CVE-2015-5165

Xen < 4.5.0 - Uninitialized Memory Exposure via RTL8139 C+ Mode Offload Emulation


Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-5165. PoCs published by codecat007.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2015-5165, a QEMU virtual machine escape vulnerability. The code demonstrates memory corruption via the RTL8139 network device emulation to achieve arbitrary code execution on the host.

Description

The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.

Exploits (1)

github WORKING POC 8 stars
by codecat007 · cpoc
https://github.com/codecat007/cvehub/tree/main/android/kernel/vm-escape-qemu-case-study/vm_escape/cve-2015-5165.c


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: QEMU (version with RTL8139 emulation vulnerable to CVE-2015-5165)
No auth needed
Prerequisites: Access to a QEMU guest with RTL8139 network device emulation · Ability to send crafted network packets to the device
devstral-2 · analyzed Feb 27, 2026

References (19)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033176
Issue Tracking, Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00027.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3348
Broken Link, Third Party Advisory x_refsource_confirm
http://support.citrix.com/article/CTX201717
Issue Tracking, Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1683.html
Issue Tracking, Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1793.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3349
Issue Tracking, Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167820.html
Issue Tracking, Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165373.html
Issue Tracking, Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1833.html
Issue Tracking, Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167792.html
Issue Tracking, Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00018.html
Issue Tracking, Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1740.html
Issue Tracking, Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1739.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/76153
Patch, Vendor Advisory x_refsource_confirm
http://xenbits.xen.org/xsa/advisory-140.html
Issue Tracking, Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1674.html

Scores

EPSS 0.1149
EPSS Percentile 93.8%

Details

CWE: CWE-908
Status: published
Products (50)
arista/eos 4.12
arista/eos 4.13
arista/eos 4.14
arista/eos 4.15
debian/debian_linux 7.0
debian/debian_linux 8.0
fedoraproject/fedora 21
fedoraproject/fedora 22
oracle/linux 7 0
redhat/enterprise_linux_compute_node_eus 7.1
... and 40 more
Published Aug 12, 2015
Tracked Since Feb 18, 2026