Qinghao Tang

**Name of the Vulnerable Software and Affected Versions** KoreaShow (affected versions not specified) **Description** The issue is related to an integer overflow in the transferMulti function of a smart contract implementation. This allows attackers to increase digital assets without authorization by crafting the ` value` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (aka Quick Emulator) versions (affected versions not specified) **Description** The issue allows local guest OS privileged users to cause a denial of service, resulting in a divide-by-zero error and QEMU process crash. This is achieved through vectors involving blit pitch values when cirrus graphics mode is set to VGA. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Qemu (affected versions not specified) **Description** The issue is related to a divide by zero problem that can occur when copying VGA data in cirrus graphics mode set to VGA. This could allow a privileged user inside a guest to crash the Qemu process instance on the host, resulting in a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue allows local guest OS administrators to cause a denial of service, resulting in a NULL pointer dereference and QEMU process crash. This is achieved by providing a large I/O descriptor buffer length value to the `virtqueue map desc` function in `hw/virtio/virtio.c`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (aka Quick Emulator) (affected versions not specified) **Description** The issue allows local guest OS administrators to cause a denial of service. This can be achieved through vectors related to `cursor.mask[]` and `cursor.image[]` array sizes when processing a DEFINE CURSOR svga command, resulting in an out-of-bounds write and a QEMU process crash. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue is caused by an off-by-one error in the `tx consume` routine when processing transmit descriptors with more than the allowed number of fragments. This can be exploited by a privileged user inside a guest to cause memory leakage on the host or crash the QEMU process instance, resulting in a denial of service issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue concerns improper bounds checking on banked access to video memory in the VGA module. This allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 2.5.1 **Description** The issue is related to multiple integer overflows in the USB Net device emulator. This can be exploited by local guest OS administrators to cause a denial of service, such as crashing the QEMU process, or to obtain sensitive host memory information. The exploitation occurs via a remote NDIS control message packet that is mishandled in specific functions. **Recommendations** For QEMU versions prior to 2.5.1, update to version 2.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the USB Net device emulator to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 2.5.1 **Description** The issue is related to the improper validation of USB configuration descriptor objects in the is rndis function, which can be exploited by local guest OS administrators to cause a denial of service. This can be achieved via vectors involving a remote NDIS control message packet, resulting in a NULL pointer dereference and a QEMU process crash. **Recommendations** For versions prior to 2.5.1, update to version 2.5.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Xen versions 3.4.0 through 3.4.1 Xen versions 4.1.x through 4.6.x **Description** The issue allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact. This is achieved via a crafted page identifier (MFN) to specific sub-ops in the HYPERVISOR mmuext op hypercall, including (1) MMUEXT MARK SUPER or (2) MMUEXT UNMARK SUPER, or through unknown vectors related to page table updates. **Recommendations** For Xen versions 3.4.0 and 3.4.1, update to a version that includes the fix for this issue. For Xen versions 4.1.x through 4.6.x, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the HYPERVISOR mmuext op hypercall to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability in the hw/ide/ahci.c component of QEMU, specifically when it is built with IDE AHCI Emulation support. This vulnerability can be exploited by guest OS users, potentially allowing them to cause a denial of service, such as crashing the instance, or possibly execute arbitrary code. The exploitation is linked to an invalid AHCI Native Command Queuing (NCQ) AIO command. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue is related to a stack-based buffer overflow in the `megasas ctrl get info` function in QEMU, specifically when it is built with SCSI MegaRAID SAS HBA emulation support. This allows local guest users to cause a denial of service by crashing the QEMU instance via a crafted SCSI controller `CTRL GET INFO` command. The exploitation of this issue can lead to a service disruption. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** A memory leak issue exists, allowing remote attackers to cause a denial of service due to memory consumption. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue is related to a memory leak in the QEMU VMWARE VMXNET3 paravirtual NIC emulator. This can be exploited by a local attacker to cause a denial of service, specifically by consuming host memory. The exploitation involves repeatedly trying to activate the `vmxnet3` device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue allows local guest OS privileged users to cause a denial of service by leveraging failure to define the .write method in the MSI-X MMIO support, resulting in a NULL pointer dereference and QEMU process crash. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue allows local guest OS administrators to cause a denial of service, resulting in an infinite loop and CPU consumption. This is achieved via a circular isochronous transfer descriptor (iTD) list in the `ehci process itd` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** A heap-based buffer overflow issue exists in the pcnet receive function in hw/net/pcnet.c, allowing guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU qemu-kvm (affected versions not specified) **Description** The issue allows local guest users to cause a denial of service, resulting in an application crash and infinite loop. This is achieved through vectors involving the command block list in the eepro100 emulator. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** sblim-sfcb versions 1.3.4 through 1.3.18 **Description** The issue is related to the `lookupProviders` function in `providerMgr.c`, which is vulnerable to NULL pointer dereference errors. This can be exploited by a remote attacker using a specially crafted packet with an empty `className`, potentially causing a denial of service and application crash. **Recommendations** For sblim-sfcb versions 1.3.4 through 1.3.18, consider disabling the `lookupProviders` function as a temporary workaround until a patch is available. Restrict access to the `providerMgr.c` module to minimize the risk of exploitation. Avoid using empty `className` in packets to prevent potential crashes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 2.4.0.1 **Description** The issue is caused by a heap-based buffer overflow in the `ne2000 receive` function. This can allow a local attacker to cause a denial of service or possibly execute arbitrary code via vectors related to receiving packets. A privileged user inside a guest could use this flaw to crash the QEMU instance or potentially execute arbitrary code. **Recommendations** For versions prior to 2.4.0.1, update to version 2.4.0.1 or later to resolve the issue. As a temporary workaround, consider disabling the `ne2000 receive` function until a patch is available. Restrict access to the vulnerable `hw/net/ne2000.c` module to minimize the risk of exploitation. Avoid using the NE2000 NIC emulation support in QEMU until the issue is resolved.