What is CVE-2016-1568?

CVE-2016-1568 is a use-after-free vulnerability in QEMU's IDE AHCI Emulation support.

How does CVE-2016-1568 affect QEMU?

CVE-2016-1568 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.

What is the severity of CVE-2016-1568?

CVE-2016-1568 has a severity rating of high (7).

Which software versions are affected by CVE-2016-1568?

QEMU versions 2.0.0+dfsg-2ubuntu1.22, 1:2.3+dfsg-5ubuntu9.2, 1.0+, and Debian versions 1:3.1+dfsg-8+deb10u8, 1:3.1+dfsg-8+deb10u10, 1:5.2+dfsg-11+deb11u2, 1:7.2+dfsg-7+deb12u1, 1:8.0.4+dfsg-3, 1:8.1.0+ds-6 are affected.

How do I fix CVE-2016-1568?

To fix CVE-2016-1568, update to QEMU version 2.0.0+dfsg-2ubuntu1.22 (for Ubuntu), 1:2.3+dfsg-5ubuntu9.2 (for Ubuntu), 1.0+ (for Ubuntu), 1:3.1+dfsg-8+deb10u8, 1:3.1+dfsg-8+deb10u10, 1:5.2+dfsg-11+deb11u2, 1:7.2+dfsg-7+deb12u1, 1:8.0.4+dfsg-3, or 1:8.1.0+ds-6 (for Debian).

Vulnerability/
CVE-2016-1568

high

8.8

CWE

416

4/12/2015

8/4/2016

5/8/2024

CVE-2016-1568: Use After Free

First published: Fri Dec 04 2015(Updated: )

Last updated 24 July 2024

Credit: secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
QEMU qemu	<=2.5.1.1
Redhat Openstack	=6.0
Redhat Openstack	=7.0
Redhat Openstack	=5.0
Redhat Virtualization	=3.0
Redhat Enterprise Linux	=7.0
Debian Debian Linux	=7.0
Debian Debian Linux	=8.0
All of
Any of
Redhat Openstack	=5.0
Redhat Virtualization	=3.0
Redhat Enterprise Linux	=7.0
debian/qemu		1:5.2+dfsg-11+deb11u3 1:5.2+dfsg-11+deb11u2 1:7.2+dfsg-7+deb12u7 1:9.0.2+ds-2 1:9.1.0+ds-3

Remedy

http://git.qemu.org/?p=qemu.git;a=commit;h=4ab0359a8ae182a7ac5c99609667273167703fab

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2016-1568?
CVE-2016-1568 is a use-after-free vulnerability in QEMU's IDE AHCI Emulation support.
How does CVE-2016-1568 affect QEMU?
CVE-2016-1568 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.
What is the severity of CVE-2016-1568?
CVE-2016-1568 has a severity rating of high (7).
Which software versions are affected by CVE-2016-1568?
QEMU versions 2.0.0+dfsg-2ubuntu1.22, 1:2.3+dfsg-5ubuntu9.2, 1.0+, and Debian versions 1:3.1+dfsg-8+deb10u8, 1:3.1+dfsg-8+deb10u10, 1:5.2+dfsg-11+deb11u2, 1:7.2+dfsg-7+deb12u1, 1:8.0.4+dfsg-3, 1:8.1.0+ds-6 are affected.
How do I fix CVE-2016-1568?
To fix CVE-2016-1568, update to QEMU version 2.0.0+dfsg-2ubuntu1.22 (for Ubuntu), 1:2.3+dfsg-5ubuntu9.2 (for Ubuntu), 1.0+ (for Ubuntu), 1:3.1+dfsg-8+deb10u8, 1:3.1+dfsg-8+deb10u10, 1:5.2+dfsg-11+deb11u2, 1:7.2+dfsg-7+deb12u1, 1:8.0.4+dfsg-3, or 1:8.1.0+ds-6 (for Debian).

collector/nvd-index
agent/type
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2016-1568
agent/author
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
agent/description
agent/severity
agent/remedy
agent/weakness
agent/references
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/event
agent/tags
collector/security-tracker-debian
source/Debian
agent/softwarecombine
collector/usn-cve
source/Ubuntu
vendor/qemu
canonical/qemu qemu
version/qemu qemu/2.5.1.1
vendor/redhat
canonical/redhat openstack
version/redhat openstack/6.0
version/redhat openstack/7.0
version/redhat openstack/5.0
canonical/redhat virtualization
version/redhat virtualization/3.0
canonical/redhat enterprise linux
version/redhat enterprise linux/7.0
vendor/debian
canonical/debian debian linux
version/debian debian linux/7.0
version/debian debian linux/8.0
package-manager/debian