QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.

...

OESA-2024-1310 qemu security update

QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed. Security Fixes: A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on th...

An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.

...

An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host resulting in a denial of service.

...

SUSE CVE-2010-0309

The pitioportread function in the Programmable Interval Timer PIT emulation in i8254.c in KVM 83 does not properly use the pitstate data structure, which allows guest OS users to cause a denial of service host OS crash or hang by attempting to read the /dev/port file...

SUSE CVE-2012-3432

The handlemmio function in arch/x86/hvm/io.c in the MMIO operations emulator for Xen 3.3 and 4.x, when running an HVM guest, does not properly reset certain state information between emulation cycles, which allows local guest OS users to cause a denial of service guest OS crash via unspecified...

SUSE CVE-2016-9932

CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows local HVM guest OS users to obtain sensitive information from host stack memory via a "supposedly-ignored" operand size prefix...

kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c

An out of bounds OOB memory access flaw was found in i2csmbusxferemulated in drivers/i2c/i2c-core-smbus.c in I2C subsystem. A read request for length data-block0 greater than 'I2CSMBUSBLOCKMAX + 1' may cause underlying I2C driver write out of array's boundary. This could allow a local attacker wi...

QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu()

A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the tcpemu routine while emulating IRC and other protocols. An attacker could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential...

UBUNTU-CVE-2019-18425

An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by installing and using descriptors. There is missing descriptor table limit checking in x86 PV emulation. When emulating certain PV guest operations, descriptor table accesses are performe...

UBUNTU-CVE-2017-18551

An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2csmbusxferemulated...

DEBIAN-CVE-2017-7518

A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flagTF bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exceptionDB being raised in the guest stack. A user/process inside a guest could use this flaw to...

QEMU i8254 PIT Emulation Bug

Lenovo Security Advisory: LEN-2015-075 Potential Impact: Escalation of Privileges Severity: High Summary: A vulnerability was reported in QEMU where a local user on the guest system could potentially obtain elevated privileges on the target host system. This vulnerability was reported to Red Hat...

kernel: kvm: syscall instruction induced guest panic

The emsyscall function in arch/x86/kvm/emulate.c in the KVM implementation in the Linux kernel before 3.2.14 does not properly handle the 0f05 aka syscall opcode, which allows guest OS users to cause a denial of service guest OS crash via a crafted application, as demonstrated by an NASM file...