Update README.md

This commit is contained in:
cts 2026-05-15 22:39:59 +09:00 committed by stong
parent f686432608
commit 5a1bbe08b5


@ -1,5 +1,7 @@
# QEMUtiny # QEMUtiny
https://github.com/user-attachments/assets/9ff4e5f2-9bfe-405a-a6b9-2ee43fb8352a
## Abstract ## Abstract
QEMUtiny is a memory corruption vulnerability in QEMU's implementation of CXL Type-3 QEMUtiny is a memory corruption vulnerability in QEMU's implementation of CXL Type-3
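Review bot: the inserted line directly under the `# QEMUtiny` heading is a bare `https://github.com/user-attachments/assets/...` URL with no caption or alt text, so it only renders as an embedded video on GitHub and reads as an opaque link everywhere else; add a one-line description of what the recording shows (for example "Demo: the PoC running against a QEMU guest with a CXL Type-3 device") so the README stays self-describing when mirrored.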
@ -7,9 +9,9 @@ device emulation, reported against QEMU master `007b29752e` and confirmed
working against `5e61afe` (May 11, 2026). working against `5e61afe` (May 11, 2026).
QEMUtiny was discovered autonomously with [V12](https://v12.sh) by Aaron Esau of the QEMUtiny was discovered autonomously with [V12](https://v12.sh) by Aaron Esau of the
[V12 security team](https://x.com/v12sec). The PoC was prepared by [@xia0o0o0o](https://xia0.sh/). [V12 security team](https://x.com/v12sec).
> Want to find issues like this in your own code? Try V12 at https://v12.sh. > Want to find issues like this in your own code? Try V12 at [v12.sh](https://v12.sh).
The PoC chains two CXL mailbox bugs in `hw/cxl/cxl-mailbox-utils.c`: an The PoC chains two CXL mailbox bugs in `hw/cxl/cxl-mailbox-utils.c`: an
out-of-bounds read in `GET_LOG`, followed by an out-of-bounds write in out-of-bounds read in `GET_LOG`, followed by an out-of-bounds write in
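Review bot: the sentence crediting [@xia0o0o0o](https://xia0.sh/) for the PoC is removed from this paragraph while the very next sentence still opens with "The PoC chains two CXL mailbox bugs", so a reader now meets "the PoC" before any attribution or definition; the credit reappears in the later Credit hunk, which is fine, but consider keeping a short pointer here (e.g. "see Credit") or rephrasing to "The accompanying PoC chains ..." so the paragraph stands on its own. The change from a raw `https://v12.sh` to the markdown link `[v12.sh](https://v12.sh)` in the blockquote is a good cleanup.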
@ -128,4 +130,4 @@ The full QEMUtiny chain uses two bugs.
## Credit ## Credit
Found with V12 by Aaron Esau of the V12 security team. Found with V12 by Aaron Esau of the V12 security team. The weaponized PoC (qemu escape) was prepared by [@xia0o0o0o](https://xia0.sh/).
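Review bot: the added Credit sentence writes "qemu escape" in lowercase while every other mention in the README uses "QEMU" (`QEMU's implementation`, `QEMU master`); use "QEMU escape" for consistency. It also introduces the term "weaponized PoC" that the Abstract does not use (the Abstract describes the PoC as a chain of two CXL mailbox bugs); either use the same description in both places or have the Abstract state that the PoC achieves a guest-to-host escape, so the two sections agree on what is being credited.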