Login Sign Up

CVE-2018-17963

9.8 CRITICAL
Denial of Service

📋 TL;DR

This vulnerability in QEMU's network packet handling allows attackers to send packets larger than INT_MAX (2,147,483,647 bytes), causing integer overflow. This can lead to denial of service, memory corruption, or potential arbitrary code execution. Affects systems running vulnerable versions of QEMU/KVM virtualization software.

💻 Affected Systems

Products:
  • QEMU
  • KVM (Kernel-based Virtual Machine)
  • libvirt
  • Red Hat Virtualization
  • oVirt
  • Proxmox VE
Versions: QEMU versions before 2.12.1, 3.0.0, and 3.1.0; specific distributions have backported fixes.
Operating Systems: Linux distributions with vulnerable QEMU packages
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects QEMU when network functionality is enabled (default in most virtualization setups).

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Openstack by Redhat

View all CVEs affecting Openstack →

Openstack by Redhat

View all CVEs affecting Openstack →

Openstack by Redhat

View all CVEs affecting Openstack →

Qemu by Qemu

View all CVEs affecting Qemu →

Qemu by Qemu

View all CVEs affecting Qemu →

Qemu by Qemu

View all CVEs affecting Qemu →

Qemu by Qemu

View all CVEs affecting Qemu →

Qemu by Qemu

View all CVEs affecting Qemu →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Virtualization by Redhat

View all CVEs affecting Virtualization →

Virtualization Manager by Redhat

View all CVEs affecting Virtualization Manager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution on the QEMU host, potentially compromising the hypervisor and all guest VMs.

🟠

Likely Case

Denial of service through QEMU process crash or memory exhaustion, disrupting virtual machine operations.

🟢

If Mitigated

Limited impact if network access to QEMU is restricted and proper segmentation is in place.

🌐 Internet-Facing: HIGH - If QEMU network interfaces are exposed to untrusted networks, exploitation is straightforward.
🏢 Internal Only: MEDIUM - Requires network access to QEMU instances, but internal attackers or compromised guests could exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted network packets to vulnerable QEMU instances; proof-of-concept code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: QEMU 2.12.1, 3.0.0, 3.1.0 or later; distribution-specific patches available via security updates.

Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:2166

Restart Required: Yes

Instructions:

1. Update QEMU packages using your distribution's package manager (e.g., 'apt update && apt upgrade qemu' for Debian/Ubuntu, 'yum update qemu-kvm' for RHEL/CentOS). 2. Restart all affected virtual machines and the QEMU/libvirt services.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict network access to QEMU management interfaces and virtual machine networks using firewalls.

iptables -A INPUT -p tcp --dport 5900-5910 -j DROP
iptables -A INPUT -p tcp --dport 16509 -j DROP

Disable Unused Network Interfaces

linux

Remove or disable network interfaces in QEMU configurations that are not required.

virsh edit <vm_name> # Remove unnecessary <interface> sections

🧯 If You Can't Patch

  • Isolate QEMU hosts on dedicated network segments with strict firewall rules blocking external access.
  • Monitor for unusual network traffic patterns or QEMU process crashes as indicators of exploitation.

🔍 How to Verify

Check if Vulnerable:

Check QEMU version: 'qemu-system-x86_64 --version' or 'dpkg -l | grep qemu' or 'rpm -qa | grep qemu'. If version is below patched versions, system is vulnerable.

Check Version:

qemu-system-x86_64 --version | head -1

Verify Fix Applied:

Verify updated package is installed: 'qemu-system-x86_64 --version' should show 2.12.1, 3.0.0, 3.1.0 or higher, or distribution-specific patched version.

📡 Detection & Monitoring

Log Indicators:

  • QEMU process crashes in system logs (/var/log/syslog, /var/log/messages)
  • Kernel logs showing memory corruption or segmentation faults related to qemu

Network Indicators:

  • Unusually large network packets (>2GB) sent to QEMU management ports (e.g., VNC port 5900+, SPICE, libvirt)

SIEM Query:

source="*syslog*" AND "qemu" AND ("segmentation fault" OR "crash" OR "killed")

📊 Metadata

CVE ID: CVE-2018-17963
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-190
Published: October 9, 2018
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-17963, you might also want to check these:

CVE-2025-64721 10.0

This vulnerability in Sandboxie allows sandboxed processes to exploit an integer overflow in the Sbi...

Same vulnerability type (CWE-190)
CVE-2018-20177 9.8

CVE-2018-20177 is a critical integer overflow vulnerability in rdesktop RDP client that leads to hea...

Same vulnerability type (CWE-190)
CVE-2018-5095 9.8

An integer overflow vulnerability in the Skia graphics library allows attackers to trigger use of un...

Same vulnerability type (CWE-190)