CVE-2015-3456

QEMU < 2.3.0 - Memory Corruption via Floppy Disk Controller Commands

Exploitation Summary

EIP tracks 3 public exploits for CVE-2015-3456. PoCs published by Marcus Meissner, vincentbernat, orf53975.

AI-analyzed exploit summary: This exploit targets a vulnerability in the Linux kernel's floppy disk driver (CVE-2015-3456) by sending repeated commands to the floppy disk controller, causing a denial-of-service condition. The code uses direct I/O port access to manipulate the floppy disk controller.

Description

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.

Exploits (3)

exploitdb WORKING POC
by Marcus Meissner · cdosmultiple
https://www.exploit-db.com/exploits/37053

This exploit targets a vulnerability in the Linux kernel's floppy disk driver (CVE-2015-3456) by sending repeated commands to the floppy disk controller, causing a denial-of-service condition. The code uses direct I/O port access to manipulate the floppy disk controller.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Linux kernel (floppy disk driver)
No auth needed
Prerequisites: Direct hardware access (requires root privileges)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 12 stars
by vincentbernat · poc
https://github.com/vincentbernat/cve-2015-3456

This repository contains a proof-of-concept exploit for CVE-2015-3456 (VENOM), which targets a buffer overflow vulnerability in QEMU's floppy disk controller. The exploit crashes QEMU by sending malformed commands to the FDC I/O port.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: QEMU (versions prior to fix for CVE-2015-3456)
No auth needed
Prerequisites: Access to the QEMU floppy disk controller I/O port (0x3f5)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by orf53975 · poc
https://github.com/orf53975/poisonfrog

This PoC exploits CVE-2015-3456 (VENOM) by sending malicious commands to the floppy disk controller (FDC) via port 0x3f5, triggering a buffer overflow in QEMU's virtual FDC. The exploit leverages the `outb` instruction to push data into the FDC, potentially leading to code execution in the host from the guest.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: QEMU (versions prior to 2.3.0)
No auth needed
Prerequisites: Access to a vulnerable QEMU instance with a virtual floppy disk controller enabled
devstral-2 · analyzed Feb 16, 2026

References (48)

Core References
Vendor Advisory x_refsource_confirm
https://kb.juniper.net/JSA10783
Vendor Advisory x_refsource_confirm
http://support.citrix.com/article/CTX201078
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37053/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1032306
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3259
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201612-27
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0999.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1001.html
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=143229451215900&w=2
Various Sources x_refsource_confirm
http://xenbits.xen.org/xsa/advisory-133.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1003.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1032917
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=143387998230996&w=2
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0998.html
Various Sources x_refsource_confirm
https://www.suse.com/security/cve/CVE-2015-3456.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158072.html
Various Sources x_refsource_confirm
https://bto.bluecoat.com/security-advisory/sa95
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1004.html
Various Sources x_refsource_misc
http://venom.crowdstrike.com/
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1011.html
Various Sources x_refsource_confirm
https://support.lenovo.com/us/en/product_security/venom
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201604-03
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1002.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2608-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1032311
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3262
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201602-01
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-08/msg00021.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/74640
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3274
Vendor Advisory x_refsource_confirm
https://access.redhat.com/articles/1444903
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1000.html

Scores

EPSS 0.1933
EPSS Percentile 95.5%

Details

CWE: CWE-119
Status: published
Products (10)
qemu/qemu < 2.3.0
redhat/enterprise_linux 5
redhat/enterprise_linux 6.0
redhat/enterprise_linux 7.0
redhat/enterprise_virtualization 3.0
redhat/openstack 4.0
redhat/openstack 5.0
redhat/openstack 6.0
redhat/openstack 7.0
xen/xen 4.5.0
Published: May 13, 2015
Tracked Since: Feb 18, 2026