CVE-2017-8284 in QEMU

Summary

** DISPUTED ** The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated "this bug does not violate any security guarantees QEMU makes."


Responsible

Reservation: 04/26/2017

Disclosure: 04/26/2017

Entries: VDB-100617

CPE: ready

CVSS: 6.4

EPSS: 0.00108

Activities: Very Low

Sources
