CVE-2014-0144

QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process.

Published: 2022-09-28 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2014-0144 is rated Moderate Risk (55.1/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.00%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2014-0144

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.64% 1.00% +0.36%
2 2025-12-16 1.10% 0.64% -0.46%
3 2025-12-14 1.10%

Full EPSS history (18 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2014-0144

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
8.6 3.1 HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
1.8 6.0 [email protected]

Weakness enumeration for CVE-2014-0144

OS Trackers for CVE-2014-0144

vendor priority summary link
debian not yet assigned CVE-2014-0144 not yet assigned priority: Debian including 1 source packages (qemu), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2014-0144
gentoo high CVE-2014-0144: 1 GLSA(s) (201408-17), 1 atom(s) (app-emulation/qemu); latest impact high. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2014-0144
redhat medium https://access.redhat.com/security/cve/CVE-2014-0144
suse medium CVE-2014-0144 severity moderate: SUSE including 293 source package names (kvm, kvm-1.4.2-0.11.1, …), 1057 product×package rows across 75 product lines (HPE Helion OpenStack 8, SUSE CaaS Platform 4.5, … (75 product lines)): Known Not Affected 727, Fixed 330. https://www.suse.com/security/cve/CVE-2014-0144/
ubuntu medium CVE-2014-0144 medium priority: Ubuntu including 2 source packages (qemu, qemu-kvm), 12 status rows across 6 suites (lucid, precise, quantal, saucy, trusty, upstream): DNE 5, released 3, ignored 2, needs-triage 1, not-affected 1. https://ubuntu.com/security/CVE-2014-0144

Affected software / configurations for CVE-2014-0144

Vendor Product Version Raw CPE
qemu qemu < 2.0.0 cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
redhat virtualization 3.0 cpe:2.3:a:redhat:virtualization:3.0:*:*:*:*:*:*:*
redhat enterprise_linux_desktop 6.0 cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
redhat enterprise_linux_eus 6.5 cpe:2.3:o:redhat:enterprise_linux_eus:6.5:*:*:*:*:*:*:*
redhat enterprise_linux_openstack_platform 5 cpe:2.3:o:redhat:enterprise_linux_openstack_platform:5:*:*:*:*:*:*:*
redhat enterprise_linux_server 6.0 cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
redhat enterprise_linux_server_aus 6.5 cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*
redhat enterprise_linux_server_tus 6.5 cpe:2.3:o:redhat:enterprise_linux_server_tus:6.5:*:*:*:*:*:*:*
redhat enterprise_linux_workstation 6.0 cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

References for CVE-2014-0144

URL Tags
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=24342f2cae47d03911e346fe1e520b00dc2818e0
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=2d51c32c4b511db8bb9e58208f1e2c25e4c06c85
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=5dab2faddc8eaa1fb1abdbe2f502001fc13a1b21
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=63fa06dc978f3669dbfd9443b33cde9e2a7f4b41
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=6d4b9e55fc625514a38d27cff4b9933f617fa7dc
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=7b103b36d6ef3b11827c203d3a793bf7da50ecd6
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=97f1c45c6f456572e5b504b8614e4a69e23b8e3a
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=a1b3955c9415b1e767c130a2f59fee6aa28e575b
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=ce48f2f441ca98885267af6fd636a7cb804ee646
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=d65f97a82c4ed48374a764c769d4ba1ea9724e97
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=f56b9bc3ae20fc93815b34aa022be919941406ce
http://rhn.redhat.com/errata/RHSA-2014-0420.html Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-0421.html Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1079240 Issue Tracking Patch Third Party Advisory
https://www.vulnerabilitycenter.com/#%21vul=44767
cvelogic Threat Intelligence