CVE-2018-7550

Public on 2018-03-01

Modified on 2018-09-15

Description

Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur while loading a kernel image during the guest boot, if mh_load_end_addr address is greater than the mh_bss_end_addr address. A user or process could use this flaw to potentially achieve arbitrary code execution on a host.

Severity

Medium

See what this means

CVSS v3 Base Score

7.8

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	qemu-kvm	2018-09-05 19:33	ALAS-2018-1073
Amazon Linux 2 - Core	qemu-kvm	2018-09-12 22:19	ALAS2-2018-1073

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv2	6.2	AV:L/AC:H/Au:N/C:C/I:C/A:C
Amazon Linux	CVSSv3	7.8	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD	CVSSv3	8.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD	CVSSv2	4.6	AV:L/AC:L/Au:N/C:P/I:P/A:P

References

Red Hat: CVE-2018-7550 Mitre: CVE-2018-7550 FAQs regarding Amazon Linux ALAS/CVE Severity