CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
80.5%
VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was
found to be vulnerable to an unbounded memory allocation issue, as it did
not throttle the framebuffer updates sent to its client. If the client did
not consume these updates, VNC server allocates growing memory to hold onto
this data. A malicious remote VNC client could use this flaw to cause DoS
to the server host.
Author | Note |
---|---|
mdeslaur | complex backport, not going to fix this in xenial and earlier |
www.openwall.com/lists/oss-security/2017/12/19/4
launchpad.net/bugs/cve/CVE-2017-15124
lists.gnu.org/archive/html/qemu-devel/2017-12/msg03705.html
lists.gnu.org/archive/html/qemu-devel/2017-12/msg03711.html
lists.gnu.org/archive/html/qemu-devel/2017-12/msg03713.html
lists.gnu.org/archive/html/qemu-devel/2017-12/msg03715.html
nvd.nist.gov/vuln/detail/CVE-2017-15124
security-tracker.debian.org/tracker/CVE-2017-15124
ubuntu.com/security/notices/USN-3575-1
www.cve.org/CVERecord?id=CVE-2017-15124
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
80.5%