE-125
6.0
2016-09-02 CVE-2016-5106 Out-of-bounds Write vulnerability in multiple products
The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command.
local
low complexity
qemu canonical debian CWE-787
6.0
2016-09-02 CVE-2016-5105 Use of Uninitialized Resource vulnerability in multiple products
The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command.
local
low complexity
qemu canonical debian CWE-908
4.4
2016-09-02 CVE-2016-4952 Out-of-bounds Write vulnerability in multiple products
QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual SCSI bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds array access) via vectors related to the (1) PVSCSI_CMD_SETUP_RINGS or (2) PVSCSI_CMD_SETUP_MSG_RING SCSI command.
local
low complexity
qemu canonical debian CWE-787
6.0