CVE-2016-9911

Description

Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

CVSS Metrics

• v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
• v2.0•MEDIUM•Score: 4.9AV:L/AC:L/Au:N/C:N/I:N/A:C

EPSS Trends

Current EPSS score: 0.15%• Percentile: 36%

Techniques & Countermeasures

• CWE-772•Missing Release of Resource after Effective Lifetime

  The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Affected Systems

• debian•debian_linux

  8.0

• qemu•qemu

  ≤ 2.7.1

• redhat•openstack

  6.0 | 7.0 | 8 | 9 | 10 | 11

• redhat•virtualization

  4.0

References (6)

• https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
• http://www.securityfocus.com/bid/94762
• https://access.redhat.com/errata/RHSA-2017:2392
• https://security.gentoo.org/glsa/201701-49
• https://access.redhat.com/errata/RHSA-2017:2408
• http://www.openwall.com/lists/oss-security/2016/12/08/5