CVE-2017-15124 — Allocation of Resources Without Limits or Throttling in Qemu
Severity: 7.5 HIGH (NVD), 4.4 (OSV)
EPSS: 1.7% (top 17.76%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jan 9
Latest update: May 14
Description
The VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, the VNC server allocated a growing amount of memory to hold this data. A malicious remote VNC client could use this flaw to cause a DoS on the server host.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 5 packages
Community (4)
Bugzilla: CVE-2017-15124 Qemu: memory exhaustion through framebuffer update request message in VNC server [fedora-all] (2017-12-19)
Bugzilla: CVE-2017-15124 xen: Qemu: memory exhaustion through framebuffer update request message in VNC server [fedora-all] (2017-12-19)
Bugzilla: CVE-2017-15124 Qemu: memory exhaustion through framebuffer update request message in VNC server [fedora-all] (2017-12-19)
Bugzilla: CVE-2017-15124 Qemu: memory exhaustion through framebuffer update request message in VNC server (2017-12-12)