CVE-2015-7504

HIGH

QEMU < 2.4.1 - Heap-Based Buffer Overflow in pcnet_receive

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-7504. PoCs published by codecat007.

AI-analyzed exploit summary: This is a functional exploit for CVE-2015-7504, targeting a QEMU virtual machine escape vulnerability via the PCNET network device. The code includes memory manipulation and CRC patching to achieve arbitrary code execution on the host.

Description

Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.

Exploits (1)

github WORKING POC 8 stars
by codecat007 · cpoc
https://github.com/codecat007/cvehub/tree/main/android/kernel/vm-escape-qemu-case-study/vm_escape/cve-2015-7504.c

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: QEMU (PCNET network device)
No auth needed
Prerequisites: Access to QEMU guest with PCNET device · Kernel memory access privileges
devstral-2 · analyzed Feb 27, 2026

References (13)

Core References
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-2694.html
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
https://lists.gnu.org/archive/html/qemu-devel/2015-11/msg06342.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3469
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3470
Patch, Third Party Advisory, VDB Entry vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201604-03
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3471
Patch, Third Party Advisory, VDB Entry vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201602-01
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-2696.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-2695.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1034268
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/78227
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/11/30/2
Mitigation, Patch, Vendor Advisory x_refsource_confirm
http://xenbits.xen.org/xsa/advisory-162.html

Scores

CVSS v3 8.8
EPSS 0.0047
EPSS Percentile 65.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE: CWE-787
Status: published
Products (5)
debian/debian_linux 7.0
debian/debian_linux 8.0
qemu/qemu 2.5.0 rc0 (3 CPE variants)
qemu/qemu < 2.4.1
xen/xen
Published Oct 16, 2017
Tracked Since Feb 18, 2026