This update for qemu fixes the following issues:
Update to version 10.0.7.
Security issues fixed:
- CVE-2025-12464: stack-based buffer overflow in the e1000 network device operations can be exploited by a malicious
guest user to crash the QEMU process on the host (bsc#1253002).
- CVE-2025-11234: use-after-free in WebSocket handshake operations can be exploited by a malicious client with network
access to the VNC WebSocket port to cause a denial-of-service (bsc#1250984).
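The two issues above have different exposure conditions: CVE-2025-12464 needs a guest with an e1000 NIC model, CVE-2025-11234 needs a VNC WebSocket listener reachable from the network. The script below is an added triage example written for this advisory; it is not part of the SUSE update or of QEMU. It parses the banner printed by `qemu-system-x86_64 --version` to decide whether the host is at or above the fixed release, and inspects a guest's command line for the `-vnc ...,websocket[=port]` suboption and for `e1000` (including the `e1000-82544gc`/`e1000-82545em` variants, but not the separate `e1000e` model). The banner and the two guest command lines are constructed samples; on a real host feed in the actual argv of each qemu process (e.g. `tr '\0' ' ' < /proc/<pid>/cmdline`).

```shell
#!/usr/bin/env bash
# Added triage helpers for the two CVEs in this advisory (example code,
# not part of the SUSE update or of QEMU). All sample input below is
# constructed, not captured from a real host.

FIXED_VERSION=10.0.7

# qemu_version BANNER: extract the dotted version from a QEMU version banner.
# "QEMU emulator version 10.0.6 (qemu-10.0.6)" -> "10.0.6"
qemu_version() {
    printf '%s\n' "$1" | sed -n 's/^QEMU emulator version \([0-9][0-9.]*\).*$/\1/p'
}

# version_ge A B: succeed when dotted version A is >= B (missing fields count as 0).
version_ge() {
    local a=$1 b=$2 x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "${a#*.}" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "${b#*.}" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# qemu_is_fixed BANNER: succeed when the banner's version is at or above
# the fixed release; return 2 if the banner cannot be parsed.
qemu_is_fixed() {
    local ver
    ver=$(qemu_version "$1")
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$FIXED_VERSION"
}

# vnc_websocket_exposed ARGV: succeed when the command line carries a -vnc
# option with the websocket suboption (`-vnc :0,websocket` or
# `-vnc :0,websocket=5700`), i.e. the listener reached by CVE-2025-11234 is on.
vnc_websocket_exposed() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])-vnc[[:space:]]+[^[:space:]]*,websocket(=[^,[:space:]]*)?([,[:space:]]|$)'
}

# uses_e1000 ARGV: succeed when the guest has an e1000 NIC model, given as
# `-device e1000[,...]`, `-device e1000-82545em[,...]` or `model=e1000`.
# e1000e is a different device model and is deliberately not matched.
uses_e1000() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[=,[:space:]])e1000(-[0-9a-z]+)?([,[:space:]]|$)'
}

# guest_exposures ARGV: print the CVEs from this advisory that apply to the
# guest while the host QEMU is unpatched, or "none".
guest_exposures() {
    local out=""
    if uses_e1000 "$1"; then out="CVE-2025-12464"; fi
    if vnc_websocket_exposed "$1"; then out="${out:+$out,}CVE-2025-11234"; fi
    echo "${out:-none}"
}

# Constructed sample input (hypothetical guest names and options).
SAMPLE_BANNER='QEMU emulator version 10.0.6 (qemu-10.0.6)'
SAMPLE_GUEST_A='qemu-system-x86_64 -name web01 -vnc :0,websocket=5700 -device e1000,netdev=n0 -netdev user,id=n0'
SAMPLE_GUEST_B='qemu-system-x86_64 -name db01 -vnc :1 -device e1000e,netdev=n0 -netdev user,id=n0'

if qemu_is_fixed "$SAMPLE_BANNER"; then
    echo "host QEMU $(qemu_version "$SAMPLE_BANNER") is at or above $FIXED_VERSION"
else
    echo "host QEMU $(qemu_version "$SAMPLE_BANNER") is below $FIXED_VERSION"
fi
for argv in "$SAMPLE_GUEST_A" "$SAMPLE_GUEST_B"; do
    name=$(printf '%s\n' "$argv" | sed -n 's/.*-name \([^ ]*\).*/\1/p')
    printf '%s: %s\n' "$name" "$(guest_exposures "$argv")"
done
```

The version comparison is against the upstream number in the banner; distribution package versions carry their own release suffix, so compare the banner rather than the rpm version string. A guest flagged for CVE-2025-11234 is only reachable if the WebSocket port is also open to untrusted networks, so check the host firewall before prioritising it.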
Other updates and bugfixes:
- Version 10.0.7:
- kvm: Fix kvm_vm_ioctl() and kvm_device_ioctl() return value
- docs/devel: Update URL for make-pullreq script
- target/arm: Fix assert on BRA.
- hw/aspeed/{xdma, rtc, sdhci}: Fix endianness to DEVICE_LITTLE_ENDIAN
- hw/core/machine: Provide a description for aux-ram-share property
- hw/pci: Make msix_init take a uint32_t for nentries
- block/io_uring: avoid potentially getting stuck after resubmit at the end of ioq_submit()
- block-backend: Fix race when resuming queued requests
- ui/vnc: Fix qemu abort when query vnc info
- chardev/char-pty: Do not ignore chr_write() failures
- hw/display/exynos4210_fimd: Account for zero length in fimd_update_memory_section()
- hw/arm/armv7m: Disable reentrancy guard for v7m_sysreg_ns_ops MRs
- hw/arm/aspeed: Fix missing SPI IRQ connection causing DMA interrupt failure
- migration: Fix transition to COLO state from precopy
- Full backport list: https://lore.kernel.org/qemu-devel/1765037524.347582.2700543.nullmailer@tls.msk.ru/
- Version 10.0.6:
- linux-user/microblaze: Fix little-endianness binary
- target/hppa: correct size bit parity for fmpyadd
- target/i386: user: do not set up a valid LDT on reset
- async: access bottom half flags with qatomic_read
- target/i386: fix x86_64 pushw op
- i386/tcg/smm_helper: Properly apply DR values on SMM entry / exit
- i386/cpu: Prevent delivering SIPI during SMM in TCG mode
- i386/kvm: Expose ARCH_CAP_FB_CLEAR when...