CVE-2016-9845 — Sensitive Information Exposure in Qemu

CWE-200 — Sensitive Information Exposure10 documents7 sources

Severity

6.5MEDIUMNVD

OSV5.5

EPSS

0.1%

top 73.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu

Timeline

PublishedDec 29

Latest updateMay 13

Description

QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 2.0 | Impact: 4.0

Affected Packages4 packages

▶NVDqemu/qemu< 2.8.0+1

▶debiandebian/qemu< qemu 1:2.8+dfsg-1 (bookworm)

▶Debianqemu/qemu< 1:2.8+dfsg-1+3

▶Ubuntuqemu/qemu< 2.0.0+dfsg-2ubuntu1.33+1

Patches

Patch: lists.nongnu.org ↗Patch: lists.nongnu.org ↗

🔴Vulnerability Details

GHSA

GHSA-4q8m-h7mw-rppj: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue↗2022-05-13

▶

OSV

qemu vulnerabilities↗2017-04-20

▶

OSV

CVE-2016-9845: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue↗2016-12-29

▶

📋Vendor Advisories

Ubuntu

QEMU vulnerabilities↗2017-04-20

▶

Red Hat

Qemu: display: virtio-gpu-3d: information leakage in virgl_cmd_get_capset_info↗2016-11-01

▶

Debian

CVE-2016-9845: qemu - QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is v...↗2016

▶

💬Community

Bugzilla

CVE-2016-9845 Qemu: display: virtio-gpu-3d: information leakage in virgl_cmd_get_capset_info [fedora-all]↗2016-12-07

▶

Bugzilla

CVE-2016-9845 Qemu: display: virtio-gpu-3d: information leakage in virgl_cmd_get_capset_info↗2016-12-07

▶

Bugzilla

CVE-2014-9845 ImageMagick: crash due to corrupted dib file↗2016-06-07

▶