#VU11233 Out-of-bounds read in QEMU - CVE-2017-16845
Vulnerability identifier: #VU11233
Vulnerability risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID:
CWE-125
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
QEMU
Client/Desktop applications /
Virtualization software
Vendor: QEMU
Description
The vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code on the target system.
The weakness exists due to out-of-bounds read. A remote attacker can cause the service to crash or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Mitigation
Update to version 2.11.1 or later.
Vulnerable software versions
QEMU: 2.8.0 - 2.11.0
External links
https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
