In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.
http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00073.html
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00072.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00007.html
https://access.redhat.com/errata/RHSA-2019:1883
https://access.redhat.com/errata/RHSA-2019:1968
https://access.redhat.com/errata/RHSA-2019:2425
https://access.redhat.com/errata/RHSA-2019:2892
https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg03132.html
https://seclists.org/bugtraq/2019/May/76
https://usn.ubuntu.com/3923-1/