An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-22b1f8dae2 advisory.

    hcd-xhci: infinite loop in xhci_ring_chain_length (CVE-2020-14394)     ati-vga: out-of-bounds write in ati_2d_blt (CVE-2021-3638)     acpi erst: memory corruption issues (CVE-2022-4172)     qxl: qxl_phys2virt unsafe address translation (CVE-2022-4144)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202408-18 (QEMU: Multiple Vulnerabilities)

    Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below     for details.

Tenable has extracted the preceding description block directly from the Gentoo Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6567-1 advisory.

    Gaoning Pan and Xingwei Li discovered that QEMU incorrectly handled the USB xHCI controller device. A     privileged guest attacker could possibly use this issue to cause QEMU to crash, leading to a denial of     service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2020-14394)

    It was discovered that QEMU incorrectly handled the TCG Accelerator. A local attacker could use this issue     to cause QEMU to crash, leading to a denial of service, or possibly execute arbitrary code and esclate     privileges. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-24165)

    It was discovered that QEMU incorrectly handled the Intel HD audio device. A malicious guest attacker     could use this issue to cause QEMU to crash, leading to a denial of service. This issue only affected     Ubuntu 22.04 LTS. (CVE-2021-3611)

    It was discovered that QEMU incorrectly handled the ATI VGA device. A malicious guest attacker could use     this issue to cause QEMU to crash, leading to a denial of service. This issue only affected Ubuntu 20.04     LTS. (CVE-2021-3638)

    It was discovered that QEMU incorrectly handled the VMWare paravirtual RDMA device. A malicious guest     attacker could use this issue to cause QEMU to crash, leading to a denial of service. (CVE-2023-1544)

    It was discovered that QEMU incorrectly handled the 9p passthrough filesystem. A malicious guest attacker     could possibly use this issue to open special files and escape the exported 9p tree. This issue only     affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. (CVE-2023-2861)

    It was discovered that QEMU incorrectly handled the virtual crypto device. A malicious guest attacker     could use this issue to cause QEMU to crash, leading to a denial of service, or possibly execute arbitrary     code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. (CVE-2023-3180)

    It was discovered that QEMU incorrectly handled the built-in VNC server. A remote authenticated attacker     could possibly use this issue to cause QEMU to stop responding, resulting in a denial of service. This     issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-3255)

    It was discovered that QEMU incorrectly handled net device hot-unplugging. A malicious guest attacker     could use this issue to cause QEMU to crash, leading to a denial of service. This issue only affected     Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-3301)

    It was discovered that QEMU incorrectly handled the built-in VNC server. A remote attacker could possibly     use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu     20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. (CVE-2023-3354)

    It was discovered that QEMU incorrectly handled NVME devices. A malicious guest attacker could use this     issue to cause QEMU to crash, leading to a denial of service. This issue only affected Ubuntu 23.10.
    (CVE-2023-40360)

    It was discovered that QEMU incorrectly handled NVME devices. A malicious guest attacker could use this     issue to cause QEMU to crash, leading to a denial of service, or possibly obtain sensitive information.
    This issue only affected Ubuntu 23.10. (CVE-2023-4135)

    It was discovered that QEMU incorrectly handled SCSI devices. A malicious guest attacker could use this     issue to cause QEMU to crash, leading to a denial of service. This issue only affected Ubuntu 23.04 and     Ubuntu 23.10. (CVE-2023-42467)

    It was discovered that QEMU incorrectly handled certain disk offsets. A malicious guest attacker could     possibly use this issue to gain control of the host in certain nested virtualization scenarios.
    (CVE-2023-5088)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the qemu package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

  - A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious     guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service     condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU     versions prior to 7.0.0. (CVE-2021-3611)

  - A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the     Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be     written to the controller's registers and trigger undesirable actions (such as reset) while the device is     still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or     potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects     QEMU versions before 7.0.0. (CVE-2021-3750)

  - A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within     the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service     condition. (CVE-2021-4158)

  - A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc()     function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer     overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or     potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)

  - A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values     `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object     followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw     to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU     process. (CVE-2021-4207)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

  - A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is     strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by     virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and     is writable by a user who is not a member of the group. This could allow a malicious unprivileged user     inside the guest to gain access to resources accessible to the root group, potentially escalating their     privileges within the guest. A malicious local user in the host might also leverage this unexpected     executable file created by the guest to escalate their privileges on the host system. (CVE-2022-0358)

  - A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for     CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and     other unexpected results. Affected QEMU version: 6.2.0. (CVE-2022-26353)

  - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached     from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.
    Affected QEMU versions <= 6.2.0. (CVE-2022-26354)

  - An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the     extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially     crafted payload message, resulting in a denial of service. (CVE-2022-3165)

  - softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path,     leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-virtualization Use Case     in the qemu.org reference applies here, i.e., 'Bugs affecting the non-virtualization use case are not     considered security bugs at this time. (CVE-2022-35414)

  - An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the     Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count ==     block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a     denial of service condition. (CVE-2022-3872)

  - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt()     function does not check the size of the structure pointed to by the guest physical address, potentially     reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to     crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

  - A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem     may lead to memory corruption bugs like stack overflow or use-after-free. (CVE-2023-0330)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0879-1 advisory.

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0840-1 advisory.

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

  - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt()     function does not check the size of the structure pointed to by the guest physical address, potentially     reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to     crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0761-1 advisory.

  - sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read     during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)

  - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address     in an msi-x mmio operation. (CVE-2020-13754)

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It     could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in     hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host,     resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the     QEMU process on the host. (CVE-2020-17380)

  - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c     mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)

  - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to     the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This     flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of     service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc()     function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer     overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or     potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

  - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached     from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.
    Affected QEMU versions <= 6.2.0. (CVE-2022-26354)

  - ** DISPUTED ** softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the     translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-     virtualization Use Case in the qemu.org reference applies here, i.e., Bugs affecting the non-     virtualization use case are not considered security bugs at this time. (CVE-2022-35414)

  - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt()     function does not check the size of the structure pointed to by the guest physical address, potentially     reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to     crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3362 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3362-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Sylvain Beucler     March 14, 2023                                https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : qemu     Version        : 1:3.1+dfsg-8+deb10u10     CVE ID         : CVE-2020-14394 CVE-2020-29130 CVE-2021-3592 CVE-2021-3593                      CVE-2021-3594 CVE-2021-3595 CVE-2022-0216 CVE-2022-1050     Debian Bug     : 970937 979677 986795 989993 989994 989995 989996 1014589 1014590

    Multiple security issues were discovered in QEMU, a fast processor     emulator, which could result in denial of service, information leak,     or potentially the execution of arbitrary code.

    CVE-2020-14394

        An infinite loop flaw was found in the USB xHCI controller         emulation of QEMU while computing the length of the Transfer         Request Block (TRB) Ring. This flaw allows a privileged guest user         to hang the QEMU process on the host, resulting in a denial of         service.

    CVE-2020-17380/CVE-2021-3409

        A heap-based buffer overflow was found in QEMU in the SDHCI device         emulation support. It could occur while doing a multi block SDMA         transfer via the sdhci_sdma_transfer_multi_blocks() routine in         hw/sd/sdhci.c. A guest user or process could use this flaw to         crash the QEMU process on the host, resulting in a denial of         service condition, or potentially execute arbitrary code with         privileges of the QEMU process on the host.

    CVE-2020-29130

        slirp.c has a buffer over-read because it tries to read a certain         amount of header data even if that exceeds the total packet         length.

    CVE-2021-3592

        An invalid pointer initialization issue was found in the SLiRP         networking implementation of QEMU. The flaw exists in the         bootp_input() function and could occur while processing a udp         packet that is smaller than the size of the 'bootp_t' structure. A         malicious guest could use this flaw to leak 10 bytes of         uninitialized heap memory from the host.

    CVE-2021-3593

        An invalid pointer initialization issue was found in the SLiRP         networking implementation of QEMU. The flaw exists in the         udp6_input() function and could occur while processing a udp         packet that is smaller than the size of the 'udphdr'         structure. This issue may lead to out-of-bounds read access or         indirect host memory disclosure to the guest.

    CVE-2021-3594

        An invalid pointer initialization issue was found         in the SLiRP networking implementation of QEMU. The flaw exists in         the udp_input() function and could occur while processing a udp         packet that is smaller than the size of the 'udphdr'         structure. This issue may lead to out-of-bounds read access or         indirect host memory disclosure to the guest.

    CVE-2021-3595

        An invalid pointer initialization issue was found in the SLiRP         networking implementation of QEMU. The flaw exists in the         tftp_input() function and could occur while processing a udp         packet that is smaller than the size of the 'tftp_t'         structure. This issue may lead to out-of-bounds read access or         indirect host memory disclosure to the guest.

    CVE-2022-0216

        A use-after-free vulnerability was found in the LSI53C895A SCSI         Host Bus Adapter emulation of QEMU. The flaw occurs while         processing repeated messages to cancel the current SCSI request         via the lsi_do_msgout function. This flaw allows a malicious         privileged user within the guest to crash the QEMU process on the         host, resulting in a denial of service.

    CVE-2022-1050

        A flaw was found in the QEMU implementation of VMWare's         paravirtual RDMA device. This flaw allows a crafted guest driver         to execute HW commands when shared buffers are not yet allocated,         potentially leading to a use-after-free condition.
        Note: PVRDMA is disabled in buster, but this was fixed         preventively in case this changes in the future.

    For Debian 10 buster, these problems have been fixed in version     1:3.1+dfsg-8+deb10u10.

    We recommend that you upgrade your qemu packages.

    For the detailed security status of qemu please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/qemu

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
211221	Fedora 37 : qemu (2022-22b1f8dae2)	Nessus	Fedora Local Security Checks	medium
205306	GLSA-202408-18 : QEMU: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
187683	Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 : QEMU vulnerabilities (USN-6567-1)	Nessus	Ubuntu Local Security Checks	high
176865	EulerOS Virtualization 2.11.1 : qemu (EulerOS-SA-2023-2082)	Nessus	Huawei Local Security Checks	high
176798	EulerOS Virtualization 2.11.0 : qemu (EulerOS-SA-2023-2134)	Nessus	Huawei Local Security Checks	high
173375	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : qemu (SUSE-SU-2023:0879-1)	Nessus	SuSE Local Security Checks	medium
173215	SUSE SLES15 Security Update : qemu (SUSE-SU-2023:0840-1)	Nessus	SuSE Local Security Checks	high
172642	SUSE SLES12 Security Update : qemu (SUSE-SU-2023:0761-1)	Nessus	SuSE Local Security Checks	high
172554	Debian dla-3362 : qemu - security update	Nessus	Debian Local Security Checks	high
169867	EulerOS Virtualization 2.9.1 : qemu (EulerOS-SA-2023-1212)	Nessus	Huawei Local Security Checks	high
169814	EulerOS Virtualization 2.9.0 : qemu (EulerOS-SA-2023-1242)	Nessus	Huawei Local Security Checks	high
169488	EulerOS Virtualization 2.10.0 : qemu (EulerOS-SA-2022-2925)	Nessus	Huawei Local Security Checks	high
169363	EulerOS Virtualization 2.10.1 : qemu (EulerOS-SA-2022-2951)	Nessus	Huawei Local Security Checks	high

Detections

Analytics

CVE-2020-14394

low

Tenable Plugins

medium

high

high

high

high

medium

high

high

high

high

high

high

high