CVE-2014-3689 — Improper Privilege Management in Qemu

CWE-269 — Improper Privilege Management10 documents7 sources

Severity

7.2HIGHNVD

OSV2.1

EPSS

0.1%

top 74.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu Canonical Ubuntu Linux +1 more

Timeline

PublishedNov 14

Latest updateJul 16

Description

The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling.

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages4 packages

▶debiandebian/qemu< qemu 2.1+dfsg-6 (bookworm)

▶Debianqemu/qemu< 2.1+dfsg-6+3

▶Ubuntuqemu/qemu< 2.0.0+dfsg-2ubuntu1.7

▶NVDqemu/qemu2.1.3

Also affects: Debian Linux 7.0, Ubuntu Linux 10.04, 12.04, 14.04, 14.10

🔴Vulnerability Details

GHSA

GHSA-4563-6q26-9q79: The vmware-vga driver (hw/display/vmware_vga↗2022-05-13

▶

OSV

CVE-2014-3689: The vmware-vga driver (hw/display/vmware_vga↗2014-11-14

▶

OSV

qemu, qemu-kvm vulnerabilities↗2014-11-13

▶

📋Vendor Advisories

Red Hat

kernel: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver↗2024-07-16

▶

Ubuntu

QEMU vulnerabilities↗2014-11-13

▶

Red Hat

qemu: vmware_vga: insufficient parameter validation in rectangle functions↗2014-10-14

▶

Debian

CVE-2014-3689: qemu - The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users...↗2014

▶

💬Community

Bugzilla

CVE-2014-3689 qemu: vmware_vga: insufficient parameter validation in rectangle functions [fedora-all]↗2014-10-15

▶

Bugzilla

CVE-2014-3689 qemu: vmware_vga: insufficient parameter validation in rectangle functions↗2014-10-15

▶