QEMU Flaws Enable Denial of Service, Information Disclosure, and Data Manipulation
German government CERT advisories disclosed multiple QEMU vulnerabilities that affect virtualized environments and could let attackers trigger denial of service, expose sensitive information, and in one case manipulate data. One advisory describes a flaw leading to service disruption and information disclosure, while a later notice expands the impact to include data manipulation, indicating broader risk to guest or host operations depending on deployment and exposure.
The advisories identify QEMU as the affected component and warn that organizations relying on the emulator and virtualization stack may face risks to availability, confidentiality, and integrity. Operators of cloud, server, and lab environments using QEMU should review the relevant vendor guidance and apply available updates or mitigations to reduce the chance of exploitation against virtual machines and supporting infrastructure.
Timeline
Apr 14, 2026
dCERT publishes QEMU advisory 2026-1062
dCERT published advisory 2026-1062 for QEMU, describing a separate vulnerability that could enable data manipulation, information disclosure, and denial of service.
Feb 20, 2026
dCERT publishes QEMU advisory 2026-0456
dCERT published advisory 2026-0456 for QEMU, warning that a vulnerability could allow denial of service and information disclosure.
Related Stories

Multiple Vulnerabilities Disclosed in Proxmox Virtual Environment
German CERT published two advisories affecting **Proxmox Virtual Environment (PVE)**, including one issue that can lead to **information disclosure** and a later notice covering **multiple vulnerabilities** in the virtualization platform. The advisories, `2026-1012` and `2026-1243`, indicate that organizations running Proxmox should review exposed management infrastructure and assess whether sensitive data or administrative functions could be affected. The notices provide limited public detail, but the combination of an information disclosure flaw and additional unspecified weaknesses raises concern for enterprises using Proxmox to host virtual machines and manage clustered infrastructure. Security teams should identify all PVE deployments, monitor vendor and CERT updates for affected versions and patches, and prioritize remediation or compensating controls on internet-reachable or business-critical systems.
1 week ago
QEMU QXL Heap Overflows Expose Hosts to Guest-to-Host Memory Corruption
STAR Labs disclosed two vulnerabilities in QEMU’s **QXL** para-virtualized video device, tracked as `CVE-2021-4206` and `CVE-2021-4207`, that can trigger heap overflows during cursor handling. In the first flaw, guest-controlled cursor width and height values can cause an integer overflow in `cursor_alloc()`, leading to an undersized heap allocation before `qxl_unpack_chunks()` copies more data than allocated with `memcpy()`. In the second, a race condition allows guest-controlled cursor metadata to change after allocation but before size calculations, creating a mismatch that again lets `qxl_unpack_chunks()` write past the heap buffer.
3 weeks ago
Public PoC Exploits Surfaced for CVE-2026-34177 and CVE-2025-7389
Public GitHub repositories were flagged for newly published proof-of-concept exploits tied to two high-severity vulnerabilities: **`CVE-2026-34177`**, a VM low-level restriction bypass involving `raw.apparmor` and `raw.qemu.conf`, and **`CVE-2025-7389`**, an unauthorized arbitrary file-read issue via RMI in an AdminServer interface. The monitoring identified repositories advertising exploit code or demonstrations for both flaws, indicating that offensive tradecraft is now publicly accessible. The referenced tracking activity monitors GitHub for exploit and PoC publications, ranks results by most recently updated repositories, and limits visible results to the first 15 entries for performance reasons. For defenders, the appearance of public exploit material raises the urgency of validating exposure to affected virtualization and AdminServer deployments, prioritizing patching or mitigations, and increasing detection coverage for exploitation attempts targeting these CVEs.
3 weeks ago