QEMU vulnerability allows for arbitrary code execution and denial of service

Did you know that malicious actors could break out of guest operating systems and attack the host operating system that QEMU runs on? Yes, they can do it by performing a "virtual machine escape."

This can lead attackers to execute code at the same privilege level as QEMU itself or crash the QEMU process entirely.

The vulnerability, designated as CVE-2019-14378, relies on the networking implementation in QEMU: A flaw in the SLiRP networking backend exists in the ip_reass() routine—used to reassemble packets—when the first fragment is larger than the m->m_dat[] buffer. Fragmentation of packets is a routine occurrence, for situations when packets are larger than the maximum transmission unit (MTU) set for a specific connection. In these situations, the fragments are reassembled by the receiving system.

The vulnerability was found during a code audit, not through finding an infected system. To date, there is no indication that this has been exploited in the wild. Naturally, patches applied to QEMU typically require a restart of the virtual machines operated by that process, which will inevitably create downtime as systems are patched. Some providers of cloud-hosted virtual machines utilize QEMU for virtualization and may be vulnerable to this flaw.