// For flags

CVE-2016-9603

Qemu: cirrus: heap buffer overflow via vnc connection

Severity Score

9.9
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.

Se ha detectado una vulnerabilidad de desbordamiento de búfer basado en memoria dinámica (heap) en el soporte del controlador de pantalla VNC del emulador Cirrus CLGD 54xx VGA de QEMU en versiones anteriores a la 2.9. El problema podía ocurrir cuando un cliente VNC intentaba actualizar su pantalla después de que un invitado realizara una operación VGA. Un usuario/proceso privilegiado dentro de un guest podría usar esta vulnerabilidad para provocar que el proceso de QEMU se cierre inesperadamente o, potencialmente, ejecutar código arbitrario en el host con privilegios del proceso de QEMU.

A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Adjacent
Attack Complexity
Medium
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-11-23 CVE Reserved
  • 2017-04-18 CVE Published
  • 2024-07-06 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-122: Heap-based Buffer Overflow
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Qemu
Search vendor "Qemu"
Qemu
Search vendor "Qemu" for product "Qemu"
< 2.9.0
Search vendor "Qemu" for product "Qemu" and version " < 2.9.0"
-
Affected
Citrix
Search vendor "Citrix"
Xenserver
Search vendor "Citrix" for product "Xenserver"
6.0.2
Search vendor "Citrix" for product "Xenserver" and version "6.0.2"
-
Affected
Citrix
Search vendor "Citrix"
Xenserver
Search vendor "Citrix" for product "Xenserver"
6.2.0
Search vendor "Citrix" for product "Xenserver" and version "6.2.0"
sp1
Affected
Citrix
Search vendor "Citrix"
Xenserver
Search vendor "Citrix" for product "Xenserver"
6.5
Search vendor "Citrix" for product "Xenserver" and version "6.5"
sp1
Affected
Citrix
Search vendor "Citrix"
Xenserver
Search vendor "Citrix" for product "Xenserver"
7.0
Search vendor "Citrix" for product "Xenserver" and version "7.0"
-
Affected
Citrix
Search vendor "Citrix"
Xenserver
Search vendor "Citrix" for product "Xenserver"
7.1
Search vendor "Citrix" for product "Xenserver" and version "7.1"
-
Affected
Redhat
Search vendor "Redhat"
Openstack
Search vendor "Redhat" for product "Openstack"
5.0
Search vendor "Redhat" for product "Openstack" and version "5.0"
-
Affected
Redhat
Search vendor "Redhat"
Openstack
Search vendor "Redhat" for product "Openstack"
6.0
Search vendor "Redhat" for product "Openstack" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
Openstack
Search vendor "Redhat" for product "Openstack"
7.0
Search vendor "Redhat" for product "Openstack" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Openstack
Search vendor "Redhat" for product "Openstack"
8
Search vendor "Redhat" for product "Openstack" and version "8"
-
Affected
Redhat
Search vendor "Redhat"
Openstack
Search vendor "Redhat" for product "Openstack"
9
Search vendor "Redhat" for product "Openstack" and version "9"
-
Affected
Redhat
Search vendor "Redhat"
Openstack
Search vendor "Redhat" for product "Openstack"
10
Search vendor "Redhat" for product "Openstack" and version "10"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
7.0
Search vendor "Debian" for product "Debian Linux" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Desktop
Search vendor "Redhat" for product "Enterprise Linux Desktop"
6.0
Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Desktop
Search vendor "Redhat" for product "Enterprise Linux Desktop"
7.0
Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
6.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
7.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Aus
Search vendor "Redhat" for product "Enterprise Linux Server Aus"
7.3
Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.3"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Aus
Search vendor "Redhat" for product "Enterprise Linux Server Aus"
7.4
Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.4"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Eus
Search vendor "Redhat" for product "Enterprise Linux Server Eus"
7.3
Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.3"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Eus
Search vendor "Redhat" for product "Enterprise Linux Server Eus"
7.4
Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.4"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Eus
Search vendor "Redhat" for product "Enterprise Linux Server Eus"
7.5
Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.5"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Workstation
Search vendor "Redhat" for product "Enterprise Linux Workstation"
6.0
Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Workstation
Search vendor "Redhat" for product "Enterprise Linux Workstation"
7.0
Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"
-
Affected