CVE-2016-4020
MEDIUM
QEMU < 2.6.2 - Information Disclosure via Uninitialized TPR Register
Title source: llm
Description
The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).
References (11)
Core References
Patch x_refsource_confirm
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=691a02e2ce0c413236a78dee6f2651c937b09fb0
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1313686
Patch, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01106.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/86067
Patch, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01118.html
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2392
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201609-01
Third Party Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2974-1
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2408
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1856
Scores
CVSS v3
6.5
EPSS
0.0008
EPSS Percentile
24.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Details
Status
published
Products (25)
canonical/ubuntu_linux
12.04
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
15.10
canonical/ubuntu_linux
16.04
debian/debian_linux
8.0
qemu/qemu
< 2.6.2
redhat/enterprise_linux_desktop
7.0
redhat/enterprise_linux_eus
7.4
redhat/enterprise_linux_eus
7.5
redhat/enterprise_linux_eus
7.6
... and 15 more
Published
May 25, 2016
Tracked Since
Feb 18, 2026