VENOM

CVE identifier: CVE-2015-3456
Date discovered: 2015
Date of public disclosure: May 13, 2015 (2015-05-13)
Date patched: May 2015
Discoverer: Jason Geffner
Affected software: QEMU; Xen; KVM; VirtualBox
Website: venom.crowdstrike.com

VENOM (short for Virtualized Environment Neglected Operations Manipulation[1]) is a computer security flaw that was discovered in 2015 by Jason Geffner, then a security researcher at CrowdStrike.[2] The flaw was introduced in 2004 and affected versions of QEMU, Xen, KVM, and VirtualBox from that date until it was patched following disclosure.[3][4]

The vulnerability was caused by a flaw in QEMU's virtual floppy disk controller.[5]

VENOM is registered in the Common Vulnerabilities and Exposures database as CVE-2015-3456.[6]

Background

QEMU is a widely used emulator and hypervisor that provides device emulation and virtualization for a variety of platforms and is reused by higher-level virtualization systems such as Xen and KVM.[7]

The VENOM vulnerability arose from a defect in QEMU's implementation of the virtual floppy disk controller (FDC), which is used not only by standalone QEMU deployments but also by a range of virtualization platforms and cloud infrastructures that embed the relevant code.[7][8]

Discovery and disclosure

The vulnerability was discovered by Jason Geffner, a senior security researcher at CrowdStrike, during a security review of virtual machine hypervisors. CrowdStrike coordinated disclosure with QEMU maintainers and affected vendors, including the Xen Project and Linux distribution providers, before the issue was publicly announced.[9][8]

The vulnerability was disclosed publicly on 13 May 2015, together with a branded website and logo under the name "VENOM", and assigned the identifier CVE-2015-3456. Security advisories and updates were issued in quick succession by vendors such as Red Hat, SUSE, Oracle and IBM in the days following disclosure.[10][11][12]

References

  1. Richard A. Clarke; Robert K. Knake (2019). The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats. Penguin. pp. 320–. ISBN 978-0-525-56197-2.
  2. "VENOM Vulnerability". Venom.crowdstrike.com. Archived from the original on May 13, 2015.
  3. Whittaker, Zack (May 13, 2015). "Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters". ZDNet. Retrieved 11 November 2017.
  4. Dan Goodin (May 14, 2015). "Extremely serious virtual machine bug threatens cloud providers everywhere". Ars Technica. Retrieved 11 November 2017.
  5. Stone, Jeff (May 14, 2015). "Venom Security Flaw: Bug Exploits Floppy Drive, But Researchers Say Threat Overstated". International Business Times. IBT Media. Retrieved 11 November 2017.
  6. Marc Dacier; Michael Bailey; Michalis Polychronakis; Manos Antonakakis (2017). Research in Attacks, Intrusions, and Defenses: 20th International Symposium, RAID 2017, Atlanta, GA, USA, September 18–20, 2017, Proceedings. Springer. pp. 422–. ISBN 978-3-319-66332-6.
  7. "TR-37 – VENOM / CVE-2015-3456 – Critical vulnerability in QEMU Floppy Disk Controller (FDC) emulation". Computer Incident Response Center Luxembourg. May 2015. Retrieved 23 November 2025.
  8. "CVE-2015-3456". Debian security tracker. Debian Project. Retrieved 23 November 2025.
  9. "CVE-2015-3456". Red Hat Customer Portal. Red Hat. Retrieved 23 November 2025.
  10. "CVE-2015-3456". SUSE security. SUSE. Retrieved 23 November 2025.
  11. "Oracle Security Alert for CVE-2015-3456 ("VENOM")". Oracle. 15 May 2015. Retrieved 23 November 2025.
  12. "Security Bulletin: Venom vulnerability affects IBM PureApplication System (CVE-2015-3456)". IBM Support. 27 May 2015. Retrieved 23 November 2025.