View at Official debian advisory, NVD, CVE.org · CVE detail
Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.
CVE-2023-2861 not yet assigned priority: Debian including 1 source packages (qemu), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 4, open 1.
A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder.