Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2015-4106

QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.

Security Impact Summary

CVE-2015-4106 is a security vulnerability that . Impacting 8 products from qemu, from debian, from fedoraproject and 5 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

First disclosed in 2015, this vulnerability was reported during a period defined by widespread IoT adoption challenges, mobile security concerns, and the emergence of advanced persistent threat (APT) techniques. Contemporary mitigation strategies focused on secure development practices and third-party component vetting.

Published

2015-06-03T20:59:09.573

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 4.6 (MEDIUM)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:P/I:P/A:P

  • Access Vector: LOCAL
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

3.9

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-863
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application qemu qemu ≤ 2.3.1 Yes
Operating System debian debian_linux 7.0 Yes
Operating System debian debian_linux 8.0 Yes
Operating System fedoraproject fedora 20 Yes
Operating System fedoraproject fedora 21 Yes
Operating System fedoraproject fedora 22 Yes
Operating System suse linux_enterprise_desktop 11 Yes
Operating System suse linux_enterprise_desktop 12 Yes
Operating System suse linux_enterprise_server 11 Yes
Operating System suse linux_enterprise_server 11 Yes
Operating System suse linux_enterprise_server 11 Yes
Operating System suse linux_enterprise_server 12 Yes
Operating System suse linux_enterprise_software_development_kit 11 Yes
Operating System suse linux_enterprise_software_development_kit 12 Yes
Application citrix xenserver 6.0 Yes
Application citrix xenserver 6.0.2 Yes
Application citrix xenserver 6.1.0 Yes
Application citrix xenserver 6.2.0 Yes
Application citrix xenserver 6.5 Yes
Operating System canonical ubuntu_linux 12.04 Yes
Operating System canonical ubuntu_linux 14.04 Yes
Operating System canonical ubuntu_linux 14.10 Yes
Operating System canonical ubuntu_linux 15.04 Yes
References

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For qemu's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.