Rapid7’s 2026 Global Cybersecurity Summit is now available on-demand.Watch sessions.
Rapid7

vulnerability

Oracle Linux: CVE-2019-12068: ELSA-2020-5576: qemu security update (IMPORTANT)

Severity
2
CVSS
(AV:L/AC:L/Au:N/C:N/I:N/A:P)
Published
Aug 14, 2019
Added
Mar 18, 2020
Modified
Dec 3, 2025

Description

In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
A flaw was found in QEMU's LSI53C895A device emulator. When executing LSI scripts, a crafted sequence of I/O requests may cause the emulator to enter into an infinite loop. This vulnerability could be executed locally and would affect the availability of the system.

Solutions

oracle-linux-upgrade-qemuoracle-linux-upgrade-qemu-block-glusteroracle-linux-upgrade-qemu-block-iscsioracle-linux-upgrade-qemu-block-rbdoracle-linux-upgrade-qemu-commonoracle-linux-upgrade-qemu-imgoracle-linux-upgrade-qemu-kvmoracle-linux-upgrade-qemu-kvm-coreoracle-linux-upgrade-qemu-system-x86oracle-linux-upgrade-qemu-system-x86-core
Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.