Description: The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read.
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.0 | Impact: 6.0
Attack Vector: Local
Complexity: Low
Privileges: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
Affected Packages (8 packages)
Debian: qemu < 2.1+dfsg-1 +3
Ubuntu: qemu < 2.0.0+dfsg-2ubuntu1.3
CVEListV5: qemu before 1.7.2
Also affects: Enterprise Linux 6.5
🔴 Vulnerability Details (4)
GHSA: GHSA-4g6m-vjr9-mv9r: The virtqueue_map_sg function in hw/virtio/virtio (2022-05-05)
CVEList: CVE-2013-4535: The virtqueue_map_sg function in hw/virtio/virtio (2020-02-11)
OSV: CVE-2013-4535: The virtqueue_map_sg function in hw/virtio/virtio (2020-02-11)
OSV: qemu, qemu-kvm vulnerabilities (2014-09-08)
📋 Vendor Advisories (3)
Ubuntu: QEMU vulnerabilities (2014-09-08)
Red Hat: qemu: virtio: insufficient validation of num_sg when mapping (2013-12-03)
Debian: CVE-2013-4535: qemu - The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows ... (2013)
💬 Community (2)
Bugzilla: CVE-2013-4535 CVE-2013-4536 qemu: virtio: insufficient validation of num_sg when mapping [fedora-all] (2014-05-08)
Bugzilla: CVE-2013-4535 CVE-2013-4536 qemu: virtio: insufficient validation of num_sg when mapping (2014-02-18)