CVE-2015-8556

10.0 CRITICAL

📋 TL;DR

CVE-2015-8556 is a local privilege escalation vulnerability in Gentoo's QEMU package that allows local users to gain root privileges on affected systems. It affects Gentoo Linux systems running a vulnerable QEMU package version; an attacker who already has local access can use it to escalate from a regular user account to full root access.

💻 Affected Systems

Products:
  • Gentoo QEMU package
Versions: before 2.5.0-r1
Operating Systems: Gentoo Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Gentoo Linux distributions with QEMU installed. Other distributions are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full root privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement to other systems.

🟠 Likely Case

Local user or attacker with initial access escalates to root, gaining full control over the affected system.

🟢 If Mitigated

With proper access controls and patching, the impact of a failed exploit attempt is limited to denial of service or a minimal, contained privilege escalation.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: HIGH - Any compromised user account or malicious insider with local access can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local user access. Public exploit code is available and has been weaponized in attack tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.0-r1 and later

Vendor Advisory: https://security.gentoo.org/glsa/201602-01

Restart Required: No

Instructions:

1. Update the QEMU package: emerge --sync && emerge -av qemu
2. Verify the installed version is 2.5.0-r1 or later: ls /var/db/pkg/app-emulation/ | grep '^qemu-' (the Portage package database records the full Gentoo version including the -rN revision, which the upstream qemu --version output does not show)
3. Rebuild dependents if necessary: emerge @preserved-rebuild

🔧 Temporary Workarounds

Remove QEMU if not needed

Uninstall the QEMU package if virtualization functionality is not required:

emerge -C qemu

Restrict QEMU execution

Remove execute permissions or use access controls so that only authorized users can run the QEMU binaries:

chmod 750 /usr/bin/qemu-system-*
setfacl -m u:root:rwx /usr/bin/qemu-system-*

With mode 750 only the file owner and the owning group (root by default) can execute the binaries; if some accounts still need QEMU (for example the libvirt service account), place them in a dedicated group and chgrp the binaries to it rather than widening the mode again.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can execute QEMU binaries
  • Monitor for privilege escalation attempts and unusual QEMU process execution

🔍 How to Verify

Check if Vulnerable:

Check the upstream QEMU version: qemu-system-x86_64 --version | head -1

Check Version:

qemu-system-x86_64 --version 2>/dev/null | head -1; ls /var/db/pkg/app-emulation/ 2>/dev/null | grep '^qemu-'

Note that qemu --version reports only the upstream version (for example 2.5.0), not the Gentoo revision, so a host reporting 2.5.0 may still be running the unpatched 2.5.0 ebuild rather than 2.5.0-r1; the Portage database entry under /var/db/pkg/app-emulation/ is authoritative.

Verify Fix Applied:

Verify the installed package is 2.5.0-r1 or higher: ls /var/db/pkg/app-emulation/ | grep '^qemu-'
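The version comparison above is easy to get wrong by hand (2.5.0 is vulnerable while 2.5.0-r1 is fixed, and 2.10.0 must sort above 2.5.0). The following POSIX sh script is an added example, not part of the advisory or of the Gentoo project: it reads the installed qemu version from the Portage package database and compares it component-wise against 2.5.0-r1. It assumes plain dotted numeric versions with an optional -rN revision (no _rc or _pre suffixes) and the standard /var/db/pkg/<category>/<package>-<version> layout; the directory can be overridden for testing.

```shell
#!/bin/sh
# Added example (not from the advisory or the Gentoo project): decide whether an
# installed Gentoo app-emulation/qemu package is at or above the fixed version
# 2.5.0-r1 by reading the Portage package database, which records the full
# Gentoo version including the -rN revision (qemu --version does not).
# Assumptions: plain dotted numeric versions with an optional -rN revision
# (no _rc/_pre suffixes) and the standard /var/db/pkg/<category>/<pkg>-<ver> layout.

FIXED_VERSION="2.5.0-r1"

# Print a version as four numbers "major minor patch revision",
# e.g. "2.5.0-r1" -> "2 5 0 1" and "2.4" -> "2 4 0 0".
normalize() {
    ver=$1
    rev=0
    case "$ver" in
        *-r*) rev=${ver##*-r}; ver=${ver%-r*} ;;
    esac
    old_ifs=$IFS
    IFS=.
    read -r a b c _rest <<EOF
$ver
EOF
    IFS=$old_ifs
    printf '%d %d %d %d\n' "${a:-0}" "${b:-0}" "${c:-0}" "$rev"
}

# Return 0 (true) if version $1 is >= version $2, comparing each component
# numerically so that 2.10.0 sorts above 2.5.0.
version_ge() {
    set -- $(normalize "$1") $(normalize "$2")
    i=1
    while [ "$i" -le 4 ]; do
        eval "x=\$$i; y=\$$((i + 4))"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0   # all four components equal
}

# Echo "fixed" or "vulnerable" for a single version string.
qemu_status() {
    if version_ge "$1" "$FIXED_VERSION"; then echo fixed; else echo vulnerable; fi
}

# Inspect every qemu version recorded under the Portage database directory
# (defaults to /var/db/pkg/app-emulation; pass another path for testing).
check_installed_qemu() {
    pkgdir=${1:-/var/db/pkg/app-emulation}
    found=0
    for d in "$pkgdir"/qemu-[0-9]*; do
        [ -d "$d" ] || continue
        found=1
        ver=${d##*/qemu-}
        echo "qemu-$ver: $(qemu_status "$ver") (fix is $FIXED_VERSION or later)"
    done
    [ "$found" -eq 1 ] || echo "no app-emulation/qemu package recorded in $pkgdir"
}

check_installed_qemu
```

Run it as root or any user that can read /var/db/pkg; a "vulnerable" line means the package still needs the emerge step from the fix instructions.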

📡 Detection & Monitoring

Log Indicators:

  • Unusual QEMU process execution by non-privileged users
  • Failed privilege escalation attempts in system logs
  • Unexpected QEMU command-line arguments

Network Indicators:

  • Local privilege escalation doesn't generate network traffic

SIEM Query:

process.name:qemu-system-* AND NOT user.name:"root" AND NOT user.name:"libvirt-qemu"

(ECS field names in Lucene query syntax; the wildcard must stay outside the quotes, since a quoted "qemu-system-*" is matched literally rather than as a prefix.)
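The same rule as the SIEM query, run offline over process-execution records, as an added example that is not part of the advisory. The record format below is constructed for this example; real sources (auditd execve records, osquery, an EDR) need their own field extraction, but the logic is identical: flag any qemu-system-* launch whose user is outside the expected set, which by default is root and the libvirt-qemu service account named in the query.

```shell
#!/bin/sh
# Added example (not from the advisory): apply the SIEM rule above to a small set
# of constructed process-execution records. The "user=... comm=... args=..." line
# format is invented for this example and is not a real log format.

# Constructed sample records, one process execution per line.
SAMPLE_LOG='2016-02-01T10:00:01Z user=root comm=qemu-system-x86_64 args="-m 512 -hda vm.img"
2016-02-01T10:00:02Z user=libvirt-qemu comm=qemu-system-x86_64 args="-name guest1"
2016-02-01T10:00:03Z user=alice comm=qemu-system-x86_64 args="-m 128"
2016-02-01T10:00:04Z user=alice comm=bash args="-l"
2016-02-01T10:00:05Z user=bob comm=qemu-system-arm args="-M versatilepb"'

# Accounts expected to start QEMU on this host (adjust to the local virtualization setup).
ALLOWED_USERS="root libvirt-qemu"

# Read records on stdin; print an ALERT line for every qemu-system-* execution
# by a user not listed in ALLOWED_USERS.
flag_qemu_exec() {
    awk -v allowed="$ALLOWED_USERS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        user = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^user=/) user = substr($i, 6)
            if ($i ~ /^comm=/) comm = substr($i, 6)
        }
        if (comm ~ /^qemu-system-/ && !(user in ok)) print "ALERT: " $0
    }'
}

# Number of alerts the rule raises on the sample records.
count_sample_alerts() {
    printf '%s\n' "$SAMPLE_LOG" | flag_qemu_exec | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | flag_qemu_exec
```

On the sample records only the alice and bob launches of qemu-system-* are reported; the root and libvirt-qemu launches and alice's unrelated shell are not. Keep the allowlist tight: every account added to it is one the rule can no longer see.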
