CVE-2016-8909
First published: Mon Oct 24 2016(Updated: )
Quick Emulator(Qemu) built with the Intel HDA controller emulation support is vulnerable to an infinite loop issue. It could occur while processing the DMA buffer stream while doing data transfer in 'intel_hda_xfer'. A privileged user inside guest could use this flaw to consume excessive CPU cycles on the host, resulting in DoS. Upstream patch -------------- -> <a href="https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg04717.html">https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg04717.html</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| QEMU KVM | <=2.7.1 | |
| Debian GNU/Linux | =8.0 | |
| openSUSE | =42.2 | |
| redhat openstack | =6.0 | |
| redhat openstack | =7.0 | |
| redhat openstack | =8 | |
| redhat openstack | =9 | |
| redhat openstack | =10 | |
| redhat openstack | =11 | |
| Red Hat Enterprise Virtualization | =4.0 | |
| Red Hat Enterprise Linux | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-updates/2016-12/msg00140.html
- http://www.openwall.com/lists/oss-security/2016/10/24/1
- http://www.openwall.com/lists/oss-security/2016/10/24/4
- http://www.securityfocus.com/bid/93842
- https://access.redhat.com/errata/RHSA-2017:2392
- https://access.redhat.com/errata/RHSA-2017:2408
- https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
- https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg04682.html
- https://security.gentoo.org/glsa/201611-11
- https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg04717.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1388053
- https://bugzilla.redhat.com/show_bug.cgi?id=1388052
Frequently Asked Questions
What is the severity of CVE-2016-8909?
CVE-2016-8909 is classified as a medium severity vulnerability.
How do I fix CVE-2016-8909?
To fix CVE-2016-8909, upgrade QEMU to version 2.8 or later, which includes the necessary patches.
Who is affected by CVE-2016-8909?
CVE-2016-8909 affects users of QEMU versions up to 2.7.1 that utilize the Intel HDA controller emulation.
What impact does CVE-2016-8909 have on affected systems?
CVE-2016-8909 can lead to excessive CPU usage by allowing a malicious privileged user in the guest system to trigger an infinite loop.
Is CVE-2016-8909 exploitable remotely?
CVE-2016-8909 is not remotely exploitable as it requires a privileged user to exploit the vulnerability within the guest.
- agent/type
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-8909
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/qemu
- canonical/qemu kvm
- version/qemu kvm/2.7.1
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/8.0
- vendor/opensuse
- canonical/opensuse
- version/opensuse/42.2
- vendor/redhat
- canonical/redhat openstack
- version/redhat openstack/6.0
- version/redhat openstack/7.0
- version/redhat openstack/8
- version/redhat openstack/9
- version/redhat openstack/10
- version/redhat openstack/11
- canonical/red hat enterprise virtualization
- version/red hat enterprise virtualization/4.0
- canonical/red hat enterprise linux
- version/red hat enterprise linux/7.0