qemu - Debian Package Tracker

general

source: qemu (main)
version: 1:10.1.0+ds-2
maintainer: Debian QEMU Team (archive) (DMD)
uploaders: Michael Tokarev [DMD]
arch: all
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:5.2+dfsg-11+deb11u3
o-o-sec: 1:5.2+dfsg-11+deb11u4
oldstable: 1:7.2+dfsg-7+deb12u13
old-sec: 1:7.2+dfsg-7+deb12u15
old-bpo: 1:10.0.2+ds-2~bpo12+1
old-p-u: 1:7.2+dfsg-7+deb12u16
stable: 1:10.0.2+ds-2
stable-sec: 1:10.0.2+ds-2+deb13u1
stable-p-u: 1:10.0.3+ds-0+deb13u1
testing: 1:10.0.3+ds-4
unstable: 1:10.1.0+ds-2

versioned links

1:5.2+dfsg-11+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:5.2+dfsg-11+deb11u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.2+dfsg-7+deb12u13: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.2+dfsg-7+deb12u15: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.2+dfsg-7+deb12u16: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:10.0.2+ds-2~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:10.0.2+ds-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:10.0.2+ds-2+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:10.0.3+ds-0+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:10.0.3+ds-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:10.0.3+ds-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:10.1.0+ds-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

qemu-block-extra (1 bugs: 0, 1, 0, 0)
qemu-guest-agent (1 bugs: 0, 0, 1, 0)
qemu-system (6 bugs: 0, 2, 4, 0)
qemu-system-arm (3 bugs: 0, 1, 2, 0)
qemu-system-common (5 bugs: 0, 0, 5, 0)
qemu-system-data (1 bugs: 0, 0, 1, 0)
qemu-system-gui (2 bugs: 0, 2, 0, 0)
qemu-system-mips
qemu-system-misc
qemu-system-modules-opengl
qemu-system-modules-spice (1 bugs: 0, 1, 0, 0)
qemu-system-ppc (2 bugs: 0, 2, 0, 0)
qemu-system-riscv (1 bugs: 0, 1, 0, 0)
qemu-system-s390x
qemu-system-sparc
qemu-system-x86 (20 bugs: 0, 15, 5, 0)
qemu-system-xen
qemu-user (2 bugs: 0, 1, 1, 0)
qemu-user-binfmt
qemu-utils (2 bugs: 0, 1, 1, 0)

action needed

1 binary package has unsatisfiable dependencies high

The dependencies of qemu-user-static=1:10.0.3+ds-3 cannot be satisfied in unstable on s390x, armel, armhf, mips64el, amd64, i386, arm64, and ppc64el because: conflict between qemu-user-binfmt and qemu-user-static

Created: 2025-08-23 Last update: 2025-08-31 00:31

11 security issues in sid high

There are 11 open security issues in sid.

11 important issues:

CVE-2021-3735: A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
CVE-2022-3872: An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVE-2023-1386: A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
CVE-2024-6519: A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape.
CVE-2024-8354: A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.
CVE-2024-8612: A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virito_crypto_req_complete could be larger than the true size of the data which has been sent to guest. Once virtqueue_push() finally calls dma_memory_unmap to ummap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.
CVE-2019-12067: The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVE-2020-25741: fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVE-2020-25742: pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVE-2020-25743: hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVE-2020-35503: A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

Created: 2022-07-04 Last update: 2025-08-30 00:05

11 security issues in forky high

There are 11 open security issues in forky.

11 important issues:

CVE-2021-3735: A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
CVE-2022-3872: An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVE-2023-1386: A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
CVE-2024-6519: A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape.
CVE-2024-8354: A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.
CVE-2024-8612: A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virito_crypto_req_complete could be larger than the true size of the data which has been sent to guest. Once virtqueue_push() finally calls dma_memory_unmap to ummap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.
CVE-2019-12067: The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVE-2020-25741: fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVE-2020-25742: pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVE-2020-25743: hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVE-2020-35503: A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

Created: 2025-08-09 Last update: 2025-08-30 00:05

27 security issues in bullseye high

There are 27 open security issues in bullseye.

1 important issue:

TEMP-1111844-CF9125:

15 issues postponed or untriaged:

CVE-2021-3735: (postponed; to be fixed through a stable update) A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
CVE-2022-3872: (postponed; to be fixed through a stable update) An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVE-2023-1386: (postponed; to be fixed through a stable update) A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
CVE-2024-6505: (postponed; to be fixed through a stable update) A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host.
CVE-2024-6519: (postponed; to be fixed through a stable update) A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape.
CVE-2024-7409: (postponed; to be fixed through a stable update) A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.
CVE-2024-7730: (postponed; to be fixed through a stable update) A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero.
CVE-2024-8354: (postponed; to be fixed through a stable update) A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.
CVE-2024-8612: (postponed; to be fixed through a stable update) A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virito_crypto_req_complete could be larger than the true size of the data which has been sent to guest. Once virtqueue_push() finally calls dma_memory_unmap to ummap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.
CVE-2019-12067: (postponed; to be fixed through a stable update) The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVE-2020-25741: (postponed; to be fixed through a stable update) fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVE-2020-25742: (postponed; to be fixed through a stable update) pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVE-2020-25743: (postponed; to be fixed through a stable update) hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVE-2020-35503: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-20255: (postponed; to be fixed through a stable update) A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

11 ignored issues:

CVE-2021-3611: A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU versions prior to 7.0.0.
CVE-2021-3750: A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
CVE-2021-3929: A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
CVE-2022-4144: An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.
CVE-2023-2861: A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder.
CVE-2024-3446: A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.
CVE-2024-4467: A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.
CVE-2020-15469: In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
CVE-2020-35504: A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-35505: A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-35506: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.

Created: 2025-08-22 Last update: 2025-08-30 00:05

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2025-01-06 Last update: 2025-08-31 00:01

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2025-08-21 Last update: 2025-08-30 22:36

lintian reports 18 warnings normal

Lintian reports 18 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-08-12 Last update: 2025-08-30 09:03

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-08-19 Last update: 2025-08-19 06:28

debian/patches: 7 patches to forward upstream low

Among the 19 debian patches available in version 1:10.1.0+ds-2 of the package, we noticed the following issues:

7 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-08-30 10:01

12 low-priority security issues in trixie low

There are 12 open security issues in trixie.

12 issues left for the package maintainer to handle:

CVE-2021-3735: (postponed; to be fixed through a stable update) A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
CVE-2022-3872: (postponed; to be fixed through a stable update) An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVE-2023-1386: (postponed; to be fixed through a stable update) A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
CVE-2024-6519: (needs triaging) A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape.
CVE-2024-8354: (needs triaging) A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.
CVE-2024-8612: (needs triaging) A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virito_crypto_req_complete could be larger than the true size of the data which has been sent to guest. Once virtqueue_push() finally calls dma_memory_unmap to ummap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.
CVE-2025-8860: (needs triaging)
CVE-2019-12067: (postponed; to be fixed through a stable update) The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVE-2020-25741: (postponed; to be fixed through a stable update) fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVE-2020-25742: (postponed; to be fixed through a stable update) pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVE-2020-25743: (postponed; to be fixed through a stable update) hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVE-2020-35503: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-11 Last update: 2025-08-30 00:05

13 low-priority security issues in bookworm low

There are 13 open security issues in bookworm.

13 issues left for the package maintainer to handle:

CVE-2021-3735: (postponed; to be fixed through a stable update) A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
CVE-2022-3872: (postponed; to be fixed through a stable update) An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVE-2023-1386: (postponed; to be fixed through a stable update) A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
CVE-2024-6519: (needs triaging) A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape.
CVE-2024-7730: (needs triaging) A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero.
CVE-2024-8354: (needs triaging) A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.
CVE-2024-8612: (needs triaging) A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virito_crypto_req_complete could be larger than the true size of the data which has been sent to guest. Once virtqueue_push() finally calls dma_memory_unmap to ummap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.
CVE-2019-12067: (postponed; to be fixed through a stable update) The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVE-2020-25741: (postponed; to be fixed through a stable update) fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVE-2020-25742: (postponed; to be fixed through a stable update) pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVE-2020-25743: (postponed; to be fixed through a stable update) hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVE-2020-35503: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-20255: (postponed; to be fixed through a stable update) A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2025-08-30 00:05

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2024-09-14 Last update: 2024-09-14 08:30

testing migrations

excuses:
- Migration status for qemu (1:10.0.3+ds-4 to 1:10.1.0+ds-2): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ autopkgtest for architecture-properties/0.2.6: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for cinder/2:26.0.0-2: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻ (reference ♻), s390x: Test in progress
- ∙ ∙ autopkgtest for cloud-utils/0.33-1: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for cryptsetup/2:2.8.1-1: amd64: Pass, arm64: No tests, superficial or marked flaky ♻ (reference ♻), armel: Test in progress, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻ (reference ♻), s390x: Test in progress
- ∙ ∙ autopkgtest for debvm/0.4.5: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: Pass, riscv64: Ignored failure, s390x: Test in progress
- ∙ ∙ autopkgtest for dropbear/2025.88-2: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for edk2/2025.02-8: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for fai/6.4.3: amd64: Pass, arm64: No tests, superficial or marked flaky ♻ (reference ♻), armel: Test in progress, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻ (reference ♻), s390x: Test in progress
- ∙ ∙ autopkgtest for freedom-maker/0.34: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for ganeti/3.1.0~rc2-3: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for genimage/18-1.1: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for glance/2:30.0.0-3: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for image-garden/0.3-1: amd64: Pass, arm64: No tests, superficial or marked flaky ♻ (reference ♻), armel: Test in progress, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻ (reference ♻), s390x: Test in progress
- ∙ ∙ autopkgtest for incus/6.0.5-1: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for ipmitool/1.8.19-9: amd64: No tests, superficial or marked flaky ♻ (reference ♻), arm64: No tests, superficial or marked flaky ♻ (reference ♻), armel: Test in progress, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻ (reference ♻), s390x: Test in progress
- ∙ ∙ autopkgtest for ironic/1:29.0.0-7: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: Pass, riscv64: Ignored failure, s390x: Test in progress
- ∙ ∙ autopkgtest for ironic-python-agent/10.2.0-3: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for isa-support/27: amd64: Pass, arm64: No tests, superficial or marked flaky ♻ (reference ♻), armel: Test in progress, i386: Pass, ppc64el: No tests, superficial or marked flaky ♻ (reference ♻)
- ∙ ∙ autopkgtest for kworkflow/20191112-1.2: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for libguestfs/1:1.54.1-2: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for libstdc++-riscv64-unknown-elf/7: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for libvhdi/20240509-2: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for libvirt/11.3.0-3: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for multipath-tools/0.11.1-4: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻ (reference ♻), s390x: Test in progress
- ∙ ∙ autopkgtest for nova/2:31.0.0-7: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: Pass, riscv64: No tests, superficial or marked flaky ♻ (reference ♻), s390x: Test in progress
- ∙ ∙ autopkgtest for open-iscsi/2.1.11-2: amd64: No tests, superficial or marked flaky ♻ (reference ♻), arm64: No tests, superficial or marked flaky ♻ (reference ♻), armel: Test in progress, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻ (reference ♻), s390x: Test in progress
- ∙ ∙ autopkgtest for osk-sdl/0.67.1-4: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Failed (not a regression), s390x: Test in progress
- ∙ ∙ autopkgtest for qbe/1.2-3: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for qemu/1:10.1.0+ds-2: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for sbuild/0.90.2: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for snek/1.12-1: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for syslinux/3:6.04~git20190206.bf6db5b4+dfsg1-3.2: amd64: Pass, arm64: Failed (not a regression), armel: Test in progress, armhf: Failed (not a regression), i386: Pass, ppc64el: Failed (not a regression), riscv64: Failed (not a regression), s390x: Test in progress (will not be considered a regression)
- ∙ ∙ autopkgtest for systemd/258~rc3-1: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for vagrant/2.3.7+git20230731.5fc64cde+dfsg-4: amd64: Failed (not a regression), arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ autopkgtest for vagrant-libvirt/0.12.2-4: amd64: Failed (not a regression), arm64: No tests, superficial or marked flaky ♻ (reference ♻), armel: Test in progress, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻ (reference ♻), s390x: Test in progress
- ∙ ∙ autopkgtest for vagrant-mutate/1.2.0-4.1: amd64: Failed (not a regression), arm64: Failed (not a regression), armel: Test in progress, armhf: Failed (not a regression), i386: Failed (not a regression), ppc64el: Failed (not a regression), riscv64: Failed (not a regression), s390x: Test in progress (will not be considered a regression)
- ∙ ∙ autopkgtest for vmdb2/0.41-1: amd64: Pass, arm64: Pass, armel: Test in progress, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test in progress
- ∙ ∙ Too young, only 1 of 5 days old
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/q/qemu.html
- ∙ ∙ Ignoring non-reproducibility on amd64 (not a regression) - info ♻
- Not considered

news

[rss feed]

[2025-08-29] Accepted qemu 1:10.1.0+ds-2 (source) into unstable (Michael Tokarev)
[2025-08-27] Accepted qemu 1:10.1.0+ds-1 (source) into unstable (Michael Tokarev)
[2025-08-25] Accepted qemu 1:7.2+dfsg-7+deb12u16 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Michael Tokarev)
[2025-08-25] Accepted qemu 1:10.0.3+ds-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Michael Tokarev)
[2025-08-25] qemu 1:10.0.3+ds-4 MIGRATED to testing (Debian testing watch)
[2025-08-25] Accepted qemu 1:7.2+dfsg-7+deb12u15 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Michael Tokarev)
[2025-08-25] Accepted qemu 1:10.0.2+ds-2+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Michael Tokarev)
[2025-08-22] Accepted qemu 1:7.2+dfsg-7+deb12u15 (source) into oldstable-security (Debian FTP Masters) (signed by: Michael Tokarev)
[2025-08-22] Accepted qemu 1:10.0.2+ds-2+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Michael Tokarev)
[2025-08-21] Accepted qemu 1:10.0.3+ds-4 (source) into unstable (Michael Tokarev)
[2025-08-21] qemu 1:10.0.3+ds-3 MIGRATED to testing (Debian testing watch)
[2025-08-14] Accepted qemu 1:10.0.3+ds-3 (source) into unstable (Michael Tokarev)
[2025-08-14] Accepted qemu 1:10.1.0~rc3+ds-2 (source) into experimental (Michael Tokarev)
[2025-08-14] Accepted qemu 1:10.1.0~rc3+ds-1 (source) into experimental (Michael Tokarev)
[2025-08-11] Accepted qemu 1:10.0.3+ds-2 (source) into unstable (Michael Tokarev)
[2025-08-11] Accepted qemu 1:10.0.3+ds-1 (source) into unstable (Michael Tokarev)
[2025-08-07] Accepted qemu 1:10.0.2+ds-2~bpo12+1 (source) into stable-backports (Michael Tokarev)
[2025-08-06] Accepted qemu 1:10.1.0~rc2+ds-1 (source) into experimental (Michael Tokarev)
[2025-07-31] Accepted qemu 1:10.1.0~rc1+ds-3 (source) into experimental (Michael Tokarev)
[2025-07-31] Accepted qemu 1:10.1.0~rc1+ds-2 (source) into experimental (Michael Tokarev)
[2025-07-31] Accepted qemu 1:10.1.0~rc1+ds-1b (source) into experimental (Michael Tokarev)
[2025-07-31] Accepted qemu 1:10.1.0~rc1+ds-1a (source) into experimental (Michael Tokarev)
[2025-07-31] Accepted qemu 1:10.1.0~rc1+ds-1 (source) into experimental (Michael Tokarev)
[2025-07-28] Accepted qemu 1:10.1.0~rc0+ds-4 (source) into experimental (Michael Tokarev)
[2025-07-28] Accepted qemu 1:10.1.0~rc0+ds-3 (source) into experimental (Michael Tokarev)
[2025-07-28] Accepted qemu 1:7.2+dfsg-7+deb12u14 (source) into proposed-updates (Debian FTP Masters) (signed by: Michael Tokarev)
[2025-07-28] qemu 1:10.0.2+ds-2 MIGRATED to testing (Debian testing watch)
[2025-07-27] Accepted qemu 1:10.1.0~rc0+ds-2 (source) into experimental (Michael Tokarev)
[2025-07-27] Accepted qemu 1:10.1.0~rc0+ds-1 (source) into experimental (Michael Tokarev)
[2025-07-25] Accepted qemu 1:10.0.2+ds-2 (source) into unstable (Michael Tokarev)

bugs [bug history graph]

all: 117 126
RC: 0
I&N: 53
M&W: 64 73
F&P: 0
patch: 2

links

homepage
lintian (0, 18)
buildd: logs, checks, reproducibility, debcheck
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 94)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:10.1.0+ds-1ubuntu1
101 bugs (2 patches)