CVE-2015-8701

EUVD-2015-8578
QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
Affected Products (NVD)
VendorProductVersion
qemuqemu
𝑥
≤ 2.5.1.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
qemu
bookworm
1:7.2+dfsg-7+deb12u7
fixed
bullseye
1:5.2+dfsg-11+deb11u3
fixed
bullseye (security)
1:5.2+dfsg-11+deb11u2
fixed
jessie
not-affected
sid
1:9.1.1+ds-2
fixed
squeeze
not-affected
trixie
1:9.1.1+ds-2
fixed
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
qemu
precise
dne
trusty
not-affected
vivid
not-affected
wily
not-affected
qemu-kvm
precise
not-affected
trusty
dne
vivid
dne
wily
dne
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2015/12/28/6
http://www.openwall.com/lists/oss-security/2015/12/29/1
http://www.securityfocus.com/bid/79706
https://bugzilla.redhat.com/show_bug.cgi?id=1286971
https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html
https://security.gentoo.org/glsa/201602-01
http://www.openwall.com/lists/oss-security/2015/12/28/6
http://www.openwall.com/lists/oss-security/2015/12/29/1
http://www.securityfocus.com/bid/79706
https://bugzilla.redhat.com/show_bug.cgi?id=1286971
https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html
https://security.gentoo.org/glsa/201602-01