Main Vulnerability Database Vulnerabilities #VU39963

Information disclosure in QEMU - CVE-2016-9908

Published: December 24, 2016 / Updated: August 9, 2020

Vulnerability identifier: #VU39963

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2016-9908

CWE-ID: CWE-200

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: QEMU

Affected software:
QEMU

Detailed vulnerability description

The vulnerability allows a local authenticated user to gain access to sensitive information.

Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes.

How to mitigate CVE-2016-9908

Install update from vendor's website.

Sources

http://www.openwall.com/lists/oss-security/2016/12/08/4
http://www.securityfocus.com/bid/94761
https://security.gentoo.org/glsa/201701-49

Information disclosure in QEMU - CVE-2016-9908

Detailed vulnerability description

How to mitigate CVE-2016-9908

Sources

Please verify you're human