CVE-2017-8284

low-risk

Published 2017-04-26

The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated "this bug does not violate any security guarantees QEMU makes.

Do I need to act?

0.11% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.0/10 High

LOCAL / HIGH complexity

Affected Products (1)

Qemu

Affected Vendors

Qemu

References (4)

Issue Tracking https://bugs.chromium.org/p/project-zero/issues/detail?id=1122

Issue Tracking https://github.com/qemu/qemu/commit/30663fd26c0307e414622c7a8607fbc04f92ec14

Issue Tracking https://bugs.chromium.org/p/project-zero/issues/detail?id=1122

Issue Tracking https://github.com/qemu/qemu/commit/30663fd26c0307e414622c7a8607fbc04f92ec14

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal