CVE-2016-9603 — MEDIUM (5.5)

Q: How severe is CVE-2016-9603?

CVE-2016-9603 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-9603?

Check the references section above for vendor advisories and patch information. Affected products include: Qemu Qemu, Citrix Xenserver, Redhat Openstack, Debian Debian Linux, Redhat Enterprise Linux Desktop.

Vulnerability Description

A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.

CVSS Score

5.5

MEDIUM

CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Qemu	Qemu	< 2.9.0
Citrix	Xenserver	6.0.2
Redhat	Openstack	5.0
Debian	Debian Linux	7.0
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Server Aus	7.3
Redhat	Enterprise Linux Server Eus	7.3
Redhat	Enterprise Linux Workstation	6.0

Related Weaknesses (CWE)

CWE-122 CWE-119

References

http://www.securityfocus.com/bid/96893Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038023Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:0980Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0981Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0982Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0983Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0984Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0985Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0987Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0988Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1205Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1206Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1441Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9603Issue TrackingThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/02/msg00005.htmlThird Party Advisory

FAQ

What is CVE-2016-9603?

CVE-2016-9603 is a vulnerability with a CVSS score of 5.5 (MEDIUM). A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a V...

How severe is CVE-2016-9603?

CVE-2016-9603 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-9603?

Check the references section above for vendor advisories and patch information. Affected products include: Qemu Qemu, Citrix Xenserver, Redhat Openstack, Debian Debian Linux, Redhat Enterprise Linux Desktop.