Paolo Bonzini

13 exploits Active since Jul 2012
CVE-2011-3346 WRITEUP WRITEUP
QEMU < 0.15.2 - Denial of Service via Crafted SAI READ CAPACITY SCSI Command
Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs.
CVE-2011-4127 WRITEUP WRITEUP
Linux kernel <3.2.2 - Privilege Escalation
The Linux kernel before 3.2.2 does not properly restrict SG_IO ioctl calls, which allows local users to bypass intended restrictions on disk read and write operations by sending a SCSI command to (1) a partition block device or (2) an LVM volume.
CVE-2019-6974 WRITEUP HIGH WRITEUP
Linux kernel <4.20.8 - Use After Free
In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.
CVSS 8.1
CVE-2022-0216 WRITEUP MEDIUM WRITEUP
QEMU < 6.0.0 - Use-After-Free in LSI53C895A SCSI Host Bus Adapter Emulation
A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
CVSS 4.4
CVE-2023-42467 WRITEUP MEDIUM WRITEUP
QEMU < 8.0.0 - Denial of Service via Division by Zero in SCSI Disk Reset
QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.
CVSS 5.5
CVE-2015-4692 WRITEUP WRITEUP
Linux Kernel < 4.1.3 - Denial of Service via KVM APIC Events Handling
The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.
CVE-2015-5307 WRITEUP WRITEUP
Linux kernel <4.2.6 & Xen 4.3.x-4.6.x - DoS
The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.
CVE-2021-38198 WRITEUP MEDIUM WRITEUP
Linux kernel <5.12.11 - Privilege Escalation
arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault.
CVSS 5.5
CVE-2022-1263 WRITEUP MEDIUM WRITEUP
Linux Kernel < 5.18 - Denial of Service via KVM vCPU Dirty Ring Release
A NULL pointer dereference issue was found in KVM when releasing a vCPU with dirty ring support enabled. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.
CVSS 5.5
CVE-2022-2153 WRITEUP MEDIUM WRITEUP
Linux Kernel < 5.18 - Denial of Service via KVM SynIC IRQ NULL Pointer Dereference
A flaw was found in the Linux kernel’s KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.
CVSS 5.5
CVE-2022-39189 WRITEUP HIGH WRITEUP
Linux Kernel <5.18.17 - Privilege Escalation
An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.
CVSS 7.8
CVE-2023-1513 WRITEUP LOW WRITEUP
Linux Kernel < 6.2 - Information Disclosure via KVM_GET_DEBUGREGS Uninitialized Memory
A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.
CVSS 3.3
CVE-2023-30456 WRITEUP MEDIUM WRITEUP
Linux Kernel < 6.2.8 - Improper Check for Unusual or Exceptional Conditions in nVMX CR0 and CR4 Handling
An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.
CVSS 6.5