Prasad J Pandit

**Name of the Vulnerable Software and Affected Versions** QEMU versions up to and including 5.2.0 **Description** The issue is related to a potential stack overflow via an infinite loop in various NIC emulators of QEMU. This occurs in loopback mode of a NIC where reentrant DMA checks get bypassed, allowing a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial-of-service scenario. **Recommendations** For QEMU versions up to and including 5.2.0, update to a version later than 5.2.0 to resolve the issue. At the moment, there is no information about other specific fixes for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 5.6.13 **Description** The issue is related to the VFIO PCI driver in the Linux kernel, which mishandles attempts to access disabled memory space. This can be exploited to cause a denial of service. **Recommendations** For Linux kernel versions through 5.6.13, update to a version that includes the fix for this issue to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** QEMU versions 4.0 through 4.1.0 **Description** The issue is related to the `rom copy()` function in `hw/core/loader.c`, which does not properly validate the relationship between two addresses. This allows attackers to trigger an invalid memory copy operation, potentially leading to a buffer overflow. Exploitation of this issue may enable a remote attacker to access confidential data, compromise data integrity, and cause a denial of service. **Recommendations** For QEMU versions 4.0 through 4.1.0, consider disabling the `rom copy()` function as a temporary workaround until a patch is available. Restrict access to the `hw/core/loader.c` module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU version 4.1.0 **Description** The issue is related to a memory leak in the `zrle compress data` function during a VNC disconnect operation due to the misuse of libz. This results in memory allocated in `deflateInit2` not being freed in `deflateEnd`, potentially allowing a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. **Recommendations** For QEMU version 4.1.0, consider updating to a version where the `zrle compress data` function is properly handled to prevent memory leaks. As a temporary workaround, consider restricting access to the VNC disconnect operation to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel versions 3.13 through 5.4 **Description** An out-of-bounds memory write issue was found in the Linux Kernel's KVM hypervisor, related to the handling of the 'KVM GET EMULATED CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service. The issue may also allow an attacker to compromise data integrity. **Recommendations** For Linux Kernel versions 3.13 through 5.4, consider restricting access to the '/dev/kvm' device to minimize the risk of exploitation. As a temporary workaround, limiting the use of the KVM hypervisor's 'KVM GET EMULATED CPUID' ioctl(2) request may help mitigate the issue until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux upstream kernel versions prior to 5.5 **Description** A flaw was found in the fix for a previous issue, related to how Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. This issue affects guests running on Cascade Lake CPUs and requires that the host has 'TSX' enabled. The flaw allows for the confidentiality of data to be compromised. **Recommendations** For Linux upstream kernel versions prior to 5.5, update to version 5.5 or later to resolve the issue. As a temporary workaround, consider disabling the TSX feature on the host CPU to minimize the risk of exploitation. Restrict access to sensitive data on guests running on affected hosts until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** QEMU version 3.0.0 **Description** The issue is related to an Integer Overflow in QEMU 3.0.0, caused by the qga/commands*.c files not checking the length of the argument list or the number of environment variables. However, it has been disputed as not exploitable. **Recommendations** For QEMU version 3.0.0, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue is caused by a buffer overflow in the memory of the QEMU hardware emulator's Virtio GPU emulator. It may allow a local attacker to cause a denial of service by crashing the application. A memory leakage issue could occur while updating cursor data, potentially allowing a guest user or process to leak host memory bytes, resulting in a denial of service for the host. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue is related to a memory leak in the `v9fs device unrealize common` function, which can be exploited by local privileged guest OS users to cause a denial of service. This can lead to host memory consumption and possibly a QEMU process crash via vectors involving the order of resource cleanup. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue is related to a memory leak in the hw/9pfs/9p.c file of QEMU, which can be exploited by local privileged guest OS users to cause a denial of service. This is achieved by leveraging a missing cleanup operation in FileOperations, leading to host memory consumption and possibly causing the QEMU process to crash. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue is related to a memory leak in the hw/9pfs/9p-handle.c file in QEMU, which can be exploited by local privileged guest OS users to cause a denial of service. This can lead to host memory consumption and possibly a QEMU process crash. The exploitation is possible due to a missing cleanup operation in the handle backend. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue is related to a memory leak in the hw/9pfs/9p-proxy.c function of the QEMU hardware emulator's proxy backend service. This leak can be exploited by a local user of the guest operating system, allowing them to cause a denial of service. The denial of service can manifest as consumption of the host's memory or a crash of the QEMU process. The exploitation is possible due to a missing cleanup operation in the proxy backend. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue allows local guest OS administrators to cause a denial of service, resulting in an infinite loop and QEMU process crash. This is due to the failure to limit the number of link Transfer Request Blocks (TRB) to process in the `xhci ring fetch` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (aka Quick Emulator) (affected versions not specified) **Description** The issue allows local guest OS administrators to cause a denial of service by leveraging failure to check IP header length in the `vmxnet tx pkt parse headers` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue is related to the Virtual Network Device (virtio-net) support in QEMU, specifically in the hw/virtio/virtio.c module. When big or mergeable receive buffers are not supported, remote attackers can cause a denial of service by flooding the network with jumbo frames on the tuntap or macvtap interface. This can lead to guest network consumption. The problem is caused by a buffer overflow in the virtio.c module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 2.4.0 **Description** The issue allows a guest user to cause a denial of service, resulting in the QEMU process crashing. This can be achieved by sending a crafted virtio control message. A user logged on to the guest OS can exploit this to cause QEMU to crash. **Recommendations** For versions prior to 2.4.0, update to version 2.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `send control msg` function in the `hw/char/virtio-serial-bus.c` file until a patch is available.