CVE-2020-14364

MEDIUM

QEMU < 5.2.0 - Out-of-bounds Read/Write in USB Emulator

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-14364. PoCs published by gejian-iscas and y-f00l.

AI-analyzed exploit summary: This PoC exploits CVE-2020-14364, a memory leak vulnerability in the Linux kernel's USB subsystem, to leak kernel memory addresses. It uses MMIO operations and USB device manipulation to trigger the vulnerability and extract sensitive information.

Description

An out-of-bounds read/write access flaw was found in the USB emulator of QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when the USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in and do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or potentially to execute arbitrary code with the privileges of the QEMU process on the host.

Exploits (2)

nomisec WORKING POC 2 stars
by gejian-iscas · poc
https://github.com/gejian-iscas/CVE-2020-14364

This PoC exploits CVE-2020-14364, a memory leak vulnerability in the Linux kernel's USB subsystem, to leak kernel memory addresses. It uses MMIO operations and USB device manipulation to trigger the vulnerability and extract sensitive information.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (specific version not specified)
No auth needed
Prerequisites: Access to the target system's USB subsystem · Ability to execute code with sufficient privileges to perform MMIO operations
Analyzed by mistral-large-3 on Feb 16, 2026
nomisec WORKING POC 1 star
by y-f00l · poc
https://github.com/y-f00l/CVE-2020-14364

This is a Linux kernel module exploit for CVE-2020-14364, targeting a use-after-free vulnerability in the UHCI USB controller emulation in QEMU. The exploit leverages DMA operations to achieve arbitrary read/write primitives and ultimately executes a system() call via a fake timer structure.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: QEMU (with UHCI USB controller emulation)
No auth needed
Prerequisites: Linux kernel module loading capabilities · QEMU with UHCI USB controller emulation enabled
Analyzed by mistral-large-3 on Feb 16, 2026

References (12)

Issue Tracking, Patch, Third Party Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1869201
Mailing List, Third Party Advisory: https://www.openwall.com/lists/oss-security/2020/08/24/3
Mailing List, Third Party Advisory: https://www.openwall.com/lists/oss-security/2020/08/24/2
Third Party Advisory (Debian): https://www.debian.org/security/2020/dsa-4760
Mailing List, Third Party Advisory (Debian LTS): https://lists.debian.org/debian-lts-announce/2020/09/msg00013.html
Third Party Advisory (Ubuntu): https://usn.ubuntu.com/4511-1/
Third Party Advisory (NetApp): https://security.netapp.com/advisory/ntap-20200924-0006/
Third Party Advisory (Gentoo): https://security.gentoo.org/glsa/202009-14
Broken Link, Mailing List, Third Party Advisory (SUSE): http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00024.html
Third Party Advisory (Gentoo): https://security.gentoo.org/glsa/202011-09

Scores

CVSS v3 5.0
EPSS 0.0545
EPSS Percentile 91.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

Details

CWE
CWE-125 CWE-787
Status published
Products (14)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 20.04
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 31
fedoraproject/fedora 32
opensuse/leap 15.2
qemu/qemu < 5.2.0
redhat/enterprise_linux 6.0
... and 4 more
Published Aug 31, 2020
Tracked Since Feb 18, 2026