CVE-2016-4020: The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain…

medium6.5CVSS 3.1

AVLACLPRLUINSCCHINAN

The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).

Affected

32 ranges· showing 25

Vendor	Product	Version range	Fixed in
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
debian	debian_linux	—	—
debian	qemu	< qemu 1:2.6+dfsg-2 (bookworm)	qemu 1:2.6+dfsg-2 (bookworm)
qemu	qemu	<= 2.6.2	—
qemu	qemu	>= 0 < 1:2.6+dfsg-2	1:2.6+dfsg-2
qemu	qemu	>= 0 < 1:2.6+dfsg-2	1:2.6+dfsg-2
qemu	qemu	>= 0 < 1:2.6+dfsg-2	1:2.6+dfsg-2
qemu	qemu	>= 0 < 1:2.6+dfsg-2	1:2.6+dfsg-2
qemu	qemu	>= 0 < 2.0.0+dfsg-2ubuntu1.24	2.0.0+dfsg-2ubuntu1.24
qemu	qemu	>= 0 < 1:2.5+dfsg-5ubuntu10.1	1:2.5+dfsg-5ubuntu10.1
redhat	enterprise_linux_desktop	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_server	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_tus	—	—
redhat	enterprise_linux_server_tus	—	—
redhat	enterprise_linux_workstation	—	—

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

osv6.5MEDIUM