CVE-2016-5403
Published: 02 August 2016
The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion.
Priority
CVSS 3 base score: 5.5
Status
Package | Release | Status |
---|---|---|
qemu Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Released
(1:2.5+dfsg-5ubuntu10.6)
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(2.0.0+dfsg-2ubuntu1.30)
|
|
Patches: Upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=afd9096eb1882f23929f5b5c177898ed231bac66 Upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=bccdef6b1a204db0f41ffb6e24ce373e4d7890d4 Upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=58a83c61496eeb0d31571a07a51bc1947e3379ac Upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=4b7f91ed0270a371e1933efa21ba600b6da23ab9 Upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=104e70cae78bd4afd95d948c6aff188f10508a9c |
||
qemu-kvm Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
xen Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Not vulnerable
(uses system qemu)
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was released [4.4.2-0ubuntu0.14.04.7])
|
|
Binaries built from this source package are in Universe and so are supported by the community. |
Notes
Author | Note |
---|---|
mdeslaur | the patch for this CVE introduced a regression and was later reverted pending investigation. See LP: #1612089. proposed regression fixes: http://lists.nongnu.org/archive/html/qemu-devel/2016-08/msg01038.html http://lists.nongnu.org/archive/html/qemu-devel/2016-08/msg02666.html |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5403
- https://usn.ubuntu.com/usn/usn-3047-1
- https://usn.ubuntu.com/usn/usn-3047-2/
- https://usn.ubuntu.com/usn/usn-3125-1
- NVD
- Launchpad
- Debian