CVE-2016-9911Missing Release of Resource after Effective Lifetime in Qemu

CWE-772Missing Release of Resource after Effective LifetimeCWE-244Heap Inspection11 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 63.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
QemuDebian LinuxRedhat Openstack+1 more
Timeline
PublishedDec 23
Latest updateMay 13

Description

Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:HExploitability: 2.0 | Impact: 4.0

Affected Packages4 packages

Debianqemu/qemu< 1:2.8+dfsg-1+3
NVDqemu/qemu2.7.1
NVDredhat/openstack6 versions+5

Also affects: Debian Linux 8.0

Patches

Patch: www.openwall.comPatch: www.openwall.com

🔴Vulnerability Details

3
GHSA
GHSA-hq78-7w28-92xm: Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue2022-05-13
OSV
CVE-2016-9911: Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue2016-12-23
CVEList
CVE-2016-9911: Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue2016-12-23

📋Vendor Advisories

3
Ubuntu
QEMU vulnerabilities2017-04-20
Red Hat
Qemu: usb: ehci: memory leakage in ehci_init_transfer2016-11-08
Debian
CVE-2016-9911: qemu - Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to...2016

💬Community

4
Bugzilla
CVE-2016-9911 Qemu: usb: ehci: memory leakage in ehci_init_transfer2016-12-07
Bugzilla
CVE-2016-9911 Qemu: usb: ehci: memory leakage in ehci_init_transfer [fedora-all]2016-12-07
Bugzilla
CVE-2014-9912 php: stack buffer overflow in locale_get_display_name2016-11-29
Bugzilla
CVE-2014-9911 icu: stack-based buffer overflow in uloc_getDisplayName2016-10-11
CVE-2016-9911 — Qemu vulnerability | cvebase