CVE-2014-8106 — qemu-kvm - security update

Description

Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320.

How to fix CVE-2014-8106

To remediate CVE-2014-8106, upgrade the affected package to a fixed version below.

Debian/qemu—upgrade to 2.1+dfsg-9 or later
Debian/qemu—upgrade to 1.1.2+dfsg-6a+deb7u6 or later
Debian/qemu-kvm—upgrade to 1.1.2+dfsg-6+deb7u6 or later

Is CVE-2014-8106 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.1+dfsg-9
from 0, < 1.1.2+dfsg-6a+deb7u6
from 0, < 1.1.2+dfsg-6+deb7u6

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-8106