VDB

DEBIAN-CVE-2023-5088

DEBIAN-CVE-2023-5088 PUBLISHED CVSS 7 HIGH

A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.

Risk Scores

CVSS 3.1
7
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Debian:14qemu0, 0, 0
Debian:12qemu1:7.2+dfsg-7, 0, 1:7.2+dfsg-7+deb12u1
Debian:13qemu0, 0, 0
Debian:11qemu1:5.2+dfsg-11+deb11u2, 1:5.2+dfsg-11+deb11u3, 0

Timeline

  • Nov 3, 2023 CVE Published
  • Apr 28, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›