CVE-2019-20808

Name of the Vulnerable Software and Affected Versions QEMU version 4.1.0

Description The issue is an out-of-bounds read flaw in the ATI VGA implementation. It occurs in the ati cursor define() routine while handling MMIO write operations through the ati mm write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.

Recommendations For QEMU version 4.1.0, as a temporary workaround, consider disabling the ati cursor define() function until a patch is available. Restrict access to the ATI VGA implementation to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.