CVE-2015-3214

Linux kernel <2.6.33 & QEMU <2.3.1 - Use After Free

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-3214. PoCs published by Google Security Research.

AI-analyzed exploit summary: The exploit targets a heap overflow and information disclosure vulnerability in QEMU's programmable interrupt timer (PIT) controller. By manipulating the channel index, it reads and writes out-of-bounds memory, potentially leaking host data or corrupting heap structures.

Description

The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · text · dos · multiple
https://www.exploit-db.com/exploits/37990


Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: QEMU (versions prior to fix for CVE-2015-3214)
No auth needed
Prerequisites: Guest VM execution context (Ring-0) · Access to PIT I/O ports
devstral-2 · analyzed Feb 16, 2026

References (17)

Core References
Mailing List mailing-list x_refsource_mlist
https://www.mail-archive.com/qemu-devel%40nongnu.org/msg304138.html
Third Party Advisory x_refsource_confirm
https://support.lenovo.com/product_security/qemu
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1229640
Third Party Advisory x_refsource_confirm
https://support.lenovo.com/us/en/product_security/qemu
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37990/
Issue Tracking, Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201510-02
Issue Tracking, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3348
Issue Tracking, Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1508.html
Issue Tracking, Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1507.html
Broken Link, Vendor Advisory x_refsource_confirm
http://mirror.linux.org.au/linux/kernel/v2.6/ChangeLog-2.6.33
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1512.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1032598
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/75273
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/06/25/7

Scores

EPSS 0.0159
EPSS Percentile 72.5%

Details

CWE: CWE-119
Status: published
Products (50)
arista/eos 4.12
arista/eos 4.13
arista/eos 4.14
arista/eos 4.15
debian/debian_linux 7.0
debian/debian_linux 8.0
lenovo/emc_px12-400r_ivx < 1.0.10.33264
lenovo/emc_px12-450r_ivx < 1.0.10.33264
linux/linux_kernel < 2.6.32
qemu/qemu < 2.3.0
... and 40 more
Published Aug 31, 2015
Tracked Since Feb 18, 2026