CVE-2016-4020

The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
VendorProductVersion
qemuqemu
𝑥
≤ 2.6.2
canonicalubuntu_linux
12.04
canonicalubuntu_linux
14.04
canonicalubuntu_linux
15.10
canonicalubuntu_linux
16.04
debiandebian_linux
8.0
redhatopenstack
6.0
redhatopenstack
7.0
redhatenterprise_linux_desktop
7.0
redhatenterprise_linux_eus
7.4
redhatenterprise_linux_eus
7.5
redhatenterprise_linux_eus
7.6
redhatenterprise_linux_eus
7.7
redhatenterprise_linux_server
7.0
redhatenterprise_linux_server_aus
7.4
redhatenterprise_linux_server_aus
7.6
redhatenterprise_linux_server_aus
7.7
redhatenterprise_linux_server_tus
7.6
redhatenterprise_linux_server_tus
7.7
redhatenterprise_linux_workstation
7.0
redhatvirtualization
4.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
qemu
bullseye
1:5.2+dfsg-11+deb11u3
fixed
bullseye (security)
1:5.2+dfsg-11+deb11u2
fixed
bookworm
1:7.2+dfsg-7+deb12u7
fixed
sid
1:9.1.1+ds-2
fixed
trixie
1:9.1.1+ds-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
qemu
xenial
Fixed 1:2.5+dfsg-5ubuntu10.1
released
wily
Fixed 1:2.3+dfsg-5ubuntu9.4
released
trusty
Fixed 2.0.0+dfsg-2ubuntu1.24
released
precise
dne
qemu-kvm
xenial
dne
wily
dne
trusty
dne
precise
not-affected
References
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=691a02e2ce0c413236a78dee6f2651c937b09fb0
http://www.securityfocus.com/bid/86067
http://www.ubuntu.com/usn/USN-2974-1
https://access.redhat.com/errata/RHSA-2017:1856
https://access.redhat.com/errata/RHSA-2017:2392
https://access.redhat.com/errata/RHSA-2017:2408
https://bugzilla.redhat.com/show_bug.cgi?id=1313686
https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01106.html
https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01118.html
https://security.gentoo.org/glsa/201609-01
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=691a02e2ce0c413236a78dee6f2651c937b09fb0
http://www.securityfocus.com/bid/86067
http://www.ubuntu.com/usn/USN-2974-1
https://access.redhat.com/errata/RHSA-2017:1856
https://access.redhat.com/errata/RHSA-2017:2392
https://access.redhat.com/errata/RHSA-2017:2408
https://bugzilla.redhat.com/show_bug.cgi?id=1313686
https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01106.html
https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01118.html
https://security.gentoo.org/glsa/201609-01