[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-MGASA-2024-0387":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":46,"duplicates":47,"related":48,"reserved_at":9,"published_at":65,"modified_at":66,"state":9,"summary":67,"references_raw":69,"kevs":102,"epss":9,"epss_history":103,"metrics":104,"affected":105},"MGASA-2024-0387","Updated qemu packages fix security vulnerabilities\n\nA flaw was found in the QEMU implementation of VMWare's paravirtual RDMA\ndevice. This flaw allows a crafted guest driver to allocate and\ninitialize a huge number of page tables to be used as a ring of\ndescriptors for CQ and async events, potentially leading to an\nout-of-bounds read and crash of QEMU. (CVE-2023-1544)\nA DMA reentrancy issue leading to a use-after-free error was found in\nthe e1000e NIC emulation code in QEMU. This issue could allow a\nprivileged guest user to crash the QEMU process on the host, resulting\nin a denial of service. (CVE-2023-3019)\nA flaw was found in the QEMU built-in VNC server while processing\nClientCutText messages. A wrong exit condition may lead to an infinite\nloop when inflating an attacker controlled zlib buffer in the\n`inflate_buffer` function. This could allow a remote authenticated\nclient who is able to send a clipboard to the VNC server to trigger a\ndenial of service. (CVE-2023-3255)\nA bug in QEMU could cause a guest I/O operation otherwise addressed to\nan arbitrary disk offset to be targeted to offset 0 instead (potentially\noverwriting the VM's boot code). This could be used, for example, by L2\nguests with a virtual disk (vdiskL2) stored on a virtual disk of an L1\n(vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1,\npotentially gaining control of L1 at its next reboot. 
(CVE-2023-5088)\nA flaw was found in the QEMU built-in VNC server while processing\nClientCutText messages. The qemu_clipboard_request() function can be\nreached before vnc_server_cut_text_caps() was called and had the chance\nto initialize the clipboard peer, leading to a NULL pointer dereference.\nThis could allow a malicious authenticated VNC client to crash QEMU and\ntrigger a denial of service. (CVE-2023-6683)\nA stack based buffer overflow was found in the virtio-net device of\nQEMU. This issue occurs when flushing TX in the virtio_net_flush_tx\nfunction if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1\nand VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious\nuser to overwrite local variables allocated on the stack. Specifically,\nthe `out_sg` variable could be used to read a part of process memory and\nsend it to the wire, causing an information leak. (CVE-2023-6693)\nQEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset\nin hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not\nprevent s->qdev.blocksize from being 256. This stops QEMU and the guest\nimmediately. (CVE-2023-42467)\nQEMU before 8.2.0 has an integer underflow, and resultant buffer\noverflow, via a TI command when an expected non-DMA transfer length is\nless than the length of the available FIFO data. This occurs in\nesp_do_nodma in hw/scsi/esp.c because of an underflow of async_len.\n(CVE-2024-24474)\nAn issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in\nhw/pci/pcie_sriov.c mishandles the situation where a guest writes NumVFs\ngreater than TotalVFs, leading to a buffer overflow in VF\nimplementations. (CVE-2024-26327)\nAn issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in\nhw/pci/pcie_sriov.c does not set NumVFs to PCI_SRIOV_TOTAL_VF, and thus\ninteraction with hw/nvme/ctrl.c is mishandled. 
(CVE-2024-26328)\nA double free vulnerability was found in QEMU virtio devices\n(virtio-gpu, virtio-serial-bus, virtio-crypto), where the\nmem_reentrancy_guard flag insufficiently protects against DMA reentrancy\nissues. This issue could allow a malicious privileged guest user to\ncrash the QEMU process on the host, resulting in a denial of service or\nallow arbitrary code execution within the context of the QEMU process on\nthe host. (CVE-2024-3446)\nA heap-based buffer overflow was found in the SDHCI device emulation of\nQEMU. The bug is triggered when both `s->data_count` and the size of\n`s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A\nmalicious guest could use this flaw to crash the QEMU process on the\nhost, resulting in a denial of service condition. (CVE-2024-3447)\nA flaw was found in the QEMU disk image utility (qemu-img) 'info'\ncommand. A specially crafted image file containing a `json:{}` value\ndescribing block devices in QMP could cause the qemu-img process on the\nhost to consume large amounts of memory or CPU time, leading to denial\nof service or read/write to an existing external file. (CVE-2024-4467)\nA flaw was found in the QEMU NBD Server. This vulnerability allows a\ndenial of service (DoS) attack via improper synchronization during\nsocket closure when a client keeps a socket open as the server is taken\noffline. (CVE-2024-7409)\nA flaw was found in QEMU. An assertion failure was present in the\nusb_ep_get() function in hw/net/core.c when trying to get the USB\nendpoint from a USB device. This flaw may allow a malicious unprivileged\nguest user to crash the QEMU process on the host and cause a denial of\nservice condition. (CVE-2024-8354)\nA flaw was found in QEMU, in the virtio-scsi, virtio-blk, and\nvirtio-crypto devices. The size for virtqueue_push as set in\nvirtio_scsi_complete_req / virtio_blk_req_complete /\nvirito_crypto_req_complete could be larger than the true size of the\ndata which has been sent to guest. 
Once virtqueue_push() finally calls\ndma_memory_unmap to unmap the in_iov, it may call the\naddress_space_write function to write back the data. Some uninitialized\ndata may exist in the bounce.buffer, leading to an information leak.\n(CVE-2024-8612)\n",null,[],[],[],[14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44],{"_key":15},"CVE-2023-1544",{"_key":17},"CVE-2023-3019",{"_key":19},"CVE-2023-3255",{"_key":21},"CVE-2023-5088",{"_key":23},"CVE-2023-6683",{"_key":25},"CVE-2023-6693",{"_key":27},"CVE-2023-42467",{"_key":29},"CVE-2024-24474",{"_key":31},"CVE-2024-26327",{"_key":33},"CVE-2024-26328",{"_key":35},"CVE-2024-3446",{"_key":37},"CVE-2024-3447",{"_key":39},"CVE-2024-4467",{"_key":41},"CVE-2024-7409",{"_key":43},"CVE-2024-8354",{"_key":45},"CVE-2024-8612",[],[],[49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64],{"_key":15},{"_key":17},{"_key":19},{"_key":27},{"_key":21},{"_key":23},{"_key":25},{"_key":29},{"_key":31},{"_key":33},{"_key":35},{"_key":37},{"_key":39},{"_key":41},{"_key":43},{"_key":45},"2024-12-04T16:58:15Z","2026-04-16T04:21:41.989423Z",{"cisa_kev":68,"cisa_ransomware":68,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[70,76,81,86,90,94,98],{"url":71,"sources":72,"tags":74},"https://advisories.mageia.org/MGASA-2024-0387.html",[73],"osv_mageia",[75],"Advisory",{"url":77,"sources":78,"tags":79},"https://bugs.mageia.org/show_bug.cgi?id=33074",[73],[80],"REPORT",{"url":82,"sources":83,"tags":84},"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ES5DXAAMYUC767MUW4BPRP6ZPDL6SUW6/",[73],[80,85],"WEB",{"url":87,"sources":88,"tags":89},"https://lists.suse.com/pipermail/sle-updates/2024-April/035064.html",[73],[80,85],{"url":91,"sources":92,"tags":93},"https://lwn.net/Articles/971720/",[73],[80,85],{"url":95,"sources":96,"tags":97},"https://lists.suse.com/pipermail/sle-updates/2024-August/036644.html",
[73],[80,85],{"url":99,"sources":100,"tags":101},"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HL7L7OSCUZ44UAQCOB6IUOFBWKV6ECP2/",[73],[80,85],[],[],[],[106],{"ecosystem":107,"name":108,"vendor":109,"product":108,"cpe_part":9,"purl_type":110,"purl_namespace":109,"purl_name":108,"source":9,"versions":111},"Mageia","qemu","mageia","rpm",[112],{"version":113,"is_range":114,"range_type":115,"version_start":9,"version_start_type":9,"version_end":116,"version_end_type":117,"fixed_in":9},"lt7_2_15_1_mga9",true,"ecosystem","7.2.15-1.mga9","excluding"]