Debian Qemu vulnerabilities

446 known vulnerabilities affecting debian/qemu.

Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1

Vulnerabilities

Page 1 of 23
CVE-2026-2243 | MEDIUM | CVSS 5.1 | fixed in qemu 1:10.2.2+ds-1 (forky) | 2026
[MEDIUM] qemu - A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a 12-byte leak of sensitive information or a denial of service condition (DoS). Scope: local. bookworm: open; bullseye: open; forky: resolved (fixed in 1:10.2.2+ds-1); sid: resolved (fixed in 1:10.2.2+ds-1); trixie: open
CVE-2026-0665 | LOW | CVSS 6.5 | fixed in qemu 1:10.2.0+ds-2 (forky) | 2026
[MEDIUM] qemu - An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved (fixed in 1:10.2.0+ds-2); sid: r
CVE-2026-3195 | LOW | fixed in qemu 1:10.2.2+ds-1 (forky) | 2026
[LOW] qemu - bookworm: resolved; bullseye: resolved; forky: resolved (fixed in 1:10.2.2+ds-1); sid: resolved (fixed in 1:10.2.2+ds-1); trixie: open
CVE-2026-3196 | LOW | fixed in qemu 1:10.2.2+ds-1 (forky) | 2026
[LOW] qemu - bookworm: resolved; bullseye: resolved; forky: resolved (fixed in 1:10.2.2+ds-1); sid: resolved (fixed in 1:10.2.2+ds-1); trixie: open
CVE-2026-3842 | UNKNOWN | fixed in qemu 1:10.2.2+ds-1 (forky) | 2026
qemu - bookworm: open; bullseye: resolved; forky: resolved (fixed in 1:10.2.2+ds-1); sid: resolved (fixed in 1:10.2.2+ds-1); trixie: open
CVE-2025-11234 | HIGH | CVSS 7.5 | fixed in qemu 1:7.2+dfsg-7+deb12u18 (bookworm) | 2025
[HIGH] qemu - A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSoc
CVE-2025-14876 | MEDIUM | CVSS 5.5 | fixed in qemu 1:10.2.1+ds-1 (forky) | 2025
[MEDIUM] qemu - A flaw was found in the virtio-crypto device of QEMU. A malicious guest operating system can exploit a missing length limit in the AKCIPHER path, leading to uncontrolled memory allocation. This can result in a denial of service (DoS) on the host system by causing the QEMU process to terminate unexpectedly. Scope: local. bookworm: open; bullseye: resolved; forky: resolve
CVE-2025-54567 | LOW | CVSS 5.3 | fixed in qemu 1:10.0.3+ds-1 (forky) | 2025
[MEDIUM] qemu - hw/pci/pcie_sriov.c in QEMU through 10.0.3 mishandles the VF Enable bit write mask, a related issue to CVE-2024-26327. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved (fixed in 1:10.0.3+ds-1); sid: resolved (fixed in 1:10.0.3+ds-1); trixie: resolved (fixed in 1:10.0.2+ds-2+deb13u1)
CVE-2025-12464 | LOW | CVSS 6.2 | fixed in qemu 1:10.1.3+ds-1 (forky) | 2025
[MEDIUM] qemu - A stack-based buffer overflow was found in the QEMU e1000 network device. The code for padding short frames was dropped from individual network devices and moved to the net core code. The issue stems from the device's receive code still being able to process a short frame in loopback mode. This could lead to a buffer overrun in the e1000_receive_iov() function via th
CVE-2025-8860 | LOW | CVSS 3.3 | fixed in qemu 1:10.0.3+ds-4 (forky) | 2025
[LOW] qemu - A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANS
CVE-2025-54566 | LOW | CVSS 5.3 | fixed in qemu 1:10.0.3+ds-1 (forky) | 2025
[MEDIUM] qemu - hw/pci/pcie_sriov.c in QEMU through 10.0.3 has a migration state inconsistency, a related issue to CVE-2024-26327. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved (fixed in 1:10.0.3+ds-1); sid: resolved (fixed in 1:10.0.3+ds-1); trixie: resolved (fixed in 1:10.0.2+ds-2+deb13u1)
CVE-2024-4467 | HIGH | CVSS 7.8 | fixed in qemu 1:7.2+dfsg-7+deb12u7 (bookworm) | 2024
[HIGH] qemu - A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file. Scope: local. bookworm: resolved (fixed i
CVE-2024-3446 | HIGH | CVSS 8.2 | fixed in qemu 1:7.2+dfsg-7+deb12u6 (bookworm) | 2024
[HIGH] qemu - A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the
CVE-2024-7730 | HIGH | CVSS 7.4 | fixed in qemu 1:9.1.0+ds-1 (forky) | 2024
[HIGH] qemu - A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for
CVE-2024-24474 | HIGH | CVSS 8.8 | fixed in qemu 1:7.2+dfsg-7+deb12u3 (bookworm) | 2024
[HIGH] qemu - QEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the length of the available FIFO data. This occurs in esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len. Scope: local. bookworm: resolved (fixed in 1:7.2+dfsg-7+deb12u3); bullseye: resolved; forky: resolved (fix
CVE-2024-7409 | HIGH | CVSS 7.5 | fixed in qemu 1:7.2+dfsg-7+deb12u8 (bookworm) | 2024
[HIGH] qemu - A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. Scope: local. bookworm: resolved (fixed in 1:7.2+dfsg-7+deb12u8); bullseye: resolved (fixed in 1:5.2+dfsg-11+deb11u5); forky: resolved (fixed in 1:9.0.2+ds-3)
CVE-2024-6519 | HIGH | CVSS 8.2 | 2024
[HIGH] qemu - A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape. Scope: local. bookworm: open; bullseye: open; forky: open; sid: open; trixie: open
CVE-2024-26327 | MEDIUM | CVSS 5.3 | fixed in qemu 1:7.2+dfsg-7+deb12u6 (bookworm) | 2024
[MEDIUM] qemu - An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c mishandles the situation where a guest writes NumVFs greater than TotalVFs, leading to a buffer overflow in VF implementations. Scope: local. bookworm: resolved (fixed in 1:7.2+dfsg-7+deb12u6); bullseye: resolved; forky: resolved (fixed in 1:8.2.3+ds-1); sid: resolved (fixed in 1:8.2
CVE-2024-26328 | MEDIUM | CVSS 6.0 | fixed in qemu 1:7.2+dfsg-7+deb12u6 (bookworm) | 2024
[MEDIUM] qemu - An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c does not set NumVFs to PCI_SRIOV_TOTAL_VF, and thus interaction with hw/nvme/ctrl.c is mishandled. Scope: local. bookworm: resolved (fixed in 1:7.2+dfsg-7+deb12u6); bullseye: resolved; forky: resolved (fixed in 1:8.2.3+ds-1); sid: resolved (fixed in 1:8.2.3+ds-1); trixie: resolved (fi
CVE-2024-8354 | MEDIUM | CVSS 5.5 | fixed in qemu 1:10.1.1+ds-1 (forky) | 2024
[MEDIUM] qemu - A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition. Scope: local. bookworm: open; bullseye: open; forky: resolved (fixed in 1:10.1.