Vulnerability Details : CVE-2016-7907
The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.
Vulnerability category: Input validation, Denial of service
Products affected by CVE-2016-7907
- cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:2.9.0:rc0:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:2.9.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:2.9.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:2.9.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:2.9.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:qemu:qemu:2.9.0:rc5:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-7907
0.06%: Probability of exploitation activity in the next 30 days
~ 25 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-7907
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:N/A:P | 3.9 | 2.9 | NIST | |
4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 0.8 | 3.6 | NIST | |
CWE ids for CVE-2016-7907
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-7907
- https://security.gentoo.org/glsa/201611-11
  QEMU: Multiple vulnerabilities (GLSA 201611-11) — Gentoo security [Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2016/10/03/1
  oss-security - CVE request Qemu: net: inifinte loop in imx_fec_do_tx() function [Mailing List; Third Party Advisory]
- http://www.securityfocus.com/bid/93274
  QEMU 'hw/net/imx_fec.c' Infinite Loop Denial of Service Vulnerability [Third Party Advisory; VDB Entry]
- http://lists.opensuse.org/opensuse-updates/2016-12/msg00140.html
  openSUSE-SU-2016:3237-1: moderate: Security update for qemu [Mailing List; Third Party Advisory]
- https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05556.html
  Re: [Qemu-devel] [PATCH v2] net: imx: limit buffer descriptor count [Mailing List; Patch; Vendor Advisory]
- http://www.openwall.com/lists/oss-security/2016/10/03/4
  oss-security - Re: CVE request Qemu: net: inifinte loop in imx_fec_do_tx() function [Mailing List; Third Party Advisory]