Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2016-9907

Published: 23 December 2016

Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

Priority

Low

Cvss 3 Severity Score

6.5

Score breakdown

Status

Package Release Status
qemu
Launchpad, Ubuntu, Debian
precise Does not exist

trusty Not vulnerable

upstream Needs triage

xenial
Released (1:2.5+dfsg-5ubuntu10.11)
yakkety
Released (1:2.6.1+dfsg-0ubuntu5.4)
zesty Not vulnerable
(1:2.8+dfsg-3ubuntu2)
Patches:
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=07b026fd82d6cf11baf7d7c603c4f5f6070b35bf
qemu-kvm
Launchpad, Ubuntu, Debian
precise Not vulnerable

trusty Does not exist

upstream Needs triage

xenial Does not exist

yakkety Does not exist

zesty Does not exist

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Scope Changed
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H