QEMU QXL Heap Overflows Expose Hosts to Guest-to-Host Memory Corruption
STAR Labs disclosed two vulnerabilities in QEMU’s QXL para-virtualized video device, tracked as CVE-2021-4206 and CVE-2021-4207, that can trigger heap overflows during cursor handling. In the first flaw, guest-controlled cursor width and height values can cause an integer overflow in cursor_alloc(), leading to an undersized heap allocation before qxl_unpack_chunks() copies more data than allocated with memcpy(). In the second, a race condition allows guest-controlled cursor metadata to change after allocation but before size calculations, creating a mismatch that again lets qxl_unpack_chunks() write past the heap buffer.
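As an added illustration of the two bug patterns in the summary above, the C below shows a 32-bit size calculation that silently wraps, its overflow-checked replacement, and an unpack routine that snapshots guest-shared cursor metadata once so the allocation size and the copy length can never diverge. This is example code written for this page, not QEMU's `cursor_alloc()` or `qxl_unpack_chunks()`; the `guest_cursor_hdr` layout, `MAX_CURSOR_DIM`, `BYTES_PER_PIXEL` and all function names are assumptions made for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cursor header, laid out as a guest would share it with the
 * host. It is NOT QEMU's real QXLCursor structure; the field names and the
 * limits below are assumptions made for this example. volatile reflects that
 * the guest can rewrite these fields at any time. */
struct guest_cursor_hdr {
    volatile uint32_t width;
    volatile uint32_t height;
    volatile uint32_t data_size; /* bytes of pixel data the guest claims follow */
};

#define BYTES_PER_PIXEL 4u
#define MAX_CURSOR_DIM  256u /* assumed policy limit, not a QEMU value */

/* Size calculation of the kind the first flaw describes: 32-bit arithmetic
 * wraps for large width/height, so the value handed to the allocator can be
 * far smaller than the amount of data copied into the buffer afterwards. */
uint32_t naive_cursor_bytes(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened calculation: dimension bounds plus overflow-checked multiplication
 * in size_t. Returns false instead of ever yielding an undersized length. */
bool checked_cursor_bytes(uint32_t width, uint32_t height, size_t *out)
{
    size_t pixels;

    if (width == 0 || height == 0 ||
        width > MAX_CURSOR_DIM || height > MAX_CURSOR_DIM)
        return false;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &pixels))
        return false;
    if (__builtin_mul_overflow(pixels, (size_t)BYTES_PER_PIXEL, out))
        return false;
    return true;
}

/* Unpack pattern that closes the window the second flaw describes: read each
 * guest-visible field exactly once into host-private locals, derive BOTH the
 * allocation size and the copy length from that snapshot, and never consult
 * the shared header again. Returns NULL on any inconsistency. */
unsigned char *unpack_cursor(const struct guest_cursor_hdr *shared,
                             const unsigned char *guest_data,
                             size_t guest_data_len, size_t *out_len)
{
    uint32_t width   = shared->width;     /* single read of each field */
    uint32_t height  = shared->height;
    uint32_t claimed = shared->data_size;
    size_t need;
    unsigned char *buf;

    if (!checked_cursor_bytes(width, height, &need))
        return NULL;
    /* The guest's own length must match what the dimensions imply, and the
     * copy may never exceed the bytes the guest actually made available. */
    if (claimed != need || claimed > guest_data_len)
        return NULL;

    buf = malloc(need);
    if (buf == NULL)
        return NULL;
    memcpy(buf, guest_data, need); /* copy length == allocation, by construction */
    *out_len = need;
    return buf;
}

int main(void)
{
    size_t n = 0;

    /* 32768 * 32768 * 4 == 2^32, which wraps to 0 in 32-bit arithmetic. */
    printf("naive size for 32768x32768: %" PRIu32 " bytes\n",
           naive_cursor_bytes(32768, 32768));
    printf("checked size for 32768x32768: %s\n",
           checked_cursor_bytes(32768, 32768, &n) ? "accepted" : "rejected");
    printf("checked size for 64x64: %s, %zu bytes\n",
           checked_cursor_bytes(64, 64, &n) ? "accepted" : "rejected", n);
    return 0;
}
```

The `volatile` qualifier matters more than it looks: without it, nothing stops the compiler from re-loading `shared->width` from memory at the point of use instead of keeping the first value, which would re-open the race the locals are meant to close. A `memcpy()` of the whole header into a private struct achieves the same thing.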
Timeline
Mar 28, 2022
QEMU patches CVE-2021-4206 and CVE-2021-4207
The vendor released fixes for CVE-2021-4206 and CVE-2021-4207, two QXL-related heap overflow vulnerabilities in QEMU. The flaws could be exploited by a highly privileged attacker inside a guest VM using a QXL video device with VNC graphics.
Dec 28, 2021
STAR Labs reports QEMU QXL heap overflow flaws to vendor
STAR Labs disclosed two QEMU QXL heap overflow vulnerabilities, CVE-2021-4206 and CVE-2021-4207, to the vendor. Both issues involved guest-controlled cursor metadata leading to heap corruption under specific QXL and VNC configurations.
Related Stories

QEMU Flaws Enable Denial of Service, Information Disclosure, and Data Manipulation
German government CERT advisories disclosed multiple **QEMU** vulnerabilities that affect virtualized environments and could let attackers trigger **denial of service**, expose sensitive information, and in one case manipulate data. One advisory describes a flaw leading to service disruption and information disclosure, while a later notice expands the impact to include **data manipulation**, indicating broader risk to guest or host operations depending on deployment and exposure. The advisories identify QEMU as the affected component and warn that organizations relying on the emulator and virtualization stack may face risks to **availability**, **confidentiality**, and **integrity**. Operators of cloud, server, and lab environments using QEMU should review the relevant vendor guidance and apply available updates or mitigations to reduce the chance of exploitation against virtual machines and supporting infrastructure.
3 weeks ago
KVM Shadow Paging Use-After-Free Exposes x86 Hosts to Guest-Triggered Memory Corruption
A use-after-free vulnerability in KVM's shadow paging code was disclosed after researchers Alexander Bulekov and Fred Griffoul of Amazon found stale reverse mappings in shadow EPT through fuzzing. The flaw affects x86 guests and is exploitable when nested virtualization is enabled on Intel or AMD processors, or when systems use shadow paging with EPT or NPT disabled. Maintainers said the bug can lead to kernel memory corruption and denial of service on the host, making it a guest-to-host risk in affected virtualization setups. The disclosure was coordinated by Sandipan Roy, who said reporters and maintainers agreed to an embargo that ended on March 29, 2026 at 16:00 UTC. Solar Designer said the issue had first been shared with the `linux-distros` list on March 10, 2026 and acknowledged the embargo exceeded that list's usual 14-day limit without prior approval, though it was allowed because the overrun was moderate and multiple stakeholders were already involved. The discussion also noted that on Linux kernels `6.16` and newer, the reproducer hits a `WARN` introduced by commit `11d45175111d`, raising questions about whether `panic_on_warn` could reduce exploitability.
1 month ago
Oracle VirtualBox E1000 Flaws Enable Guest Memory Leak and Host Escape
Oracle VirtualBox's emulated Intel PRO/1000 MT Desktop (`E1000`) network adapter was found to contain multiple security flaws that let attackers abuse packet-processing logic from inside a guest VM. One issue, tracked as **`CVE-2020-2894`**, affects VirtualBox 6.1.0 and stems from improper validation in `e1kInsertChecksum()`, allowing checksum operations to read beyond a packet buffer and disclose adjacent memory. By manipulating checksum end offsets, an attacker in a guest can leak host-side data incrementally through the virtual NIC path. A separate flaw, **`CVE-2019-2722`**, impacts VirtualBox 5.2.28 and earlier and 6.0.6 and earlier, where an integer underflow in `e1kFallbackAddToFrame()` can trigger a heap out-of-bounds write in host memory. An attacker with root or administrator privileges in the guest can craft transmit descriptors to corrupt host memory and potentially escape the VM to host ring 3. Both vulnerabilities were disclosed through Trend Micro Zero Day Initiative's **Pwn2Own** program, and Oracle released fixes through its security update process.
3 weeks ago