Ubuntu alert USN-8073-1 (qemu)
From: noreply+usn-bot@canonical.com
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-8073-1] QEMU vulnerabilities
Date: Wed, 04 Mar 2026 19:50:08 +0000
Message-ID: <E1vxsES-0001zS-Tl@lists.ubuntu.com>

==========================================================================
Ubuntu Security Notice USN-8073-1
March 04, 2026

qemu vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
- qemu: Machine emulator and virtualizer

Details:

It was discovered that the UHCI controller implementation of QEMU could be
brought into an invalid state. An attacker inside the guest could possibly
use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2024-8354)

It was discovered that QEMU incorrectly handled memory during certain VNC
operations. A remote attacker could possibly use this issue to cause QEMU
to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2025-11234)

It was discovered that the e1000 network device implementation of QEMU
could be made to write out of bounds. An attacker inside the guest could
possibly use this issue to cause QEMU to crash, resulting in a denial of
service, or possibly execute arbitrary code. This issue only affected
Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-12464)

It was discovered that the virtio-crypto device implementation of QEMU did
not limit the length of a certain path input. An attacker inside the guest
could possibly use this issue to cause QEMU to consume a large amount of
memory, resulting in a denial of service. This issue only affected Ubuntu
24.04 LTS and Ubuntu 25.10. (CVE-2025-14876)

It was discovered that the KVM Xen guest support of QEMU could be made to
read out of bounds. An attacker inside the guest could possibly use this
issue to cause QEMU to crash, resulting in a denial of service. This issue
only affected Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-0665)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  qemu-system                  1:10.1.0+ds-5ubuntu2.4
  qemu-system-arm              1:10.1.0+ds-5ubuntu2.4
  qemu-system-common           1:10.1.0+ds-5ubuntu2.4
  qemu-system-data             1:10.1.0+ds-5ubuntu2.4
  qemu-system-gui              1:10.1.0+ds-5ubuntu2.4
  qemu-system-mips             1:10.1.0+ds-5ubuntu2.4
  qemu-system-misc             1:10.1.0+ds-5ubuntu2.4
  qemu-system-modules-opengl   1:10.1.0+ds-5ubuntu2.4
  qemu-system-modules-spice    1:10.1.0+ds-5ubuntu2.4
  qemu-system-ppc              1:10.1.0+ds-5ubuntu2.4
  qemu-system-riscv            1:10.1.0+ds-5ubuntu2.4
  qemu-system-s390x            1:10.1.0+ds-5ubuntu2.4
  qemu-system-sparc            1:10.1.0+ds-5ubuntu2.4
  qemu-system-x86              1:10.1.0+ds-5ubuntu2.4
  qemu-system-x86-xen          1:10.1.0+ds-5ubuntu2.4
  qemu-system-xen              1:10.1.0+ds-5ubuntu2.4

Ubuntu 24.04 LTS
  qemu-system                  1:8.2.2+ds-0ubuntu1.13
  qemu-system-arm              1:8.2.2+ds-0ubuntu1.13
  qemu-system-common           1:8.2.2+ds-0ubuntu1.13
  qemu-system-data             1:8.2.2+ds-0ubuntu1.13
  qemu-system-gui              1:8.2.2+ds-0ubuntu1.13
  qemu-system-mips             1:8.2.2+ds-0ubuntu1.13
  qemu-system-misc             1:8.2.2+ds-0ubuntu1.13
  qemu-system-modules-opengl   1:8.2.2+ds-0ubuntu1.13
  qemu-system-modules-spice    1:8.2.2+ds-0ubuntu1.13
  qemu-system-ppc              1:8.2.2+ds-0ubuntu1.13
  qemu-system-s390x            1:8.2.2+ds-0ubuntu1.13
  qemu-system-sparc            1:8.2.2+ds-0ubuntu1.13
  qemu-system-x86              1:8.2.2+ds-0ubuntu1.13
  qemu-system-x86-xen          1:8.2.2+ds-0ubuntu1.13
  qemu-system-xen              1:8.2.2+ds-0ubuntu1.13

Ubuntu 22.04 LTS
  qemu                         1:6.2+dfsg-2ubuntu6.28
  qemu-system                  1:6.2+dfsg-2ubuntu6.28
  qemu-system-arm              1:6.2+dfsg-2ubuntu6.28
  qemu-system-common           1:6.2+dfsg-2ubuntu6.28
  qemu-system-data             1:6.2+dfsg-2ubuntu6.28
  qemu-system-gui              1:6.2+dfsg-2ubuntu6.28
  qemu-system-mips             1:6.2+dfsg-2ubuntu6.28
  qemu-system-misc             1:6.2+dfsg-2ubuntu6.28
  qemu-system-ppc              1:6.2+dfsg-2ubuntu6.28
  qemu-system-s390x            1:6.2+dfsg-2ubuntu6.28
  qemu-system-sparc            1:6.2+dfsg-2ubuntu6.28
  qemu-system-x86              1:6.2+dfsg-2ubuntu6.28
  qemu-system-x86-microvm      1:6.2+dfsg-2ubuntu6.28
  qemu-system-x86-xen          1:6.2+dfsg-2ubuntu6.28

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8073-1
  CVE-2024-8354, CVE-2025-11234, CVE-2025-12464, CVE-2025-14876,
  CVE-2026-0665

Package Information:
  https://launchpad.net/ubuntu/+source/qemu/1:10.1.0+ds-5ub...
  https://launchpad.net/ubuntu/+source/qemu/1:8.2.2+ds-0ubu...
  https://launchpad.net/ubuntu/+source/qemu/1:6.2+dfsg-2ubu...
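An added example, not part of the Ubuntu notice: a POSIX shell check covering both update steps, comparing the installed qemu-system-x86 version with the fixed version for the running release and listing QEMU processes that still execute the replaced binary and therefore still need the restart the notice calls for. The function names and the choice of qemu-system-x86 as the package to test are assumptions of this example.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the notice).

# Fixed package version per release, copied from the notice above.
fixed_version() {
    case "$1" in
        25.10) echo '1:10.1.0+ds-5ubuntu2.4' ;;
        24.04) echo '1:8.2.2+ds-0ubuntu1.13' ;;
        22.04) echo '1:6.2+dfsg-2ubuntu6.28' ;;
        *)     return 1 ;;  # release not covered by USN-8073-1
    esac
}

# True when installed ($1) sorts before fixed ($2). dpkg applies Debian
# ordering (epoch, upstream, revision), which a string compare gets wrong.
needs_update() { dpkg --compare-versions "$1" lt "$2"; }

# Print PIDs whose qemu-system-* executable was replaced on disk: the old
# file is unlinked by the upgrade, so /proc/PID/exe reads "<path> (deleted)"
# until the VM is restarted. Run as root to see other users' processes.
stale_qemu_pids() (
    for link in "${1:-/proc}"/[0-9]*/exe; do
        exe=$(readlink "$link" 2>/dev/null) || continue
        case "$exe" in
            */qemu-system-*' (deleted)')
                dir=${link%/exe}; echo "${dir##*/}" ;;
        esac
    done
)

audit() (
    release=$([ -r /etc/os-release ] && . /etc/os-release; echo "${VERSION_ID:-}")
    if ! fixed=$(fixed_version "$release"); then
        echo "release '$release' is not covered by USN-8073-1"
    elif ! installed=$(dpkg-query -W -f='${Version}' qemu-system-x86 2>/dev/null) ||
         [ -z "$installed" ]; then
        echo "qemu-system-x86 is not installed"
    elif needs_update "$installed" "$fixed"; then
        echo "VULNERABLE: installed $installed is older than $fixed"
    else
        echo "patched: installed $installed"
    fi
    echo "QEMU PIDs still on the old binary: $(stale_qemu_pids | tr '\n' ' ')"
)

audit
```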
