The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access.
The product reads data past the end, or before the beginning, of the intended buffer.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Qemu | Qemu | * | 2.11.1 (including) |
Red Hat Enterprise Linux 7 | RedHat | qemu-kvm-10:1.5.3-156.el7_5.5 | * |
Red Hat OpenStack Platform 10.0 (Newton) | RedHat | qemu-kvm-rhev-10:2.10.0-21.el7_5.3 | * |
Red Hat OpenStack Platform 12.0 (Pike) | RedHat | qemu-kvm-rhev-10:2.10.0-21.el7_5.3 | * |
Red Hat OpenStack Platform 8.0 (Liberty) | RedHat | qemu-kvm-rhev-10:2.10.0-21.el7_5.3 | * |
Red Hat OpenStack Platform 9.0 (Mitaka) | RedHat | qemu-kvm-rhev-10:2.10.0-21.el7_5.3 | * |
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | RedHat | qemu-kvm-rhev-10:2.10.0-21.el7_5.2 | * |
Qemu | Ubuntu | artful | * |
Qemu | Ubuntu | bionic | * |
Qemu | Ubuntu | cosmic | * |
Qemu | Ubuntu | devel | * |
Qemu | Ubuntu | disco | * |
Qemu | Ubuntu | eoan | * |
Qemu | Ubuntu | esm-infra-legacy/trusty | * |
Qemu | Ubuntu | esm-infra/bionic | * |
Qemu | Ubuntu | esm-infra/focal | * |
Qemu | Ubuntu | esm-infra/xenial | * |
Qemu | Ubuntu | focal | * |
Qemu | Ubuntu | groovy | * |
Qemu | Ubuntu | hirsute | * |
Qemu | Ubuntu | trusty | * |
Qemu | Ubuntu | trusty/esm | * |
Qemu | Ubuntu | xenial | * |
Qemu-kvm | Ubuntu | precise/esm | * |
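
The bounds check whose absence the description above reports, written as an added example; it is not QEMU's code or its patch. The struct, enum, and function names are assumptions of this example, and the header values in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiboot header address fields (struct and names are assumptions of this example). */
struct mb_addrs {
    uint32_t load_addr;     /* physical start of the loaded image */
    uint32_t load_end_addr; /* end of data copied from the file; 0 = rest of file */
    uint32_t bss_end_addr;  /* end of the zero-filled bss; 0 = no bss */
};

enum mb_status { MB_OK, MB_BAD_LOAD_END, MB_BAD_BSS_END, MB_FILE_TOO_SHORT };

/* Validate the layout before any buffer is sized from it.
 * file_avail: bytes in the kernel file from the text offset onward.
 * On MB_OK, *load_size is what gets copied and *image_size what gets allocated. */
enum mb_status mb_check_layout(const struct mb_addrs *h, uint32_t file_avail,
                               uint32_t *load_size, uint32_t *image_size)
{
    uint32_t size;

    if (h->load_end_addr == 0) {
        if (file_avail > UINT32_MAX - h->load_addr)
            return MB_BAD_LOAD_END;          /* image would wrap past 4 GiB */
        size = file_avail;
    } else {
        if (h->load_end_addr < h->load_addr)
            return MB_BAD_LOAD_END;
        size = h->load_end_addr - h->load_addr;
        if (size > file_avail)
            return MB_FILE_TOO_SHORT;        /* would read past the file data */
    }
    /* The condition from the description: the copied range must fit inside
     * the image that bss_end_addr defines, or the copy overruns the buffer. */
    if (h->bss_end_addr != 0 && h->bss_end_addr < h->load_addr + size)
        return MB_BAD_BSS_END;

    *load_size = size;
    *image_size = h->bss_end_addr ? h->bss_end_addr - h->load_addr : size;
    return MB_OK;
}

int main(void)
{
    /* Constructed header: load_end_addr lies beyond bss_end_addr. */
    struct mb_addrs bad = { 0x100000, 0x105000, 0x101000 };
    uint32_t load, image;
    printf("status=%d\n", mb_check_layout(&bad, 0x10000, &load, &image));
    return 0;
}
```

Without the `MB_BAD_BSS_END` check, the constructed header would size the image at 0x1000 bytes while 0x5000 bytes are copied into it.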