CVE-2014-0149 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0149): Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancel_work_item data.
Hm, what happened here? The CVE description is now, "Multiple cross-site scripting (XSS) vulnerabilities in Red Hat JBoss Web Framework Kit 2.5.0 allow remote attackers to inject arbitrary web script or HTML via a (1) parameter or (2) id name."
I see what happened (thanks ionen!), the CVE is typo'd. CVE-2014-0049: "Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancel_work_item data." Fix in 3.14, https://github.com/torvalds/linux/commit/a08d3b3b99efd509133946056531cdf8f3a0c09b
