Arbitrary Code Execution

2020-04-1001:07:04

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.051 Low

EPSS

Percentile

93.0%

JSON

qemu-kvm is vulnerable to arbitrary code execution. The vulnerability exists as a flaw was found in the way qemu-kvm handled VSC_ATR messages when a guest was configured for a CCID (Chip/Smart Card Interface Devices) USB smart card reader in passthrough mode. An attacker able to connect to the port on the host being used for such a device could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host.

CPENameOperatorVersion
qemu-kvmeq0.12.1.2__2.160.el6_1.6
qemu-kvmeq0.12.1.2__2.160.el6_1.2
qemu-kvmeq0.12.1.2__2.113.el6_0.6
qemu-kvmeq0.12.1.2__2.160.el6_1.3
qemu-kvmeq0.12.1.2__2.113.el6_0.3
qemu-kvmeq0.12.1.2__2.160.el6_1.9
qemu-kvmeq0.12.1.2__2.160.el6
qemu-kvmeq0.12.1.2__2.113.el6_0.8
qemu-kvmeq0.12.1.2__2.113.el6
qemu-kvmeq0.12.1.2__2.160.el6_1.8

Name	Operator	Version
qemu-kvm	eq	0.12.1.2__2.160.el6_1.6
qemu-kvm	eq	0.12.1.2__2.160.el6_1.2
qemu-kvm	eq	0.12.1.2__2.113.el6_0.6
qemu-kvm	eq	0.12.1.2__2.160.el6_1.3
qemu-kvm	eq	0.12.1.2__2.113.el6_0.3
qemu-kvm	eq	0.12.1.2__2.160.el6_1.9
qemu-kvm	eq	0.12.1.2__2.160.el6
qemu-kvm	eq	0.12.1.2__2.113.el6_0.8
qemu-kvm	eq	0.12.1.2__2.113.el6
qemu-kvm	eq	0.12.1.2__2.160.el6_1.8