CVE-2008-0928 — Qemu vulnerability

CWE-2647 documents7 sources

Severity

4.7MEDIUMNVD

EPSS

0.1%

top 71.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu

Timeline

PublishedMar 3

Latest updateMay 1

Description

Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine.

CVSS vector

AV:L/AC:M/C:C/I:N/A:NExploitability: 3.4 | Impact: 6.9

Affected Packages3 packages

▶debiandebian/qemu< qemu 0.9.1+svn20081207-1 (bookworm)

▶Debianqemu/qemu< 0.9.1+svn20081207-1+3

▶NVDqemu/qemu29 versions+28

🔴Vulnerability Details

GHSA

GHSA-4gr3-prqp-v6r3: Qemu 0↗2022-05-01

▶

OSV

CVE-2008-0928: Qemu 0↗2008-03-03

▶

💥Exploits & PoCs

Exploit-DB

EMC AlphaStor Device Manager Opcode 0x75 - Command Injection (Metasploit)↗2014-09-24

▶

📋Vendor Advisories

Red Hat

Qemu insufficient block device address range checking↗2008-02-19

▶

Debian

CVE-2008-0928: qemu - Qemu 0.9.1 and earlier does not perform range checks for block device read or wr...↗2008

▶

💬Community

Bugzilla

CVE-2008-0928 Qemu insufficient block device address range checking↗2008-02-20

▶