Vulnerabilities > Spice Project

DATE CVE VULNERABILITY TITLE RISK
2021-05-28 CVE-2021-20201 Resource Exhaustion vulnerability in multiple products
A flaw was found in spice in versions before 0.14.92.
network
low complexity
spice-project redhat CWE-400
5.0
2020-10-07 CVE-2020-14355 Classic Buffer Overflow vulnerability in multiple products
Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1.
6.5
2019-02-04 CVE-2019-3813 Off-by-one Error vulnerability in multiple products
Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt.
5.4
2018-09-11 CVE-2018-10893 Integer Overflow or Wraparound vulnerability in Spice Project Spice
Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames.
network
low complexity
spice-project CWE-190
6.5
2018-08-17 CVE-2018-10873 Improper Input Validation vulnerability in multiple products
A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks.
network
low complexity
spice-project debian canonical redhat CWE-20
6.5
2018-07-27 CVE-2016-9578 Improper Input Validation vulnerability in multiple products
A vulnerability was discovered in SPICE before 0.13.90 in the server's protocol handling.
network
low complexity
spice-project debian redhat CWE-20
5.0
2018-07-27 CVE-2016-9577 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
A vulnerability was discovered in SPICE before 0.13.90 in the server's protocol handling.
network
low complexity
spice-project debian redhat CWE-119
6.5
2017-07-18 CVE-2017-7506 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Spice Project Spice
spice versions though 0.13 are vulnerable to out-of-bounds memory access when processing specially crafted messages from authenticated attacker to the spice server resulting into crash and/or server memory leak.
network
low complexity
spice-project CWE-119
6.5
2016-06-09 CVE-2016-2150 Improper Access Control vulnerability in multiple products
SPICE allows local guest OS users to read from or write to arbitrary host memory locations via crafted primary surface parameters, a similar issue to CVE-2015-5261.
3.6
2016-06-09 CVE-2016-0749 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The smartcard interaction in SPICE allows remote attackers to cause a denial of service (QEMU-KVM process crash) or possibly execute arbitrary code via vectors related to connecting to a guest VM, which triggers a heap-based buffer overflow.
network
low complexity
opensuse debian redhat microsoft spice-project CWE-119
critical
10.0