Debian Qemu vulnerabilities
446 known vulnerabilities affecting debian/qemu.
Total CVEs
446
CISA KEV
0
Public exploits
10
Exploited in wild
0
Severity breakdown
CRITICAL: 10
HIGH: 87
MEDIUM: 228
LOW: 120
UNKNOWN: 1
Vulnerabilities
Page 5 of 23
CVE-2021-3507 | qemu | MEDIUM | CVSS 6.1 | fixed in 1:7.1+dfsg-1 (bookworm) | 2021
A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential informati
debian
CVE-2021-3607 | qemu | MEDIUM | CVSS 6.0 | fixed in 1:5.2+dfsg-11 (bookworm) | 2021
An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threa
debian
CVE-2021-4145 | qemu | MEDIUM | CVSS 6.5 | fixed in 1:6.2+dfsg-1 (bookworm) | 2021
A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node.
debian
CVE-2021-3592 | libslirp | LOW | CVSS 3.8 | fixed in 4.6.1-1 (bookworm) | 2021
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from
debian
CVE-2021-3594 | libslirp | LOW | CVSS 3.8 | fixed in 4.6.1-1 (bookworm) | 2021
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from thi
debian
CVE-2021-20263 | qemu | LOW | CVSS 3.3 | fixed in 1:5.2+dfsg-9 (bookworm) | 2021
A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.
debian
CVE-2021-3595 | libslirp | LOW | CVSS 3.8 | fixed in 4.6.1-1 (bookworm) | 2021
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from th
debian
CVE-2021-20295 | qemu | LOW (summary lists MEDIUM) | CVSS 6.5 | 2021
It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com
debian
CVE-2021-3593 | libslirp | LOW | CVSS 3.8 | fixed in 4.6.1-1 (bookworm) | 2021
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from th
debian
CVE-2021-20203 | qemu | LOW | CVSS 3.2 | fixed in 1:6.2+dfsg-1 (bookworm) | 2021
An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
Scope: local
bookworm: resolved (fixed in 1:6.2+dfsg-1)
bullsey
debian
CVE-2021-3392 | qemu | LOW | CVSS 3.2 | fixed in 1:5.2+dfsg-10 (bookworm) | 2021
A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests: in the error case, mptsas_free_request() does not dequeue the request object 'req' from the pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between
debian
CVE-2020-1983 | libslirp | HIGH | CVSS 7.5 | fixed in 4.2.0-2 (bookworm) | 2020
A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service.
Scope: local
bookworm: resolved (fixed in 4.2.0-2)
bullseye: resolved (fixed in 4.2.0-2)
forky: resolved (fixed in 4.2.0-2)
sid: resolved (fixed in 4.2.0-2)
trixie: resolved (fixed in 4.2.0-2)
debian
CVE-2020-35517 | qemu | HIGH | CVSS 8.2 | fixed in 1:5.2+dfsg-5 (bookworm) | 2020
A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices.
Scope: local
bookworm: resolved (fixed in 1:5.2+dfsg-5)
bullseye: resolved (fixed in 1:5.2+dfsg-5)
forky: resolved (fixed in
debian
CVE-2020-1711 | qemu | HIGH | CVSS 7.7 | fixed in 1:4.2-2 (bookworm) | 2020
An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential
debian
CVE-2020-24165 | qemu | HIGH | CVSS 8.8 | fixed in 1:5.0-1 (bookworm) | 2020
An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS). Note: This is disputed as a bug and not a valid security issue by multiple third parties.
Scope: local
bookworm: resolved (fixed in 1:5.0-1)
bullseye: resolved (fixed in 1:5.0-1)
forky: resolved (fixed in
debian
CVE-2020-17380 | qemu | MEDIUM | CVSS 6.3 | fixed in 1:5.2+dfsg-10 (bookworm) | 2020
A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially exe
debian
CVE-2020-29130 | libslirp | MEDIUM | CVSS 4.3 | fixed in 4.4.0-1 (bookworm) | 2020
slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
Scope: local
bookworm: resolved (fixed in 4.4.0-1)
bullseye: resolved (fixed in 4.4.0-1)
forky: resolved (fixed in 4.4.0-1)
sid: resolved (fixed in 4.4.0-1)
trixie: resolved (fixed in 4.4.0-1)
debian
CVE-2020-27821 | qemu | MEDIUM | CVSS 6.0 | fixed in 1:5.2+dfsg-3 (bookworm) | 2020
A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0.
S
debian
CVE-2020-25625 | qemu | MEDIUM | CVSS 5.3 | fixed in 1:5.2+dfsg-1 (bookworm) | 2020
hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.
Scope: local
bookworm: resolved (fixed in 1:5.2+dfsg-1)
bullseye: resolved (fixed in 1:5.2+dfsg-1)
forky: resolved (fixed in 1:5.2+dfsg-1)
sid: resolved (fixed in 1:5.2+dfsg-1)
trixie: resolved (fixed in 1:5.2+dfsg-1)
debian
CVE-2020-29129 | libslirp | MEDIUM | CVSS 4.3 | fixed in 4.4.0-1 (bookworm) | 2020
ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
Scope: local
bookworm: resolved (fixed in 4.4.0-1)
bullseye: resolved (fixed in 4.4.0-1)
forky: resolved (fixed in 4.4.0-1)
sid: resolved (fixed in 4.4.0-1)
trixie: resolved (fixed in 4.4.0-1)
debian