CVE-2018-16867

Name of the Vulnerable Software and Affected Versions: qemu versions prior to 3.1.0

Description: A flaw in the qemu Media Transfer Protocol (MTP) implementation allows for a path traversal due to improper filename sanitization in the usb mtp write data function. This can lead to reading and writing arbitrary files, potentially causing a denial of service (DoS) scenario or possibly allowing code execution on the host. The issue is related to errors in synchronization when using a shared resource.

Recommendations: For versions prior to 3.1.0, update to version 3.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the usb mtp write data function in the hw/usb/dev-mtp.c file to minimize the risk of exploitation.