{"id":"CVE-2019-18389","details":"A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service, or QEMU guest-to-host escape and code execution, via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.","modified":"2026-04-11T09:39:40.441937Z","published":"2019-12-23T16:15:11.167Z","related":["SUSE-SU-2020:0016-1","SUSE-SU-2020:0017-1","openSUSE-SU-2020:0058-1","openSUSE-SU-2024:11499-1"],"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00028.html"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/cve-2019-18389"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00017.html"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1765577"},{"type":"FIX","url":"https://gitlab.freedesktop.org/virgl/virglrenderer/commit/cbc8d8b75be360236cada63784046688aeb6d921"},{"type":"FIX","url":"https://gitlab.freedesktop.org/virgl/virglrenderer/merge_requests/314/diffs?commit_id=9c280a28651507e6ef87b17b90d47b6af3a4ab7d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.freedesktop.org/virgl/virglrenderer","events":[{"introduced":"0"},{"last_affected":"48cc96c9aebb9d0164830a157efc8916f08f00c0"},{"fixed":"cbc8d8b75be360236cada63784046688aeb6d921"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.8.0"}]}}],"versions":["virglrenderer-0.2.0","virglrenderer-0.4.0","virglrenderer-0.5.0","virglrenderer-0.6.0","virglrenderer-0.7.0","virglrenderer-0.8.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18389.json","vanir_signatures":[{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["212982511386522358746273595671342497611","176747774204209346806457768416224481165","169961600532525220405558589553595170244"]},"id":"CVE-2019-18389-12f47810","target":{"file":"src/virgl_hw.h"},"signature_version":"v1","signature_type":"Line","source":"https://gitlab.freedesktop.org/virgl/virglrenderer@cbc8d8b75be360236cada63784046688aeb6d921"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["150023804409513975484122868535164136886","189283878556883249191112801145573941720","2708861587290119798094756257004263193","273175914684112087963643696582796120737","323302747453226056343584605309866162966","19447575492423849005765873006358988003","181403213380005488052820626626725544696","182022676534866431682732151249749610299","263897265348195184485703119549565851941","40029899954140331364357814857549437191","65797140655162890820635426628676327462","41198977083158660322491202228300537822","7824466507393594217165901777151291835","210342644148727675093932111662672900398","87142903983319738237289855629501246278","181290981331351594553469463719138539450","260826916990242396476795429736978634242","188947903820730673702306011043215310128","271460832934047377462164318394240116979","45733689806069258237816196943054068304","322040750450432822753016762875383628083","101946048269740007793673467700116581699","160342889137666347841325691495378316651"]},"id":"CVE-2019-18389-203ebfe0","target":{"file":"src/vrend_renderer.c"},"signature_version":"v1","signature_type":"Line","source":"https://gitlab.freedesktop.org/virgl/virglrenderer@cbc8d8b75be360236cada63784046688aeb6d921"},{"deprecated":false,"digest":{"length":1233,"function_hash":"74716657909445027734381147258483684542"},"id":"CVE-2019-18389-d1eccb1c","target":{"file":"src/vrend_renderer.c","function":"vrend_renderer_transfer_iov"},"signature_version":"v1","signature_type":"Function","source":"https://gitlab.freedesktop.org/virgl/virglrenderer@cbc8d8b75be360236cada63784046688aeb6d921"},{"deprecated":false,"digest":{"length":1249,"function_hash":"284910439952181846112313075504416121027"},"id":"CVE-2019-18389-e12fc0e5","target":{"file":"src/vrend_renderer.c","function":"check_transfer_bounds"},"signature_version":"v1","signature_type":"Function","source":"https://gitlab.freedesktop.org/virgl/virglrenderer@cbc8d8b75be360236cada63784046688aeb6d921"}],"vanir_signatures_modified":"2026-04-11T09:39:40Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}