CVE-2016-9908 — Sensitive Information Exposure in Qemu

CWE-200 — Sensitive Information Exposure10 documents7 sources

Severity

3.3LOWNVD

OSV5.5

EPSS

0.1%

top 77.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu

Timeline

PublishedDec 23

Latest updateMay 13

Description

Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/qemu< qemu 1:2.8+dfsg-1 (bookworm)

▶Debianqemu/qemu< 1:2.8+dfsg-1+3

▶Ubuntuqemu/qemu< 2.0.0+dfsg-2ubuntu1.33+1

▶NVDqemu/qemu2.8.1.1

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-cvx8-qmxw-w79f: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue↗2022-05-13

▶

OSV

qemu vulnerabilities↗2017-04-20

▶

OSV

CVE-2016-9908: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue↗2016-12-23

▶

📋Vendor Advisories

Ubuntu

QEMU vulnerabilities↗2017-04-25

▶

Ubuntu

QEMU vulnerabilities↗2017-04-20

▶

Red Hat

Qemu: display: virtio-gpu: information leakage in virgl_cmd_get_capset↗2016-11-01

▶

Debian

CVE-2016-9908: qemu - Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulne...↗2016

▶

💬Community

Bugzilla

CVE-2016-9908 Qemu: display: virtio-gpu: information leakage in virgl_cmd_get_capset [fedora-all]↗2016-12-07

▶

Bugzilla

CVE-2016-9908 Qemu: display: virtio-gpu: information leakage in virgl_cmd_get_capset↗2016-12-07

▶