Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-2382 — Infinite Loop in Qemu

CWE-399 CWE-835 — Infinite Loop10 documents8 sources

Severity

5.0MEDIUMNVD

EPSS

21.4%

top 4.29%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Qemu Debian Qemu KVM Qumranet KVM

Timeline

PublishedDec 24

Latest updateMay 1

Description

The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶debiandebian/qemu< qemu 0.9.1-9 (bookworm)

▶Debianqemu/qemu< 0.9.1-9+3

▶NVDqemu/qemu0.9.1+28

▶NVDkvm_qumranet/kvm79+78

🔴Vulnerability Details

GHSA

GHSA-gr5p-5pp4-jfr7: The protocol_client_msg function in vnc↗2022-05-01

▶

OSV

CVE-2008-2382: The protocol_client_msg function in vnc↗2008-12-24

▶

💥Exploits & PoCs

Exploit-DB

QEMU 0.9 / KVM 36/79 - VNC Server Remote Denial of Service↗2008-12-22

▶

📋Vendor Advisories

Ubuntu

KVM regression↗2009-05-13

▶

Ubuntu

KVM vulnerabilities↗2009-05-12

▶

Ubuntu

xterm vulnerabilities↗2009-01-06

▶

Red Hat

qemu/kvm: remote DoS (infinite loop) via specially-crafted VNC message received by the domain↗2008-12-22

▶

Debian

CVE-2008-2382: qemu - The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 an...↗2008

▶

💬Community

Bugzilla

CVE-2008-2382 qemu/kvm: remote DoS (infinite loop) via specially-crafted VNC message received by the domain↗2008-12-22

▶