CVE-2016-3710
qemu - security update
8.8
HIGH
CVSS 3.1
EPSS 0.17%
Description
The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.
How to fix CVE-2016-3710
To remediate CVE-2016-3710, upgrade the affected package to a fixed version below.
- Debian/qemu—upgrade to 1:2.6+dfsg-1 or later
- —upgrade to 1.1.2+dfsg-6a+deb7u13 or later
- —upgrade to 1:2.1+dfsg-12+deb8u6 or later
- —upgrade to 1.1.2+dfsg-6+deb7u13 or later
- —upgrade to 4.4.0-1 or later
Is CVE-2016-3710 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- from 0, < 1:2.6+dfsg-1
- from 0, < 1.1.2+dfsg-6a+deb7u13
- from 0, < 1:2.1+dfsg-12+deb8u6
- from 0, < 1.1.2+dfsg-6+deb7u13
- from 0, < 4.4.0-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |