CVE-2008-2382

Exp

The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message.

Published: 2008-12-24 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2008-2382 is rated High Exploit Risk (62.5/100): CVSS Medium severity, with high exploitation likelihood (EPSS 6.62%, 93th percentile). Core evidence: 3 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2008-2382

EDB-ID Source Kind Published Link
32675 exploit_db edb 2008-12-22 Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2008-2382

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 21.40% 6.62% -14.79%
2 2026-02-13 20.26% 21.40% +1.15%
3 2026-02-01 20.26%

Full EPSS history (12 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2008-2382

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.0 2.0 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:N)
No integrity impact.
Availability impact (A:P)
Partial availability impact.
10.0 2.9 [email protected]

Weakness enumeration for CVE-2008-2382

OS Trackers for CVE-2008-2382

vendor priority summary link
debian not yet assigned CVE-2008-2382 not yet assigned priority: Debian including 1 source packages (qemu), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2008-2382
redhat medium https://access.redhat.com/security/cve/CVE-2008-2382
suse medium CVE-2008-2382 severity moderate: SUSE including 247 source package names (kvm-0.12.3-0.11.1, kvm-0.15.1-0.17.3, …), 331 product×package rows across 26 product lines (SUSE Linux Enterprise Desktop 12, SUSE Linux Enterprise Desktop 12 SP1, … (26 product lines)): Fixed 331. https://www.suse.com/security/cve/CVE-2008-2382/
ubuntu low CVE-2008-2382 low priority: Ubuntu including 8 source packages (kvm, qemu, …), 87 status rows across 11 suites (dapper, gutsy, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, oneiric, upstream): DNE 54, not-affected 17, needs-triage 8, ignored 6, released 2. https://ubuntu.com/security/CVE-2008-2382

Vendor comments (NVD) for CVE-2008-2382

  • Red Hat (2009-01-05T00:00:00)

    Not vulnerable. This issue did not affect the version of the Xen package as shipped with Red Hat Enterprise Linux 5.

Affected software / configurations for CVE-2008-2382

Vendor Product Version Raw CPE
qemu qemu <= 0.9.1 cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
qemu qemu 0.1.0 cpe:2.3:a:qemu:qemu:0.1.0:*:*:*:*:*:*:*
qemu qemu 0.1.1 cpe:2.3:a:qemu:qemu:0.1.1:*:*:*:*:*:*:*
qemu qemu 0.1.2 cpe:2.3:a:qemu:qemu:0.1.2:*:*:*:*:*:*:*
qemu qemu 0.1.3 cpe:2.3:a:qemu:qemu:0.1.3:*:*:*:*:*:*:*
qemu qemu 0.1.4 cpe:2.3:a:qemu:qemu:0.1.4:*:*:*:*:*:*:*
qemu qemu 0.1.5 cpe:2.3:a:qemu:qemu:0.1.5:*:*:*:*:*:*:*
qemu qemu 0.1.6 cpe:2.3:a:qemu:qemu:0.1.6:*:*:*:*:*:*:*
qemu qemu 0.2.0 cpe:2.3:a:qemu:qemu:0.2.0:*:*:*:*:*:*:*
qemu qemu 0.3.0 cpe:2.3:a:qemu:qemu:0.3.0:*:*:*:*:*:*:*
qemu qemu 0.4.0 cpe:2.3:a:qemu:qemu:0.4.0:*:*:*:*:*:*:*
qemu qemu 0.4.1 cpe:2.3:a:qemu:qemu:0.4.1:*:*:*:*:*:*:*
qemu qemu 0.4.2 cpe:2.3:a:qemu:qemu:0.4.2:*:*:*:*:*:*:*
qemu qemu 0.4.3 cpe:2.3:a:qemu:qemu:0.4.3:*:*:*:*:*:*:*
qemu qemu 0.5.0 cpe:2.3:a:qemu:qemu:0.5.0:*:*:*:*:*:*:*
qemu qemu 0.5.1 cpe:2.3:a:qemu:qemu:0.5.1:*:*:*:*:*:*:*
qemu qemu 0.5.2 cpe:2.3:a:qemu:qemu:0.5.2:*:*:*:*:*:*:*
qemu qemu 0.5.3 cpe:2.3:a:qemu:qemu:0.5.3:*:*:*:*:*:*:*
qemu qemu 0.5.4 cpe:2.3:a:qemu:qemu:0.5.4:*:*:*:*:*:*:*
qemu qemu 0.5.5 cpe:2.3:a:qemu:qemu:0.5.5:*:*:*:*:*:*:*
qemu qemu 0.6.0 cpe:2.3:a:qemu:qemu:0.6.0:*:*:*:*:*:*:*
qemu qemu 0.6.1 cpe:2.3:a:qemu:qemu:0.6.1:*:*:*:*:*:*:*
qemu qemu 0.7.0 cpe:2.3:a:qemu:qemu:0.7.0:*:*:*:*:*:*:*
qemu qemu 0.7.1 cpe:2.3:a:qemu:qemu:0.7.1:*:*:*:*:*:*:*
qemu qemu 0.7.2 cpe:2.3:a:qemu:qemu:0.7.2:*:*:*:*:*:*:*
qemu qemu 0.8.0 cpe:2.3:a:qemu:qemu:0.8.0:*:*:*:*:*:*:*
qemu qemu 0.8.1 cpe:2.3:a:qemu:qemu:0.8.1:*:*:*:*:*:*:*
qemu qemu 0.8.2 cpe:2.3:a:qemu:qemu:0.8.2:*:*:*:*:*:*:*
qemu qemu 0.9.0 cpe:2.3:a:qemu:qemu:0.9.0:*:*:*:*:*:*:*
kvm_qumranet kvm <= 79 cpe:2.3:a:kvm_qumranet:kvm:*:*:*:*:*:*:*:*
kvm_qumranet kvm 1 cpe:2.3:a:kvm_qumranet:kvm:1:*:*:*:*:*:*:*
kvm_qumranet kvm 2 cpe:2.3:a:kvm_qumranet:kvm:2:*:*:*:*:*:*:*
kvm_qumranet kvm 3 cpe:2.3:a:kvm_qumranet:kvm:3:*:*:*:*:*:*:*
kvm_qumranet kvm 4 cpe:2.3:a:kvm_qumranet:kvm:4:*:*:*:*:*:*:*
kvm_qumranet kvm 5 cpe:2.3:a:kvm_qumranet:kvm:5:*:*:*:*:*:*:*
kvm_qumranet kvm 6 cpe:2.3:a:kvm_qumranet:kvm:6:*:*:*:*:*:*:*
kvm_qumranet kvm 7 cpe:2.3:a:kvm_qumranet:kvm:7:*:*:*:*:*:*:*
kvm_qumranet kvm 8 cpe:2.3:a:kvm_qumranet:kvm:8:*:*:*:*:*:*:*
kvm_qumranet kvm 9 cpe:2.3:a:kvm_qumranet:kvm:9:*:*:*:*:*:*:*
kvm_qumranet kvm 10 cpe:2.3:a:kvm_qumranet:kvm:10:*:*:*:*:*:*:*
kvm_qumranet kvm 11 cpe:2.3:a:kvm_qumranet:kvm:11:*:*:*:*:*:*:*
kvm_qumranet kvm 12 cpe:2.3:a:kvm_qumranet:kvm:12:*:*:*:*:*:*:*
kvm_qumranet kvm 13 cpe:2.3:a:kvm_qumranet:kvm:13:*:*:*:*:*:*:*
kvm_qumranet kvm 14 cpe:2.3:a:kvm_qumranet:kvm:14:*:*:*:*:*:*:*
kvm_qumranet kvm 15 cpe:2.3:a:kvm_qumranet:kvm:15:*:*:*:*:*:*:*
kvm_qumranet kvm 16 cpe:2.3:a:kvm_qumranet:kvm:16:*:*:*:*:*:*:*
kvm_qumranet kvm 17 cpe:2.3:a:kvm_qumranet:kvm:17:*:*:*:*:*:*:*
kvm_qumranet kvm 18 cpe:2.3:a:kvm_qumranet:kvm:18:*:*:*:*:*:*:*
kvm_qumranet kvm 19 cpe:2.3:a:kvm_qumranet:kvm:19:*:*:*:*:*:*:*
kvm_qumranet kvm 20 cpe:2.3:a:kvm_qumranet:kvm:20:*:*:*:*:*:*:*
kvm_qumranet kvm 21 cpe:2.3:a:kvm_qumranet:kvm:21:*:*:*:*:*:*:*
kvm_qumranet kvm 22 cpe:2.3:a:kvm_qumranet:kvm:22:*:*:*:*:*:*:*
kvm_qumranet kvm 23 cpe:2.3:a:kvm_qumranet:kvm:23:*:*:*:*:*:*:*
kvm_qumranet kvm 24 cpe:2.3:a:kvm_qumranet:kvm:24:*:*:*:*:*:*:*
kvm_qumranet kvm 25 cpe:2.3:a:kvm_qumranet:kvm:25:*:*:*:*:*:*:*
kvm_qumranet kvm 26 cpe:2.3:a:kvm_qumranet:kvm:26:*:*:*:*:*:*:*
kvm_qumranet kvm 27 cpe:2.3:a:kvm_qumranet:kvm:27:*:*:*:*:*:*:*
kvm_qumranet kvm 28 cpe:2.3:a:kvm_qumranet:kvm:28:*:*:*:*:*:*:*
kvm_qumranet kvm 29 cpe:2.3:a:kvm_qumranet:kvm:29:*:*:*:*:*:*:*
kvm_qumranet kvm 30 cpe:2.3:a:kvm_qumranet:kvm:30:*:*:*:*:*:*:*
kvm_qumranet kvm 31 cpe:2.3:a:kvm_qumranet:kvm:31:*:*:*:*:*:*:*
kvm_qumranet kvm 32 cpe:2.3:a:kvm_qumranet:kvm:32:*:*:*:*:*:*:*
kvm_qumranet kvm 33 cpe:2.3:a:kvm_qumranet:kvm:33:*:*:*:*:*:*:*
kvm_qumranet kvm 34 cpe:2.3:a:kvm_qumranet:kvm:34:*:*:*:*:*:*:*
kvm_qumranet kvm 35 cpe:2.3:a:kvm_qumranet:kvm:35:*:*:*:*:*:*:*
kvm_qumranet kvm 36 cpe:2.3:a:kvm_qumranet:kvm:36:*:*:*:*:*:*:*
kvm_qumranet kvm 37 cpe:2.3:a:kvm_qumranet:kvm:37:*:*:*:*:*:*:*
kvm_qumranet kvm 38 cpe:2.3:a:kvm_qumranet:kvm:38:*:*:*:*:*:*:*
kvm_qumranet kvm 39 cpe:2.3:a:kvm_qumranet:kvm:39:*:*:*:*:*:*:*
kvm_qumranet kvm 40 cpe:2.3:a:kvm_qumranet:kvm:40:*:*:*:*:*:*:*
kvm_qumranet kvm 41 cpe:2.3:a:kvm_qumranet:kvm:41:*:*:*:*:*:*:*
kvm_qumranet kvm 42 cpe:2.3:a:kvm_qumranet:kvm:42:*:*:*:*:*:*:*
kvm_qumranet kvm 43 cpe:2.3:a:kvm_qumranet:kvm:43:*:*:*:*:*:*:*
kvm_qumranet kvm 44 cpe:2.3:a:kvm_qumranet:kvm:44:*:*:*:*:*:*:*
kvm_qumranet kvm 45 cpe:2.3:a:kvm_qumranet:kvm:45:*:*:*:*:*:*:*
kvm_qumranet kvm 46 cpe:2.3:a:kvm_qumranet:kvm:46:*:*:*:*:*:*:*
kvm_qumranet kvm 47 cpe:2.3:a:kvm_qumranet:kvm:47:*:*:*:*:*:*:*
kvm_qumranet kvm 48 cpe:2.3:a:kvm_qumranet:kvm:48:*:*:*:*:*:*:*
kvm_qumranet kvm 49 cpe:2.3:a:kvm_qumranet:kvm:49:*:*:*:*:*:*:*
kvm_qumranet kvm 50 cpe:2.3:a:kvm_qumranet:kvm:50:*:*:*:*:*:*:*

References for CVE-2008-2382

URL Tags
http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
http://secunia.com/advisories/33293 Vendor Advisory
http://secunia.com/advisories/33303 Vendor Advisory
http://secunia.com/advisories/33350
http://secunia.com/advisories/33568
http://secunia.com/advisories/34642
http://secunia.com/advisories/35062
http://securityreason.com/securityalert/4803
http://securitytracker.com/id?1021488
http://securitytracker.com/id?1021489 Exploit
http://www.coresecurity.com/content/vnc-remote-dos
http://www.securityfocus.com/archive/1/499502/100/0/threaded
http://www.securityfocus.com/bid/32910 Exploit
http://www.ubuntu.com/usn/usn-776-1
http://www.vupen.com/english/advisories/2008/3488
http://www.vupen.com/english/advisories/2008/3489
https://exchange.xforce.ibmcloud.com/vulnerabilities/47561
https://www.redhat.com/archives/fedora-package-announce/2008-December/msg01223.html
cvelogic Threat Intelligence