TR-37 - VENOM / CVE-2015-3456 - Critical vulnerability in QEMU Floppy Disk Controller (FDC) emulation



VENOM / CVE-2015-3456 is a kind of ‘buffer overflow’ vulnerability in the QEMU Floppy Disk Controller (FDC) emulation. It affects a variety of software products that rely either on QEMU itself or only on its Floppy Disk Controller emulation code. The vulnerability can be triggered even if floppy disk emulation is not available.

Vulnerable systems

Systems vulnerable to CVE-2015-3456:

A maintenance release of Oracle VirtualBox 4.3.28 should be released soon to fix CVE-2015-3456.

Non-vulnerable systems

The systems not vulnerable to CVE-2015-3456 are:

  • Bochs
  • Microsoft Hyper-V
  • VMware

Impact of such vulnerability in virtualization technologies

As mentioned in NIST SP 800-125 - Guide to Security for Full Virtualization Technologies:

Full virtualization has some negative security implications. Virtualization adds layers of technology, which can increase the security management burden by necessitating additional security controls. Also, combining many systems onto a single physical computer can cause a larger impact if a security compromise occurs. Further, some virtualization systems make it easy to share information between the systems; this convenience can turn out to be an attack vector if it is not carefully controlled. In some cases, virtualized environments are quite dynamic, which makes creating and maintaining the necessary security boundaries more complex.

The impact of a vulnerability in a virtualized environment should not be underestimated.


Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.


  • Version 1.0 - TLP:WHITE - First version