CVE-2016-4020 — Sensitive Information Exposure in Qemu

CWE-200 — Sensitive Information Exposure9 documents8 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 75.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Canonical Ubuntu Linux Debian Linux +8 more

Timeline

PublishedMay 25

Latest updateMay 13

Description

The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 2.0 | Impact: 4.0

Affected Packages7 packages

▶Debianqemu/qemu< 1:2.6+dfsg-2+3

▶NVDqemu/qemu2.6.2

▶NVDredhat/openstack6 versions+5

▶NVDredhat/virtualization4.0

▶NVDredhat/enterprise_linux_server7.0

Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 15.10, 16.04, Enterprise Linux 7.4, 7.5, 7.6, 7.7

Patches

Patch: lists.gnu.org ↗Patch: lists.gnu.org ↗Patch: lists.gnu.org ↗

🔴Vulnerability Details

GHSA

GHSA-vcqr-cc8h-57gj: The patch_instruction function in hw/i386/kvmvapic↗2022-05-13

▶

OSV

CVE-2016-4020: The patch_instruction function in hw/i386/kvmvapic↗2016-05-25

▶

CVEList

CVE-2016-4020: The patch_instruction function in hw/i386/kvmvapic↗2016-05-25

▶

📋Vendor Advisories

Ubuntu

QEMU vulnerabilities↗2016-05-12

▶

Red Hat

Qemu: i386: leakage of stack memory to guest in kvmvapic.c↗2016-04-07

▶

Debian

CVE-2016-4020: qemu - The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize...↗2016

▶

💬Community

Bugzilla

CVE-2016-4020 qemu: qemu-kvm: Leakage of stack memory to guest in kvmvapic.c [fedora-all]↗2016-04-13

▶

Bugzilla

CVE-2016-4020 Qemu: i386: leakage of stack memory to guest in kvmvapic.c↗2016-03-02

▶