CVE-2016-9603

A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
ADJACENT_NETWORK
HIGH
LOW
CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
Affected Products (NVD)
VendorProductVersion
qemuqemu
𝑥
< 2.9.0
citrixxenserver
6.0.2
citrixxenserver
6.2.0:sp1
citrixxenserver
6.5:sp1
citrixxenserver
7.0
citrixxenserver
7.1
redhatopenstack
5.0
redhatopenstack
6.0
redhatopenstack
7.0
debiandebian_linux
7.0
redhatenterprise_linux_desktop
6.0
redhatenterprise_linux_desktop
7.0
redhatenterprise_linux_server
6.0
redhatenterprise_linux_server
7.0
redhatenterprise_linux_server_aus
7.3
redhatenterprise_linux_server_aus
7.4
redhatenterprise_linux_server_eus
7.3
redhatenterprise_linux_server_eus
7.4
redhatenterprise_linux_server_eus
7.5
redhatenterprise_linux_workstation
6.0
redhatenterprise_linux_workstation
7.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
qemu
bookworm
1:7.2+dfsg-7+deb12u7
fixed
bullseye
1:5.2+dfsg-11+deb11u3
fixed
bullseye (security)
1:5.2+dfsg-11+deb11u2
fixed
sid
1:9.1.1+ds-2
fixed
trixie
1:9.1.1+ds-2
fixed
xen
bookworm
4.17.3+10-g091466ba55-1~deb12u1
fixed
bullseye
4.14.6-1
fixed
bullseye (security)
4.14.5+94-ge49571868d-1
fixed
sid
4.17.3+36-g54dacb5c02-1
fixed
trixie
4.17.3+36-g54dacb5c02-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
qemu
precise
dne
trusty
Fixed 2.0.0+dfsg-2ubuntu1.33
released
xenial
Fixed 1:2.5+dfsg-5ubuntu10.11
released
yakkety
Fixed 1:2.6.1+dfsg-0ubuntu5.4
released
zesty
Fixed 1:2.8+dfsg-3ubuntu2.1
released
qemu-kvm
precise
not-affected
trusty
dne
xenial
dne
yakkety
dne
zesty
dne
xen
precise
ignored
trusty
Fixed 4.4.2-0ubuntu0.14.04.11
released
xenial
not-affected
yakkety
not-affected
zesty
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
qemu
suse enterprise sap 12 SP2
2.6.2-41.16.1
fixed
suse enterprise server 12
2.0.2-48.34.3
fixed
suse enterprise server 12 SP1
2.3.1-33.3.3
fixed
suse enterprise server 12 SP2
2.6.2-41.16.1
fixed
qemu-arm
suse enterprise sap 12 SP2
2.6.2-41.16.1
fixed
suse enterprise server 12 SP2
2.6.2-41.16.1
fixed
qemu-block-curl
suse enterprise sap 12 SP2
2.6.2-41.16.1
fixed
suse enterprise server 12
2.0.2-48.34.3
fixed
suse enterprise server 12 SP1
2.3.1-33.3.3
fixed
suse enterprise server 12 SP2
2.6.2-41.16.1
fixed
qemu-block-rbd
suse enterprise sap 12 SP2
2.6.2-41.16.1
fixed
suse enterprise server 12
2.0.2-48.34.3
fixed
suse enterprise server 12 SP1
2.3.1-33.3.3
fixed
suse enterprise server 12 SP2
2.6.2-41.16.1
fixed
qemu-block-ssh
suse enterprise sap 12 SP2
2.6.2-41.16.1
fixed
suse enterprise server 12 SP2
2.6.2-41.16.1
fixed
qemu-guest-agent
suse enterprise sap 12 SP2
2.6.2-41.16.1
fixed
suse enterprise server 12
2.0.2-48.34.3
fixed
suse enterprise server 12 SP1
2.3.1-33.3.3
fixed
suse enterprise server 12 SP2
2.6.2-41.16.1
fixed
qemu-ipxe
suse enterprise sap 12 SP2
1.0.0-41.16.1
fixed
suse enterprise server 12
1.0.0-48.34.3
fixed
suse enterprise server 12 SP1
1.0.0-33.3.3
fixed
suse enterprise server 12 SP2
1.0.0-41.16.1
fixed
qemu-kvm
suse enterprise sap 12 SP2
2.6.2-41.16.1
fixed
suse enterprise server 12
2.0.2-48.34.3
fixed
suse enterprise server 12 SP1
2.3.1-33.3.3
fixed
suse enterprise server 12 SP2
2.6.2-41.16.1
fixed
qemu-lang
suse enterprise sap 12 SP2
2.6.2-41.16.1
fixed
suse enterprise server 12
2.0.2-48.34.3
fixed
suse enterprise server 12 SP1
2.3.1-33.3.3
fixed
suse enterprise server 12 SP2
2.6.2-41.16.1
fixed
qemu-ppc
suse enterprise sap 12 SP2
2.6.2-41.16.1
fixed
suse enterprise server 12
2.0.2-48.34.3
fixed
suse enterprise server 12 SP1
2.3.1-33.3.3
fixed
suse enterprise server 12 SP2
2.6.2-41.16.1
fixed
qemu-s390
suse enterprise sap 12 SP2
2.6.2-41.16.1
fixed
suse enterprise server 12
2.0.2-48.34.3
fixed
suse enterprise server 12 SP1
2.3.1-33.3.3
fixed
suse enterprise server 12 SP2
2.6.2-41.16.1
fixed
qemu-seabios
suse enterprise sap 12 SP2
1.9.1-41.16.1
fixed
suse enterprise server 12
1.7.4-48.34.3
fixed
suse enterprise server 12 SP1
1.8.1-33.3.3
fixed
suse enterprise server 12 SP2
1.9.1-41.16.1
fixed
qemu-sgabios-8
suse enterprise sap 12 SP2
41.16.1
fixed
suse enterprise server 12
48.34.3
fixed
suse enterprise server 12 SP1
33.3.3
fixed
suse enterprise server 12 SP2
41.16.1
fixed
qemu-tools
suse enterprise sap 12 SP2
2.6.2-41.16.1
fixed
suse enterprise server 12
2.0.2-48.34.3
fixed
suse enterprise server 12 SP1
2.3.1-33.3.3
fixed
suse enterprise server 12 SP2
2.6.2-41.16.1
fixed
qemu-vgabios
suse enterprise sap 12 SP2
1.9.1-41.16.1
fixed
suse enterprise server 12
1.7.4-48.34.3
fixed
suse enterprise server 12 SP1
1.8.1-33.3.3
fixed
suse enterprise server 12 SP2
1.9.1-41.16.1
fixed
qemu-x86
suse enterprise sap 12 SP2
2.6.2-41.16.1
fixed
suse enterprise server 12
2.0.2-48.34.3
fixed
suse enterprise server 12 SP1
2.3.1-33.3.3
fixed
suse enterprise server 12 SP2
2.6.2-41.16.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
qemu-guest-agent
RHEL 6
2:0.12.1.2-2.503.el6_9.3
fixed
qemu-img
RHEL 6
2:0.12.1.2-2.503.el6_9.3
fixed
RHEL 7
10:1.5.3-126.el7_3.6
fixed
qemu-kvm
RHEL 6
2:0.12.1.2-2.503.el6_9.3
fixed
RHEL 7
10:1.5.3-126.el7_3.6
fixed
qemu-kvm-common
RHEL 7
10:1.5.3-126.el7_3.6
fixed
qemu-kvm-tools
RHEL 6
2:0.12.1.2-2.503.el6_9.3
fixed
RHEL 7
10:1.5.3-126.el7_3.6
fixed
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/96893
http://www.securitytracker.com/id/1038023
https://access.redhat.com/errata/RHSA-2017:0980
https://access.redhat.com/errata/RHSA-2017:0981
https://access.redhat.com/errata/RHSA-2017:0982
https://access.redhat.com/errata/RHSA-2017:0983
https://access.redhat.com/errata/RHSA-2017:0984
https://access.redhat.com/errata/RHSA-2017:0985
https://access.redhat.com/errata/RHSA-2017:0987
https://access.redhat.com/errata/RHSA-2017:0988
https://access.redhat.com/errata/RHSA-2017:1205
https://access.redhat.com/errata/RHSA-2017:1206
https://access.redhat.com/errata/RHSA-2017:1441
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9603
https://lists.debian.org/debian-lts-announce/2018/02/msg00005.html
https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
https://security.gentoo.org/glsa/201706-03
https://support.citrix.com/article/CTX221578
http://www.securityfocus.com/bid/96893
http://www.securitytracker.com/id/1038023
https://access.redhat.com/errata/RHSA-2017:0980
https://access.redhat.com/errata/RHSA-2017:0981
https://access.redhat.com/errata/RHSA-2017:0982
https://access.redhat.com/errata/RHSA-2017:0983
https://access.redhat.com/errata/RHSA-2017:0984
https://access.redhat.com/errata/RHSA-2017:0985
https://access.redhat.com/errata/RHSA-2017:0987
https://access.redhat.com/errata/RHSA-2017:0988
https://access.redhat.com/errata/RHSA-2017:1205
https://access.redhat.com/errata/RHSA-2017:1206
https://access.redhat.com/errata/RHSA-2017:1441
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9603
https://lists.debian.org/debian-lts-announce/2018/02/msg00005.html
https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
https://security.gentoo.org/glsa/201706-03
https://support.citrix.com/article/CTX221578