Ren Ding

**Name of the Vulnerable Software and Affected Versions** QEMU version 4.2.0 **Description** The issue is related to an out-of-bounds access in the PCI configuration space and a buffer overflow in the ati mm read function. This could allow an attacker to cause a denial of service. **Recommendations** For QEMU version 4.2.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU version 4.2.0 **Description** The issue is related to a buffer data boundary operation overflow in QEMU, which can be exploited to access confidential data, compromise data integrity, and cause a denial of service. Specifically, the `hw/pci/msix.c` file in QEMU allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. **Recommendations** For QEMU version 4.2.0, consider restricting access to the `hw/pci/msix.c` file or the msi-x mmio operation to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU versions 4.2.0 through 5.0.0 **Description** The issue is related to a buffer data boundary operation overflow. It allows an attacker to compromise data integrity and cause a denial of service. The problem lies in the `es1370 transfer audio` function in `hw/audio/es1370.c`, which does not properly validate the frame count. This allows guest OS users to trigger an out-of-bounds access during an `es1370 write()` operation. **Recommendations** For QEMU versions 4.2.0 through 5.0.0, consider disabling the `es1370 transfer audio` function until a patch is available to prevent out-of-bounds access during `es1370 write()` operations. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU versions 5.0.0 and earlier QEMU versions 4.2.0 **Description** The issue is related to an out-of-bounds read in the `megasas lookup frame` function in `hw/scsi/megasas.c`. This can be triggered via a crafted `reply queue head` field from a guest OS user, potentially leading to a denial of service. **Recommendations** For QEMU versions 5.0.0 and earlier, update to a version later than 5.0.0 to resolve the issue. For QEMU version 4.2.0, update to a version later than 4.2.0 to resolve the issue. As a temporary workaround, consider restricting access to the `megasas lookup frame` function in `hw/scsi/megasas.c` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QEMU version 4.2.0 **Description** The issue is related to the ati-vga component in the QEMU hardware emulator, which is vulnerable to uncontrolled recursion. This can be triggered by a crafted mm index value during an ati mm read or ati mm write call, potentially allowing an attacker to cause a denial of service. **Recommendations** For QEMU version 4.2.0, as a temporary workaround, consider disabling the ati-vga component to minimize the risk of exploitation. Restrict access to the `ati mm read` and `ati mm write` functions until a patch is available. Avoid using the `mm index` variable in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.