Multiple QEMU Vulnerabilities Affecting Ubuntu Systems
Severity: Medium (Score: 57.8)
Sources: Linuxsecurity, Ubuntu
Keywords: ubuntu, qemu, security, iscsi, critical, denial, service
Severity indicators: critical
Summary
On June 9, 2026, Ubuntu announced several vulnerabilities in QEMU affecting versions 14.04 LTS to 20.04 LTS. The vulnerabilities include denial of service risks and potential arbitrary code execution due to improper handling of iSCSI responses (CVE-2020-1711) and memory operations (CVE-2020-11947). The issues primarily affect Ubuntu 14.04 LTS, with additional impacts on 16.04 LTS, 18.04 LTS, and 20.04 LTS. Attackers could exploit these vulnerabilities remotely or locally, leading to crashes and information exposure. The recommended action is to update to the latest package versions available through Ubuntu Pro. The vulnerabilities were discovered by multiple researchers, including Felipe Franciosi and Ziming Zhang.
Key Points:
- QEMU vulnerabilities affect Ubuntu versions 14.04 to 20.04 LTS.
- Denial of service and arbitrary code execution risks are present.
- Immediate updates are recommended for affected systems.
Detailed Analysis
**Impact** Ubuntu systems running QEMU across multiple LTS versions (14.04, 16.04, 18.04, and 20.04) are affected, with the most critical issues impacting Ubuntu 14.04 LTS. Vulnerabilities allow remote or local attackers to cause denial of service, crash QEMU instances, execute arbitrary code, or expose sensitive host information. The affected environments include any sectors relying on Ubuntu virtualized infrastructure, potentially disrupting business operations and risking data confidentiality on affected hosts.

**Technical Details** Attack vectors include remote exploitation via the iSCSI block driver (CVE-2020-1711, CVE-2020-11947), local guest attacks exploiting integer overflows, use-after-free, buffer overflows, infinite loops, and NULL pointer dereferences in various QEMU device emulations (e.g., SM501 display driver CVE-2020-12829, USB xHCI controller CVE-2020-14394, e1000e network device CVE-2020-15859). Exploitation can lead to denial of service, information disclosure, or arbitrary code execution during the virtualization kill chain stages of exploitation and execution. No specific IOCs or malware/tool details are provided.

**Recommended Response** Apply the latest QEMU security updates available through Ubuntu Pro for all affected LTS versions, prioritizing Ubuntu 14.04 LTS systems. Update packages include qemu, qemu-block-extra, qemu-guest-agent, qemu-kvm, and related system components. Monitor virtualization hosts for unexpected crashes or hangs indicative of exploitation attempts. Harden guest-to-host communication channels and restrict untrusted guest access to vulnerable device emulations where possible.
Source articles (2)
- USN-8412-1: QEMU vulnerabilities — Ubuntu · 2026-06-09
Felipe Franciosi, Raphael Norwitz, and Peter Turschmid discovered that the iSCSI block driver in QEMU incorrectly handled certain responses from an iSCSI server. A remote attacker could possibly use t…
- Ubuntu 20.04 QEMU Critical Denial of Service Vuln USN-8412 — Linuxsecurity · 2026-06-09
A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 20.04 LTS, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS. Summary: Several security issues were fixed in QEMU.…
Timeline
- 2020-02-11 — CVE-2020-1711 published: Vulnerability in iSCSI block driver allows remote attackers to cause denial of service or execute code.
- 2020-07-02 — CVE-2020-15469 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2020-07-21 — CVE-2020-15859 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2020-07-28 — CVE-2020-15863 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2020-08-31 — CVE-2020-12829 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2020-09-25 — CVE-2020-25625 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2020-09-25 — CVE-2020-25084 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2020-11-06 — CVE-2020-27617 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2020-11-30 — CVE-2020-25624 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2020-12-02 — CVE-2020-25723 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
CVEs
- CVE-2020-11947
- CVE-2020-12829
- CVE-2020-14394
- CVE-2020-15469
- CVE-2020-15859
- CVE-2020-15863
- CVE-2020-1711
- CVE-2020-17380
- CVE-2020-25084
- CVE-2020-25624
- CVE-2020-25625
- CVE-2020-25723
- CVE-2020-27617
- CVE-2020-29443
- CVE-2020-35504
- CVE-2020-35505
- CVE-2021-20181
- CVE-2021-20196
- CVE-2021-20203
- CVE-2021-20221
- CVE-2021-20257
- CVE-2021-3409
- CVE-2021-3416
- CVE-2021-3507
- CVE-2021-3527
- CVE-2021-4206
- CVE-2021-4207
- CVE-2023-2861
- CVE-2023-3180
- CVE-2023-3354
Related entities
- Data Breach (Attack Type)
- DDoS (Attack Type)
- Denial of Service (Attack Type)
- CWE-125 - Out-of-bounds Read (CWE)
- CWE-190 - Integer Overflow or Wraparound (CWE)
- CWE-200 - Exposure of Sensitive Information (CWE)
- CWE-416 - Use After Free (CWE)
- CWE-476 - NULL Pointer Dereference (CWE)
- CWE-787 - Out-of-bounds Write (CWE)
- QEMU (Platform)
- Ubuntu (Company)