CVE-2016-3712 : Integer overflow in the VGA module in QEMU allows local guest OS users to cause

Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode.

Published 2016-05-11 21:59:02

Updated 2025-04-12 10:46:41

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: OverflowDenial of service

Products affected by CVE-2016-3712

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.3
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.4
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.6
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.7
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 7.3
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 7.4
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 7.6
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 7.7
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.7:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 7.5
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 7.3
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 7.6
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 7.7
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
Matching versions
Oracle » Vm Server » Version: 3.3 For X86
cpe:2.3:o:oracle:vm_server:3.3:*:*:*:*:*:x86:*
Matching versions
Oracle » Vm Server » Version: 3.4 For X86
cpe:2.3:o:oracle:vm_server:3.4:*:*:*:*:*:x86:*
Matching versions
Citrix » Xenserver
Versions up to, including, (<=) 7.0
cpe:2.3:a:citrix:xenserver:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 15.10
cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Qemu » Qemu
Versions up to, including, (<=) 2.5.1
cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 2.6.0 Update RC0
cpe:2.3:a:qemu:qemu:2.6.0:rc0:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 2.6.0 Update RC1
cpe:2.3:a:qemu:qemu:2.6.0:rc1:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 2.6.0 Update RC2
cpe:2.3:a:qemu:qemu:2.6.0:rc2:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 2.6.0 Update RC3
cpe:2.3:a:qemu:qemu:2.6.0:rc3:*:*:*:*:*:*
Matching versions
Qemu » Qemu » Version: 2.6.0 Update RC4
cpe:2.3:a:qemu:qemu:2.6.0:rc4:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2016-3712

Top countries where our scanners detected CVE-2016-3712

Top open port discovered on systems with this issue 8200

IPs affected by CVE-2016-3712 15

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2016-3712!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2016-3712

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 21 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-3712

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:N/I:N/A:P	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2016-3712

CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-3712

https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg01196.html

[Qemu-devel] [PULL 5/5] vga: make sure vga register setup for vbe stays
Mailing List;Patch;Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/05/09/4

oss-security - CVE-2016-3712 Qemu: vga: out-of-bounds read and integer overflow issues
Mailing List;Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-0621.html

RHSA-2017:0621 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
http://support.citrix.com/article/CTX212736

Citrix XenServer Multiple Security Updates
Third Party Advisory

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2974-1

USN-2974-1: QEMU vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
http://xenbits.xen.org/xsa/advisory-179.html

XSA-179 - Xen Security Advisories
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/90314

QEMU VGA Module CVE-2016-3712 Multiple Denial of Service Vulnerabilities
Third Party Advisory;VDB Entry
http://www.securitytracker.com/id/1035794

Xen Qemu VGA Module Bugs Let Local Users on the Guest Deny Service on the Guest or Gain Elevated Privileges on the Host System - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

Oracle VM Server for x86 Bulletin - July 2016
Third Party Advisory

CVEs referencing this url
http://www.debian.org/security/2016/dsa-3573

Debian -- Security Information -- DSA-3573-1 qemu
Third Party Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2016-2585.html

RHSA-2016:2585 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url