Qemu · Qemu · CVE-2008-2004
**Name of the Vulnerable Software and Affected Versions**
QEMU version 0.9.1
**Description**
The issue allows local guest users to read arbitrary files on the host by modifying the header of a raw disk image to identify a different format. This is possible because the `drive_init` function in QEMU determines the format of a raw disk image based on the header. The modified header is used when the guest is restarted.
**Recommendations**
For QEMU version 0.9.1, as a temporary workaround, consider restricting access to the `drive_init` function until a patch is available. Additionally, avoid using the raw disk image feature with untrusted guests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
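
One host-side check that follows from the description above is to inspect images that are supposed to be raw before a guest is restarted, and flag any whose leading bytes would be probed as another format. The script below is an added example, not part of the advisory or of QEMU; the function names and the non-exhaustive magic table are assumptions made for illustration.

```python
"""Flag raw disk images whose first bytes match another image format's magic."""
import sys

# Assumption: non-exhaustive table of well-known header magics found at offset 0.
FOREIGN_MAGICS = {
    b"QFI\xfb": "qcow/qcow2",
    b"KDMV": "vmdk (sparse extent)",
    b"COWD": "vmdk (legacy COW disk)",
    b"conectix": "vpc/vhd",
}
HEADER_LEN = max(len(m) for m in FOREIGN_MAGICS)


def probe_header(header: bytes):
    """Return the format name the header would be mistaken for, or None."""
    for magic, name in FOREIGN_MAGICS.items():
        if header.startswith(magic):
            return name
    return None


def audit_raw_image(path: str):
    """Read only the leading bytes of an image that is expected to be raw."""
    with open(path, "rb") as fh:
        return probe_header(fh.read(HEADER_LEN))


def audit_many(paths):
    """Map each suspicious path to the foreign format its header claims."""
    findings = {}
    for path in paths:
        fmt = audit_raw_image(path)
        if fmt is not None:
            findings[path] = fmt
    return findings


if __name__ == "__main__":
    # Usage: python audit_raw.py guest1.img guest2.img ...
    hits = audit_many(sys.argv[1:])
    for path, fmt in hits.items():
        print(f"SUSPICIOUS {path}: raw image carries a {fmt} header")
    sys.exit(1 if hits else 0)
```

A non-zero exit status means at least one image should be reviewed before the guest that owns it is restarted.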