A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when a guest accesses the config space of a virtio device. If the virtio device has a zero- or small-sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host.
CVSS v2
Base Score: 6.9
Impact Score: 10
Exploitability Score: 3.4

CVSS v3
Base Score: 7.8
Impact Score: 5.9
Exploitability Score: 1.8
cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:* versions from 1.3.0 to 1.4.2 (inclusive)
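
The description above turns on address validation for a zero- or small-sized config space. The C model below is an added example, not QEMU's code: it assumes a check that subtracts the access width from the config length, and the struct, function names and sample buffer are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a device config space (names are illustrative). */
struct dev_config {
    const uint8_t *data; /* backing buffer */
    size_t len;          /* 0 for a device that exposes no config fields */
};

static const uint8_t SAMPLE[4] = {0x11, 0x22, 0x33, 0x44}; /* constructed */
static const struct dev_config EMPTY = {SAMPLE, 0};
static const struct dev_config SMALL = {SAMPLE, 2};
static const struct dev_config FULL  = {SAMPLE, 4};

/* Weak form (assumed): len - width wraps when len < width, because both
 * are unsigned, so every addr is accepted for zero/small config spaces. */
static int check_unsafe(const struct dev_config *c, uint32_t addr, size_t width)
{
    return !(addr > c->len - width);
}

/* Hardened form: reject width > len first, so the subtraction cannot wrap. */
static int check_safe(const struct dev_config *c, uint32_t addr, size_t width)
{
    return width <= c->len && (size_t)addr <= c->len - width;
}

/* Little-endian read of `width` (1, 2 or 4) bytes; all-ones when rejected. */
static uint32_t config_read(const struct dev_config *c, uint32_t addr, size_t width)
{
    uint32_t v = 0;
    if (!check_safe(c, addr, width))
        return UINT32_MAX;
    for (size_t i = 0; i < width; i++)
        v |= (uint32_t)c->data[addr + i] << (8 * i);
    return v;
}

int main(void)
{
    printf("len=0 addr=4096 width=4: unsafe=%d safe=%d\n",
           check_unsafe(&EMPTY, 4096, 4), check_safe(&EMPTY, 4096, 4));
    printf("len=2 addr=0 width=4:    unsafe=%d safe=%d\n",
           check_unsafe(&SMALL, 0, 4), check_safe(&SMALL, 0, 4));
    printf("len=4 addr=0 width=4:    value=0x%08x\n",
           (unsigned)config_read(&FULL, 0, 4));
    return 0;
}
```

Both checks agree whenever the config space is at least as large as the access; they diverge only in the zero/small case the description calls out.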