VENOM
VENOM is a computer security flaw that was discovered in 2015 by Jason Geffner, then a security researcher at CrowdStrike. The flaw was introduced in 2004 and affected versions of QEMU, Xen, KVM, and VirtualBox from that date until it was patched following disclosure.
The existence of the vulnerability was due to a flaw in QEMU's virtual floppy disk controller.
VENOM is registered in the Common Vulnerabilities and Exposures database as CVE-2015-3456.
Background
QEMU is a widely used emulator and hypervisor that provides device emulation and virtualization for a variety of platforms and is reused by higher-level virtualization systems such as Xen and KVM. The VENOM vulnerability arose from a defect in QEMU's implementation of the virtual floppy disk controller (FDC), which is used not only by standalone QEMU deployments but also by a range of virtualization platforms and cloud infrastructures that embed the relevant code.
Discovery and disclosure
The vulnerability was discovered by Jason Geffner, a senior security researcher at CrowdStrike, during a security review of virtual machine hypervisors. CrowdStrike coordinated disclosure with QEMU maintainers and affected vendors, including the Xen Project and Linux distribution providers, before the issue was publicly announced. The vulnerability was disclosed publicly on 13 May 2015, together with a branded website and logo under the name "VENOM", and assigned the identifier CVE-2015-3456. Security advisories and updates were issued in quick succession by vendors such as Red Hat, SUSE, Oracle and IBM in the days following disclosure.