QEMU vulnerabilities: known CVEs & security history
QEMU · Virtualization · 421 tracked CVEs · 0 actively exploited · updated June 2026 · what is a CVE? →
This is the full list of known vulnerabilities (CVEs) across all QEMU release lines — 421 in total. A CVE here doesn't mean your version is affected — check QEMU's current status and the safe version to run.
Known QEMU CVEs
Actively-exploited and most-severe first. Showing the top 80 of 421. Open any CVE for full details.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2022-36648 | critical | 10 | 1% | 2023 |
| CVE-2017-16845 | critical | 10 | 3% | 2017 |
| CVE-2015-8556 | critical | 10 | 13% | 2017 |
| CVE-2009-3616 | critical | 9.9 | 4% | 2009 |
| CVE-2019-12929 | critical | 9.8 | 5% | 2019 |
| CVE-2019-12928 | critical | 9.8 | 23% | 2019 |
| CVE-2018-20815 | critical | 9.8 | 4% | 2019 |
| CVE-2018-17963 | critical | 9.8 | 5% | 2018 |
| CVE-2017-8380 | critical | 9.8 | 4% | 2017 |
| CVE-2016-7161 | critical | 9.8 | 6% | 2016 |
| CVE-2016-4002 | critical | 9.8 | 6% | 2016 |
| CVE-2017-7471 | critical | 9 | 1% | 2018 |
| CVE-2015-7512 | critical | 9 | 8% | 2016 |
| CVE-2012-6075 | high | 9.3 | 5% | 2013 |
| CVE-2024-24474 | high | 8.8 | 1% | 2024 |
| CVE-2020-24165 | high | 8.8 | 1% | 2023 |
| CVE-2022-35414 | high | 8.8 | 1% | 2022 |
| CVE-2022-1050 | high | 8.8 | 0% | 2022 |
| CVE-2013-4535 | high | 8.8 | 1% | 2020 |
| CVE-2018-7550 | high | 8.8 | 1% | 2018 |
| CVE-2015-7504 | high | 8.8 | 1% | 2017 |
| CVE-2017-14167 | high | 8.8 | 1% | 2017 |
| CVE-2017-5931 | high | 8.8 | 1% | 2017 |
| CVE-2016-3710 | high | 8.8 | 1% | 2016 |
| CVE-2016-1568 | high | 8.8 | 1% | 2016 |
| CVE-2022-3872 | high | 8.6 | 1% | 2022 |
| CVE-2014-0144 | high | 8.6 | 1% | 2022 |
| CVE-2016-4001 | high | 8.6 | 5% | 2016 |
| CVE-2015-1779 | high | 8.6 | 7% | 2016 |
| CVE-2021-3682 | high | 8.5 | 3% | 2021 |
| CVE-2016-2857 | high | 8.4 | 1% | 2016 |
| CVE-2017-15118 | high | 8.3 | 12% | 2018 |
| CVE-2024-6519 | high | 8.2 | 0% | 2024 |
| CVE-2021-3929 | high | 8.2 | 1% | 2022 |
| CVE-2021-3750 | high | 8.2 | 1% | 2022 |
| CVE-2021-4207 | high | 8.2 | 0% | 2022 |
| CVE-2021-4206 | high | 8.2 | 1% | 2022 |
| CVE-2021-3546 | high | 8.2 | 0% | 2021 |
| CVE-2020-35517 | high | 8.2 | 1% | 2021 |
| CVE-2018-11806 | high | 8.2 | 1% | 2018 |
| CVE-2016-1714 | high | 8.1 | 6% | 2016 |
| CVE-2015-8666 | high | 7.9 | 0% | 2017 |
| CVE-2023-0664 | high | 7.8 | 0% | 2023 |
| CVE-2022-2962 | high | 7.8 | 0% | 2022 |
| CVE-2022-0358 | high | 7.8 | 0% | 2022 |
| CVE-2013-4536 | high | 7.8 | 0% | 2021 |
| CVE-2013-4532 | high | 7.8 | 0% | 2020 |
| CVE-2013-2016 | high | 7.8 | 1% | 2019 |
| CVE-2019-13164 | high | 7.8 | 1% | 2019 |
| CVE-2019-6778 | high | 7.8 | 1% | 2019 |
| CVE-2018-16867 | high | 7.8 | 0% | 2018 |
| CVE-2018-16847 | high | 7.8 | 1% | 2018 |
| CVE-2014-0145 | high | 7.8 | 1% | 2017 |
| CVE-2017-7980 | high | 7.8 | 1% | 2017 |
| CVE-2017-7493 | high | 7.8 | 0% | 2017 |
| CVE-2016-5338 | high | 7.8 | 1% | 2016 |
| CVE-2016-5126 | high | 7.8 | 1% | 2016 |
| CVE-2010-0741 | high | 7.8 | 4% | 2010 |
| CVE-2008-5714 | high | 7.8 | 2% | 2008 |
| CVE-2020-1711 | high | 7.7 | 4% | 2020 |
| CVE-2015-8567 | high | 7.7 | 6% | 2017 |
| CVE-2015-3456 | high | 7.7 | 15% | 2015 |
| CVE-2016-9602 | high | 7.6 | 4% | 2018 |
| CVE-2023-2680 | high | 7.5 | 0% | 2023 |
| CVE-2023-3354 | high | 7.5 | 1% | 2023 |
| CVE-2021-3748 | high | 7.5 | 1% | 2022 |
| CVE-2022-26353 | high | 7.5 | 3% | 2022 |
| CVE-2021-20181 | high | 7.5 | 0% | 2021 |
| CVE-2020-7211 | high | 7.5 | 4% | 2020 |
| CVE-2019-20175 | high | 7.5 | 3% | 2019 |
| CVE-2019-15890 | high | 7.5 | 4% | 2019 |
| CVE-2019-12155 | high | 7.5 | 6% | 2019 |
| CVE-2019-12247 | high | 7.5 | 3% | 2019 |
| CVE-2019-5008 | high | 7.5 | 3% | 2019 |
| CVE-2018-20191 | high | 7.5 | 4% | 2018 |
| CVE-2018-20216 | high | 7.5 | 4% | 2018 |
| CVE-2018-20125 | high | 7.5 | 4% | 2018 |
| CVE-2018-17962 | high | 7.5 | 5% | 2018 |
| CVE-2018-17958 | high | 7.5 | 6% | 2018 |
| CVE-2018-12617 | high | 7.5 | 25% | 2018 |
341 older / lower-severity CVEs not shown — see QEMU's full record.
Is my QEMU version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Check your QEMU version → · Monitor QEMU for new CVEs →
QEMU vulnerabilities — frequently asked
How many known vulnerabilities does QEMU have?
IsItPatched tracks 421 CVEs for QEMU. 13 are critical-severity and 123 high-severity. These span every release line — what matters is whether the version you run is affected.
Does QEMU have any actively-exploited vulnerabilities?
None of QEMU's tracked CVEs are currently in CISA's KEV catalog — but new ones can be added at any time, so keep your version current.
What is the most severe QEMU vulnerability?
Among tracked issues, CVE-2022-36648 (CRITICAL, CVSS 10) ranks highest — a CWE-476 weakness.
Is QEMU safe to use?
It depends on the version. The latest supported QEMU release clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Related: QEMU security status · QEMU end-of-life · actively-exploited CVEs. Always verify against QEMU's advisories — see our disclaimer.