Jason Wang

7 exploits Active since Oct 2015
CVE-2022-26353 WRITEUP HIGH WRITEUP
QEMU <6.2.0 - Memory Corruption
A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.
CVSS 7.5
CVE-2022-2962 WRITEUP HIGH WRITEUP
Qemu < 7.1.0 - Denial of Service
A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVSS 7.8
CVE-2013-2016 WRITEUP HIGH WRITEUP
Qemu < 1.4.2 - Improper Privilege Management
A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host.
CVSS 7.8
CVE-2015-5156 WRITEUP WRITEUP
Linux Kernel < 4.1.10 - Memory Corruption
The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets.
CVE-2019-13164 WRITEUP HIGH WRITEUP
QEMU <4.0.0 - Privilege Escalation
qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.
CVSS 7.8
CVE-2021-20257 WRITEUP MEDIUM WRITEUP
Qemu < 6.2.0 - Infinite Loop
An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVSS 6.5
CVE-2021-3748 WRITEUP HIGH WRITEUP
QEMU - Use After Free
A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.
CVSS 7.5