[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2018-16872":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":28,"aliases":29,"duplicate_of":9,"upstream":30,"downstream":31,"duplicates":56,"related":57,"reserved_at":9,"published_at":65,"modified_at":66,"state":67,"summary":68,"references_raw":77,"kevs":129,"epss":130,"epss_history":133,"metrics":399,"affected":417},"CVE-2018-16872","A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-367","Time-of-check Time-of-use (TOCTOU) Race Condition","The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.","weakness","Incomplete","Base","Medium",[20,24],{"id":21,"name":22,"techniques":23},"CAPEC-27","Leveraging Race Conditions via Symbolic Links",[],{"id":25,"name":26,"techniques":27},"CAPEC-29","Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions",[],[],[],[],[32,34,36,38,40,42,44,46,48,50,52,54],{"_key":33},"SUSE-SU-2019:0582-1",{"_key":35},"OPENSUSE-SU-2024:11287-1",{"_key":37},"SUSE-SU-2019:0423-1",{"_key":39},"SUSE-SU-2019:0435-1",{"_key":41},"SUSE-SU-2019:0471-1",{"_key":43},"SUSE-SU-2019:0471-2",{"_key":45},"SUSE-SU-2019:0489-1",{"_key":47},"UBUNTU-CVE-2018-16872",{"_key":49},"USN-3923-1",{"_key":51},"DLA-1694-1",{"_key":53},"DSA-4454-1",{"_key":55},"DEBIAN-CVE-2018-16872",[],[58,59,60,61,62,63,64],{"_key":33},{"_key":35},{"_key":37},{"_key":39},{"_key":41},{"_key":43},{"_key":45},"2018-12-13T21:00:00.000Z","2024-08-05T10:32:54.018Z","Modified",{"cisa_kev":69,"cisa_ransomware":69,"cisa_vendor":9,"epss_severity":70,"epss_score":71,"severity":72,"severity_score":73,"severity_version":74,"severity_source":75,"severity_vector":76,"severity_status":67},false,"low",0.00274,"medium",5.3,"v3.1","nvd","CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",[78,86,92,98,103,107,112,117,122],{"url":79,"sources":80,"tags":82},"https://lists.debian.org/debian-lts-announce/2019/02/msg00041.html",[81,75],"cve.org",[83,84,85],"Mailing List","X Refsource MLIST","Third Party Advisory",{"url":87,"sources":88,"tags":89},"http://www.securityfocus.com/bid/106212",[81,75],[90,91,85],"VDB Entry","X Refsource BID",{"url":93,"sources":94,"tags":95},"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGCFIFSIWUREEQQOZDZFBYKWZHXCWBZN/",[81,75],[96,97,85],"Vendor Advisory","X Refsource FEDORA",{"url":99,"sources":100,"tags":101},"https://usn.ubuntu.com/3923-1/",[81,75],[96,102,85],"X Refsource UBUNTU",{"url":104,"sources":105,"tags":106},"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJMTVGDLA654HNCDGLCUEIP36SNJEKK7/",[81,75],[96,97,85],{"url":108,"sources":109,"tags":110},"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00042.html",[81,75],[96,111,83,85],"X Refsource SUSE",{"url":113,"sources":114,"tags":115},"https://www.debian.org/security/2019/dsa-4454",[81,75],[96,116,85],"X Refsource DEBIAN",{"url":118,"sources":119,"tags":120},"https://seclists.org/bugtraq/2019/May/76",[81,75],[83,121,85],"X Refsource BUGTRAQ",{"url":123,"sources":124,"tags":125},"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16872",[81,75],[126,127,128,85],"X Refsource CONFIRM","Issue Tracking","Patch",[],{"date":131,"score":71,"percentile":132},"2026-06-04",0.51032,[134,138,141,144,147,149,152,155,158,161,165,168,171,174,177,181,184,187,190,193,196,199,202,205,208,211,214,217,220,223,226,228,231,234,237,240,243,246,249,252,255,258,261,264,267,270,273,276,279,282,285,287,289,292,295,298,301,304,307,310,313,316,318,321,324,327,330,333,336,339,342,345,348,351,354,356,359,362,364,367,370,373,376,379,382,385,388,390,393,396],{"date":135,"score":136,"percentile":137},"2025-11-04",0.00265,0.49831,{"date":139,"score":136,"percentile":140},"2025-11-05",0.49819,{"date":142,"score":136,"percentile":143},"2025-11-06",0.4983,{"date":145,"score":136,"percentile":146},"2025-11-07",0.49858,{"date":148,"score":136,"percentile":146},"2025-11-08",{"date":150,"score":136,"percentile":151},"2025-11-09",0.49844,{"date":153,"score":136,"percentile":154},"2025-11-10",0.4981,{"date":156,"score":136,"percentile":157},"2025-11-11",0.49826,{"date":159,"score":136,"percentile":160},"2025-11-12",0.4985,{"date":162,"score":163,"percentile":164},"2025-11-13",0.00255,0.48745,{"date":166,"score":163,"percentile":167},"2025-11-14",0.48758,{"date":169,"score":163,"percentile":170},"2025-11-15",0.48752,{"date":172,"score":163,"percentile":173},"2025-11-16",0.48737,{"date":175,"score":163,"percentile":176},"2025-11-17",0.4871,{"date":178,"score":179,"percentile":180},"2025-11-18",0.00159,0.31381,{"date":182,"score":179,"percentile":183},"2025-11-19",0.31396,{"date":185,"score":179,"percentile":186},"2025-11-20",0.31392,{"date":188,"score":163,"percentile":189},"2025-11-21",0.48704,{"date":191,"score":163,"percentile":192},"2025-11-22",0.48701,{"date":194,"score":163,"percentile":195},"2025-11-23",0.48668,{"date":197,"score":163,"percentile":198},"2025-11-24",0.48654,{"date":200,"score":163,"percentile":201},"2025-11-25",0.48656,{"date":203,"score":163,"percentile":204},"2025-11-26",0.48655,{"date":206,"score":163,"percentile":207},"2025-11-27",0.48661,{"date":209,"score":163,"percentile":210},"2025-11-28",0.48631,{"date":212,"score":163,"percentile":213},"2025-11-29",0.48612,{"date":215,"score":163,"percentile":216},"2025-11-30",0.486,{"date":218,"score":163,"percentile":219},"2025-12-01",0.48755,{"date":221,"score":163,"percentile":222},"2025-12-02",0.48772,{"date":224,"score":163,"percentile":225},"2025-12-03",0.48766,{"date":227,"score":163,"percentile":216},"2025-12-04",{"date":229,"score":163,"percentile":230},"2025-12-05",0.48621,{"date":232,"score":163,"percentile":233},"2025-12-06",0.48622,{"date":235,"score":163,"percentile":236},"2025-12-07",0.48607,{"date":238,"score":163,"percentile":239},"2025-12-08",0.48611,{"date":241,"score":163,"percentile":242},"2025-12-09",0.48633,{"date":244,"score":163,"percentile":245},"2025-12-10",0.48696,{"date":247,"score":163,"percentile":248},"2025-12-11",0.48711,{"date":250,"score":163,"percentile":251},"2025-12-12",0.48734,{"date":253,"score":163,"percentile":254},"2025-12-13",0.48718,{"date":256,"score":163,"percentile":257},"2025-12-14",0.48705,{"date":259,"score":163,"percentile":260},"2025-12-15",0.48689,{"date":262,"score":163,"percentile":263},"2025-12-16",0.48698,{"date":265,"score":163,"percentile":266},"2025-12-17",0.4872,{"date":268,"score":163,"percentile":269},"2025-12-18",0.48759,{"date":271,"score":163,"percentile":272},"2025-12-19",0.48765,{"date":274,"score":163,"percentile":275},"2025-12-20",0.48742,{"date":277,"score":163,"percentile":278},"2025-12-21",0.48715,{"date":280,"score":163,"percentile":281},"2025-12-22",0.48695,{"date":283,"score":163,"percentile":284},"2025-12-23",0.48692,{"date":286,"score":163,"percentile":189},"2025-12-24",{"date":288,"score":163,"percentile":219},"2025-12-25",{"date":290,"score":163,"percentile":291},"2025-12-26",0.48744,{"date":293,"score":163,"percentile":294},"2025-12-27",0.48767,{"date":296,"score":163,"percentile":297},"2025-12-28",0.48683,{"date":299,"score":163,"percentile":300},"2025-12-29",0.48665,{"date":302,"score":163,"percentile":303},"2025-12-30",0.4866,{"date":305,"score":163,"percentile":306},"2025-12-31",0.48699,{"date":308,"score":163,"percentile":309},"2026-01-01",0.48864,{"date":311,"score":163,"percentile":312},"2026-01-02",0.48845,{"date":314,"score":163,"percentile":315},"2026-01-03",0.48833,{"date":317,"score":163,"percentile":198},"2026-01-04",{"date":319,"score":163,"percentile":320},"2026-01-05",0.48639,{"date":322,"score":71,"percentile":323},"2026-01-06",0.50501,{"date":325,"score":71,"percentile":326},"2026-01-07",0.50518,{"date":328,"score":71,"percentile":329},"2026-01-08",0.50542,{"date":331,"score":71,"percentile":332},"2026-01-09",0.50525,{"date":334,"score":71,"percentile":335},"2026-01-10",0.50523,{"date":337,"score":71,"percentile":338},"2026-01-11",0.50503,{"date":340,"score":71,"percentile":341},"2026-01-12",0.50459,{"date":343,"score":71,"percentile":344},"2026-01-13",0.50434,{"date":346,"score":71,"percentile":347},"2026-01-14",0.50484,{"date":349,"score":71,"percentile":350},"2026-01-15",0.50487,{"date":352,"score":71,"percentile":353},"2026-01-16",0.50507,{"date":355,"score":71,"percentile":350},"2026-01-17",{"date":357,"score":71,"percentile":358},"2026-01-18",0.50464,{"date":360,"score":71,"percentile":361},"2026-01-19",0.5044,{"date":363,"score":71,"percentile":361},"2026-01-20",{"date":365,"score":71,"percentile":366},"2026-01-21",0.50441,{"date":368,"score":71,"percentile":369},"2026-01-22",0.50448,{"date":371,"score":71,"percentile":372},"2026-01-23",0.50498,{"date":374,"score":71,"percentile":375},"2026-01-24",0.50504,{"date":377,"score":71,"percentile":378},"2026-01-25",0.50456,{"date":380,"score":71,"percentile":381},"2026-01-26",0.5043,{"date":383,"score":71,"percentile":384},"2026-01-27",0.50436,{"date":386,"score":71,"percentile":387},"2026-01-28",0.50449,{"date":389,"score":71,"percentile":369},"2026-01-29",{"date":391,"score":71,"percentile":392},"2026-01-30",0.50451,{"date":394,"score":71,"percentile":395},"2026-01-31",0.50458,{"date":397,"score":71,"percentile":398},"2026-02-01",0.5059,[400,407],{"source":81,"cvss_v2_0":9,"cvss_v3_0":401,"cvss_v3_1":9,"cvss_v4_0":9},{"baseScore":402,"baseSeverity":403,"vectorString":404,"impactScore":405,"exploitabilityScore":406},5,"MEDIUM","CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",6.2,2.1,{"source":75,"cvss_v2_0":408,"cvss_v3_0":413,"cvss_v3_1":414,"cvss_v4_0":9},{"baseScore":409,"baseSeverity":9,"vectorString":410,"impactScore":411,"exploitabilityScore":412},3.5,"AV:N/AC:M/Au:S/C:P/I:N/A:N",2.9,6.8,{"baseScore":402,"baseSeverity":403,"vectorString":404,"impactScore":405,"exploitabilityScore":406},{"baseScore":73,"baseSeverity":403,"vectorString":76,"impactScore":415,"exploitabilityScore":416},6,4.1,[418,433,442,450,456,465],{"ecosystem":9,"name":419,"vendor":420,"product":421,"cpe_part":422,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":423},"ubuntu linux","canonical","ubuntu_linux","o",[424,427,429,431],{"version":425,"is_range":69,"range_type":426,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"14.04","cpe",{"version":428,"is_range":69,"range_type":426,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"16.04",{"version":430,"is_range":69,"range_type":426,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"18.04",{"version":432,"is_range":69,"range_type":426,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"18.10",{"ecosystem":9,"name":434,"vendor":435,"product":436,"cpe_part":422,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":437},"debian linux","debian","debian_linux",[438,440],{"version":439,"is_range":69,"range_type":426,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"8.0",{"version":441,"is_range":69,"range_type":426,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"9.0",{"ecosystem":9,"name":443,"vendor":444,"product":443,"cpe_part":422,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":445},"fedora","fedoraproject",[446,448],{"version":447,"is_range":69,"range_type":426,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"29",{"version":449,"is_range":69,"range_type":426,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"30",{"ecosystem":9,"name":451,"vendor":452,"product":451,"cpe_part":422,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":453},"leap","opensuse",[454],{"version":455,"is_range":69,"range_type":426,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"42.3",{"ecosystem":9,"name":457,"vendor":457,"product":457,"cpe_part":458,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":459},"qemu","a",[460],{"version":461,"is_range":462,"range_type":426,"version_start":9,"version_start_type":9,"version_end":463,"version_end_type":464,"fixed_in":9},"lte3.1.0",true,"3.1.0","including",{"ecosystem":9,"name":466,"vendor":467,"product":468,"cpe_part":458,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":469},"QEMU:","[unknown]","qemu:",[470],{"version":471,"is_range":69,"range_type":81,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"n/a"]