CVE-2015-8701 — Off-by-one Error in Qemu

CWE-193 — Off-by-one Error CWE-121 — Stack-based Buffer Overflow7 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 78.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu

Timeline

PublishedDec 29

Latest updateMay 13

Description

QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:HExploitability: 2.0 | Impact: 4.0

Affected Packages3 packages

▶debiandebian/qemu< qemu 1:2.5+dfsg-3 (bookworm)

▶Debianqemu/qemu< 1:2.5+dfsg-3+3

▶NVDqemu/qemu2.5.1.1

Patches

Patch: lists.gnu.org ↗Patch: lists.gnu.org ↗

🔴Vulnerability Details

GHSA

GHSA-2h29-rjh5-xxch: QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error↗2022-05-13

▶

OSV

CVE-2015-8701: QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error↗2016-12-29

▶

📋Vendor Advisories

Red Hat

Qemu: net: rocker: stack buffer overflow(off-by-one) in tx_consume routine↗2015-12-23

▶

Debian

CVE-2015-8701: qemu - QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vuln...↗2015

▶

💬Community

Bugzilla

CVE-2015-8701 qemu: Buffer overflow in tx_consume in rocker.c [fedora-all]↗2015-12-22

▶

Bugzilla

CVE-2015-8701 Qemu: net: rocker: stack buffer overflow(off-by-one) in tx_consume routine↗2015-12-01

▶