CVE-2017-2620 vulnerability in QEMU and Other Products
Published on July 27, 2018

Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Weakness Type

What is a Memory Corruption Vulnerability?

The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

CVE-2017-2620 has been classified to as a Memory Corruption vulnerability or weakness.

Products Associated with CVE-2017-2620

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2017-2620 are published in these products:

QEMU

Red Hat Enterprise Linux Desktop

Red Hat Enterprise Linux Server Eus

Red Hat Openstack

Citrix Xen Server

Citrix Xen Xen

Debian Linux

Red Hat Enterprise Linux Workstation

Red Hat Enterprise Linux Server

Red Hat Enterprise Linux Server Aus

Affected Versions

Qemu: Version 2.8 is affected by CVE-2017-2620

Exploit Probability

EPSS

2.41%

Percentile

84.88%