CVE-2013-4377

Severity

23%

Complexity

44%

Confidentiality

48%

Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by "hot-unplugging" a virtio device.

Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by "hot-unplugging" a virtio device.

CVSS 2.0 Base Score 2.3. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: medium. CVSS Vector: (AV:A/AC:M/Au:S/C:N/I:N/A:P).

Overview

Type

QEMU

First reported 11 years ago

2013-10-11 22:55:00

Last updated 10 years ago

2014-03-06 04:47:00

Affected Software

QEMU 1.4.0

1.4.0

QEMU 1.4.1

1.4.1

QEMU 1.4.2

1.4.2

QEMU 1.5.0

1.5.0

QEMU 1.5.0 release candidate 1

1.5.0

QEMU 1.5.0 release candidate 2

1.5.0

QEMU 1.5.0 release candidate 3

1.5.0

QEMU 1.5.1

1.5.1

QEMU 1.5.2

1.5.2

QEMU 1.5.3

1.5.3

QEMU 1.6.0

1.6.0

QEMU 1.6.0 release candidate 1

1.6.0

QEMU 1.6.0 release candidate 2

1.6.0

QEMU 1.6.0 release candidate 3

1.6.0

References

[Qemu-devel] 20130920 [PATCH 11/11] virtio-pci: add device_unplugged callback

Patch

55015

Vendor Advisory

[oss-security] 20130926 Re: CVE request: qemu host crash from within guest

USN-2092-1

https://bugzilla.redhat.com/show_bug.cgi?id=1012633

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.