qemu-img

by cloudbasev2.3.0

Last updated Jun 8, 2026

QEMU disk image utility for Windows

Install with winget

$ winget install --id cloudbase.qemu-img --exact --version 2.3.0

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

About

It is used for converting, creating, and consistency checking of various virtual disk formats. It is compatible with Hyper-V, KVM, VMware, VirtualBox, and Xen virtualization solutions. This build has been optimized for Windows Server (x64).

Installers · v2.3.0

Architecture	Type	Scope	Install	Download
x64	ZIP archive	-		Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

25 known CVEs via NVD

medium4.2Fix availableCVE-2025-54567affects <=10.0.3Jul 24, 2025
hw/pci/pcie_sriov.c in QEMU through 10.0.3 mishandles the VF Enable bit write mask, a related issue to CVE-2024-26327.
Patch
medium4.2Fix availableCVE-2025-54566affects <=10.0.3Jul 24, 2025
hw/pci/pcie_sriov.c in QEMU through 10.0.3 has a migration state inconsistency, a related issue to CVE-2024-26327.
high7.4Fix in v9.1.0CVE-2024-7730affects before 9.1.0Nov 14, 2024
A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of th...
medium6.0Fix in v7.2.11CVE-2024-3447affects before 7.2.11, 8.2.3Nov 14, 2024
A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on...
Vendor advisory
high8.2Patched in wingetCVE-2024-6519Oct 21, 2024
A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape.
medium5.5Patched in wingetCVE-2024-8354Sep 19, 2024
A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of ser...
Vendor advisory
medium6.8Patched in wingetCVE-2024-6505Jul 5, 2024
A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap ov...
medium5.5Patched in wingetCVE-2024-3567affects before 8.2.3Apr 10, 2024
A flaw was found in QEMU. An assertion failure was present in the update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying to calculate the checksum of a short-sized fragmented packet. This flaw allows a malicious guest to crash QEMU and cause a denial of service condi...
Vendor advisory

Showing 8 of 25. Source: NVD, updated just now. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr - automated patching is the only way to keep up.

Related apps

BlueStacksnow.gg, Inc.
BlueStack.BlueStacksv5.22.166.1003
Play Android games on PC or try instantly from our cloud.
Spice webdavdThe Spice Project
Spice.SpiceWebDAVdv2.4.0
SPICE file sharing daemon for Windows guest virtual machines.
C
cv4pve-botgramCorsinvest Srl
Corsinvest.cv4pve.botgramv1.9.0
Telegram Bot for Proxmox VE management
BochsThe Bochs Project
Bochs.Bochsv3.0
Cross Platform x86 Emulator Project
QEMUQEMU Community
SoftwareFreedomConservancy.QEMUv11.0.50
A generic and open source machine emulator and virtualizer.
L
LimaLima-VM
Lima.Limav2.1.1
Linux virtual machines, with a focus on running containers.

Frequently asked questions

How do I install qemu-img on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id cloudbase.qemu-img --exact --version 2.3.0. winget downloads the installer from cloudbase and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install qemu-img silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id cloudbase.qemu-img --exact 2.3.0 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

How do I uninstall qemu-img via winget?

Run: winget uninstall --id cloudbase.qemu-img --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from qemu-img's Apps & Features entry.

Is qemu-img free?

qemu-img is distributed under GPL-2.0. Refer to the publisher (https://github.com/cloudbase/qemu) for the full license terms - Wingetly itself does not charge for installation.

Does qemu-img work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls qemu-img directly from the publisher.

How do I keep qemu-img up to date?

Run winget upgrade --id cloudbase.qemu-img --exact, or winget upgrade --all to update everything winget tracks. We index 1 version of qemu-img from microsoft/winget-pkgs.