CVE-2019-12155

Published: 24 May 2019

interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference.

From the Ubuntu security team

Sergej Schumilo, Cornelius Aschermann and Simon W├Ârner discovered that the qxl paravirtual graphics driver implementation in QEMU contained a null pointer dereference. A local attacker in a guest could use this to cause a denial of service.

Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
qemu
Launchpad, Ubuntu, Debian
Upstream
Released (1:4.2-1)
Ubuntu 21.04 (Hirsute Hippo)
Released (1:4.2-1ubuntu1)
Ubuntu 20.10 (Groovy Gorilla)
Released (1:4.2-1ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (1:4.2-1ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (1:2.11+dfsg-1ubuntu7.20)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (1:2.5+dfsg-5ubuntu10.42)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (2.0.0+dfsg-2ubuntu1.47)
Patches:
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99
qemu-kvm
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist