CVSS2: AV:N/AC:L/Au:S/C:C/I:C/A:C
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

CVSS3: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS percentile: 50.8%
When performing a bitblt copy backwards (negative pitch), qemu's bounds check must also subtract (negate) the blit width. Without that correction the check approves a copy whose rows extend below the start address, so the raster operation reads or writes before the start of video memory: an out-of-bounds access.
A malicious guest administrator can trigger this out-of-bounds memory access in the qemu device model, leading to information disclosure or privilege escalation.
The qemu versions shipped with all Xen releases are vulnerable.
Xen systems running on x86 with HVM guests, with the qemu device-model process running in dom0, are vulnerable.
Only guests provided with the "cirrus" emulated video card (the default) can exploit the vulnerability. The non-default "stdvga" emulated video card is not vulnerable. (With xl, the emulated video card is selected by the "stdvga=" and "vga=" domain configuration options.)
ARM systems are not vulnerable. Systems running only PV guests are not vulnerable.
For VMs whose qemu process runs in a stub domain, a successful attacker gains only the privileges of that stubdom, which should extend only over the guest itself.
Both the upstream-based qemu (device_model_version="qemu-xen") and the "traditional" qemu (device_model_version="qemu-xen-traditional") are vulnerable.
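The following is an added, self-contained C model of the bounds check described above; it is not QEMU's or Xen's own code, and the VRAM size, structure fields, constructed blit parameters and the exact shape of the two check variants are assumptions made for illustration. It puts the pre-fix check (which, for a backwards copy, ignores that every row also runs `width` bytes below its start) beside the corrected check (which subtracts the width), and compares both against the lowest offset the raster operation would actually touch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the region check for a Cirrus-style video-to-video
 * bitblt. Added example, not QEMU's or Xen's code; VRAM size, field names
 * and both check variants are assumptions for illustration. */

#define VRAM_SIZE (4u * 1024u * 1024u)   /* assumed 4 MiB of emulated VRAM */

struct blit {
    uint32_t addr;   /* guest-chosen start offset of the first row */
    int32_t  pitch;  /* row-to-row distance in bytes; negative = rows walk backwards */
    uint32_t width;  /* bytes copied per row */
    uint32_t height; /* rows; the emulated register encodes height-1, so >= 1 */
};

/* Ground truth: lowest VRAM offset the raster-op would touch. A backwards
 * row starts at its row address and moves down `width` bytes; a forwards
 * row moves up, so its lowest byte is the row address itself. */
static int64_t lowest_offset_touched(const struct blit *b)
{
    int64_t row = b->addr, lowest = b->addr;
    for (uint32_t y = 0; y < b->height; y++) {
        int64_t end = b->pitch < 0 ? row - (int64_t)b->width + 1 : row;
        if (end < lowest) lowest = end;
        row += b->pitch;
    }
    return lowest;
}

/* Before the fix: for a negative pitch only the start of the last row and
 * addr + width are examined, as if each row still ran upwards. The bytes a
 * backwards row covers below its start are never counted, so a blit that
 * reaches below offset 0 is approved. */
static bool region_is_unsafe_old(const struct blit *b, uint32_t vram_size)
{
    if (b->width == 0 || b->height == 0) return true;
    if (b->pitch < 0) {
        int64_t min = (int64_t)b->addr + ((int64_t)b->height - 1) * b->pitch;
        int64_t max = (int64_t)b->addr + b->width;
        return min < 0 || max > vram_size;
    }
    int64_t max = (int64_t)b->addr + ((int64_t)b->height - 1) * b->pitch + b->width;
    return max > vram_size;
}

/* After the fix: the width is subtracted ("negated") for a backwards copy,
 * so `min` is one byte below the lowest byte the last row touches. min == -1
 * means the last row ends exactly at offset 0 and is still in bounds; anything
 * lower is rejected. The highest byte touched backwards is addr itself. */
static bool region_is_unsafe_new(const struct blit *b, uint32_t vram_size)
{
    if (b->width == 0 || b->height == 0) return true;
    if (b->pitch < 0) {
        int64_t min = (int64_t)b->addr + ((int64_t)b->height - 1) * b->pitch
                      - (int64_t)b->width;
        return min < -1 || b->addr >= vram_size;
    }
    int64_t max = (int64_t)b->addr + ((int64_t)b->height - 1) * b->pitch + b->width;
    return max > vram_size;
}

/* Constructed guest-controlled blits for the demonstration (not from any real exploit). */
static const struct blit underflow_one_row   = { .addr = 16,   .pitch = -64,  .width = 32,  .height = 1  };
static const struct blit underflow_many_rows = { .addr = 1000, .pitch = -100, .width = 50,  .height = 11 };
static const struct blit boundary_ok         = { .addr = 31,   .pitch = -64,  .width = 32,  .height = 1  };
static const struct blit forward_ok          = { .addr = 4096, .pitch = 1024, .width = 256, .height = 4  };

int main(void)
{
    const struct blit *cases[] = { &underflow_one_row, &underflow_many_rows,
                                   &boundary_ok, &forward_ok };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const struct blit *b = cases[i];
        printf("addr=%u pitch=%d width=%u height=%u: lowest byte touched=%lld, "
               "old check %s, new check %s\n",
               b->addr, b->pitch, b->width, b->height,
               (long long)lowest_offset_touched(b),
               region_is_unsafe_old(b, VRAM_SIZE) ? "rejects" : "accepts",
               region_is_unsafe_new(b, VRAM_SIZE) ? "rejects" : "accepts");
    }
    return 0;
}
```

The first two constructed blits are the interesting ones: the old check accepts both, yet the raster operation would touch offsets -15 and -49 respectively, i.e. memory before the start of video memory. The corrected check rejects them while still accepting the boundary case whose last row ends exactly at offset 0 and the ordinary forward copy.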