Libslirp
Monthly
Out-of-bounds heap read and integer underflow in libslirp's TCP urgent data handler (sosendoob) exposes gigabytes of host process heap memory to a privileged guest VM attacker. All libslirp releases before v4.9.2, as embedded in hypervisors such as QEMU, are affected when guest workloads hold root or CAP_NET_RAW privileges. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the cross-VM-boundary scope change (S:C) and high confidentiality impact make this a material risk in multi-tenant or shared virtualization environments.
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity.
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity.
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity.
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity.
slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity.
A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. Public exploit code available.
In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.
tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.
libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
Out-of-bounds heap read and integer underflow in libslirp's TCP urgent data handler (sosendoob) exposes gigabytes of host process heap memory to a privileged guest VM attacker. All libslirp releases before v4.9.2, as embedded in hypervisors such as QEMU, are affected when guest workloads hold root or CAP_NET_RAW privileges. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the cross-VM-boundary scope change (S:C) and high confidentiality impact make this a material risk in multi-tenant or shared virtualization environments.
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity.
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity.
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity.
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. Rated low severity (CVSS 3.8), this vulnerability is low attack complexity.
slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity.
A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. Public exploit code available.
In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.
tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.
libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.