OpenCVE

The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:L/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qemu	Qemu

Configuration 1 [-]

OR	cpe:2.3:a:qemu:qemu::::::::
	cpe:2.3:a:qemu:qemu:2.7.0:rc0::::::

No data.

References

Link	Providers
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=1e7aed70144b4673fc26e73062064b6724795e5f
http://www.openwall.com/lists/oss-security/2016/07/28/4
http://www.openwall.com/lists/oss-security/2016/07/28/9
https://lists.gnu.org/archive/html/qemu-devel/2016-07/msg06246.html
https://nvd.nist.gov/vuln/detail/CVE-2016-6490
https://security.gentoo.org/glsa/201609-01
https://www.cve.org/CVERecord?id=CVE-2016-6490

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2016-12-10T00:00:00

Updated: 2024-08-06T01:29:20.254Z

Reserved: 2016-07-28T00:00:00

Link: CVE-2016-6490

Vulnrichment

No data.

NVD

Status : Modified

Published: 2016-12-10T00:59:01.760

Modified: 2024-11-21T02:56:13.223

Link: CVE-2016-6490

Redhat

Severity : Low

Publid Date: 2016-07-27T00:00:00Z

Links: CVE-2016-6490 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-07-26T00:00:00", "descriptions": [{"lang": "en", "value": "The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-06-30T16:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[oss-security] 20160728 CVE Request Qemu: virtio: infinite loop in virtqueue_pop", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/07/28/4"}, {"name": "[oss-security] 20160728 Re: CVE Request Qemu: virtio: infinite loop in virtqueue_pop", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/07/28/9"}, {"name": "GLSA-201609-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201609-01"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=1e7aed70144b4673fc26e73062064b6724795e5f"}, {"name": "[qemu-devel] 20160726 [PATCH] virtio: check vring descriptor buffer length", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.gnu.org/archive/html/qemu-devel/2016-07/msg06246.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:29:20.254Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20160728 CVE Request Qemu: virtio: infinite loop in virtqueue_pop", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/07/28/4"}, {"name": "[oss-security] 20160728 Re: CVE Request Qemu: virtio: infinite loop in virtqueue_pop", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/07/28/9"}, {"name": "GLSA-201609-01", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201609-01"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=1e7aed70144b4673fc26e73062064b6724795e5f"}, {"name": "[qemu-devel] 20160726 [PATCH] virtio: check vring descriptor buffer length", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.gnu.org/archive/html/qemu-devel/2016-07/msg06246.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-6490", "datePublished": "2016-12-10T00:00:00", "dateReserved": "2016-07-28T00:00:00", "dateUpdated": "2024-08-06T01:29:20.254Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*", "matchCriteriaId": "3CF78B06-34D3-4BF8-883B-7B9643BBA7CE", "versionEndIncluding": "2.6.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:qemu:qemu:2.7.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "FA78F261-DEB3-46D5-9998-106F6210755E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer."}, {"lang": "es", "value": "La funci\u00f3n virtqueue_map_desc en hw/virtio/virtio.c en QEMU (tambi\u00e9n conocido como Quick Emulator) permite a administradores locales del SO invitado provocar una denegaci\u00f3n de servicio (bucle infinito y ca\u00edda del proceso QEMU) a trav\u00e9s de una longitud cero para el b\u00fafer descriptor."}], "id": "CVE-2016-6490", "lastModified": "2024-11-21T02:56:13.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-12-10T00:59:01.760", "references": [{"source": "secalert@redhat.com", "url": "http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=1e7aed70144b4673fc26e73062064b6724795e5f"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/07/28/4"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/07/28/9"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://lists.gnu.org/archive/html/qemu-devel/2016-07/msg06246.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201609-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=1e7aed70144b4673fc26e73062064b6724795e5f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/07/28/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/07/28/9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://lists.gnu.org/archive/html/qemu-devel/2016-07/msg06246.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201609-01"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Li Qiang (360.cn Inc.) for reporting this issue.", "bugzilla": {"description": "Qemu: virtio: infinite loop in virtqueue_pop", "id": "1361427", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1361427"}, "csaw": false, "cvss": {"cvss_base_score": "2.3", "cvss_scoring_vector": "AV:A/AC:M/Au:S/C:N/I:N/A:P", "status": "draft"}, "cvss3": {"cvss3_base_score": "2.4", "cvss3_scoring_vector": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-835", "details": ["The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer."], "name": "CVE-2016-6490", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "kvm", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "xen", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openstack:5::el6", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)"}, {"cpe": "cpe:/a:redhat:openstack:6", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)"}, {"cpe": "cpe:/a:redhat:openstack:7", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2016-07-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-6490\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-6490"], "threat_severity": "Low"}