Main Vulnerability Database Vulnerabilities #VU32193

Information disclosure in Xen - CVE-2016-9932

Published: January 26, 2017 / Updated: July 28, 2020

Vulnerability identifier: #VU32193

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2016-9932

CWE-ID: CWE-200

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Xen Project

Affected software:
Xen

Detailed vulnerability description

The vulnerability allows a local authenticated user to gain access to sensitive information.

CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows local HVM guest OS users to obtain sensitive information from host stack memory via a "supposedly-ignored" operand size prefix.

How to mitigate CVE-2016-9932

Install update from vendor's website.

Sources

http://www.debian.org/security/2017/dsa-3847
http://www.securityfocus.com/bid/94863
http://www.securitytracker.com/id/1037468
http://xenbits.xen.org/xsa/advisory-200.html
https://security.gentoo.org/glsa/201612-56
https://support.citrix.com/article/CTX219378

Information disclosure in Xen - CVE-2016-9932

Detailed vulnerability description

How to mitigate CVE-2016-9932

Sources

Please verify you're human