Jason Wang

7 exploits Active since Oct 2015
CVE-2022-26353 WRITEUP HIGH
QEMU 6.2.0 - Memory Leak via Virtio-Net Device Error Handling
A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.
CVSS 7.5
CVE-2022-2962 WRITEUP HIGH
QEMU 4.2.0-7.0.0 - Denial of Service via Tulip DMA Reentrancy
A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVSS 7.8
CVE-2013-2016 WRITEUP HIGH
qemu 1.3.0-1.4.2 - Privilege Escalation via Virtio Device Config Space Address Validation
A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when a guest accesses the config space of a virtio device. If the virtio device has a zero-sized or small config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host qemu address space and thus increase their privileges on the host.
CVSS 7.8
CVE-2015-5156 WRITEUP
Linux Kernel < 4.2 - Denial of Service via Virtio Net FRAGLIST Feature
The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets.
CVE-2019-13164 WRITEUP HIGH
QEMU 3.1 and 4.0.0 - ACL Bypass via Oversized Network Interface Name
qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.
CVSS 7.8
CVE-2021-20257 WRITEUP MEDIUM
QEMU < 6.2.0 - Denial of Service via e1000 NIC Emulator Infinite Loop
An infinite loop flaw was found in the e1000 NIC emulator of QEMU. This issue occurs while processing transmit (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVSS 6.5
CVE-2021-3748 WRITEUP HIGH
QEMU 0.10.0-6.1.0 - Use-After-Free in virtio-net Descriptor Handling
A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non-direct-access region, because num_buffers is set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.
CVSS 7.5