Skip to main content
  1. Blog
  2. Article

Robbie
on 13 May 2015

Ubuntu Security Update on VENOM (CVE-2015-3456) [UPDATED]


A buffer overflow in the virtual floppy disk controller of QEMU has been discovered. An attacker could use this issue to cause QEMU to crash or execute arbitrary code in the host’s QEMU process.

This issue is mitigated in a couple ways on Ubuntu when using libvirt to manage QEMU virtual machines, which includes OpenStack’s use of QEMU. The QEMU process in the host environment is owned by a special libvirt-qemu user which helps to limit access to resources in the host environment. Additionally, the QEMU process is confined by an AppArmor profile that significantly lessens the impact of a vulnerability such as VENOM by reducing the host environment’s attack surface.

A fix for this issue has been committed in the upstream QEMU source code tracker. Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 14.10, and Ubuntu 15.04 are affected. To address the issue, ensure that qemu-kvm 1.0+noroms-0ubuntu14.22 (Ubuntu 12.04 LTS), qemu 2.0.0+dfsg-2ubuntu1.11 (Ubuntu 14.04 LTS), qemu 2.1+dfsg-4ubuntu6.6 (Ubuntu 14.10), qemu 1:2.2+dfsg-5expubuntu9.1 (Ubuntu 15.04) are installed.

For reference, the Ubuntu Security Notices website is the best place to find information on security updates and the affected supported releases of Ubuntu.  Users can get notifications via email and RSS feeds from the USN site, as well as access the Ubuntu CVE Tracker.

Related posts


Lidia Luna Puerta
17 July 2026

Tracing a memory leak bug in PID 1 and contributing an upstream fix: a Linux support story

Ubuntu Article

How Canonical Support helped a global retail organization trace the cause for an unusual memory leak originating in PID 1. By investigating the issue across three separate system layers our team was able to identify the source and fast-track a patch. ...


David Beamonte
14 July 2026

MAAS installation: bare metal provisioning is easier than ever

MAAS Ubuntu tech blog

MAAS brings cloud-like automation to physical servers. It helps teams discover, commission, deploy, and repurpose machines from a central control plane, turning bare metal into a programmable resource. But to experience that value, users first need to get MAAS up and running. That path is now cleaner and easier to follow. We’ve created ne ...


seth-arnold
11 July 2026

Januscape vulnerability CVE-2026-53359 mitigations available

Ubuntu Article

Introduction A local privilege escalation (LPE) vulnerability affecting the Linux kernel was publicly disclosed on July 6, 2026. The vulnerability was assigned CVE ID CVE-2026-53359 and is referred to as Januscape. This vulnerability affects all Ubuntu releases. Neither NVD nor Kernel.org have published their own CVSS scores for this issu ...