What is CVE-2016-9907?

CVE-2016-9907 is a medium-severity vulnerability in Qemu, classified under Missing Release of Resource after Effective Lifetime. CVSS score: 6.5/10. Published 2016-12-23.

How severe is CVE-2016-9907?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Vulnerability in Qemu

CVE-2016-9907

Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to lea…

EPSS: 0.001 (26.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H.

Affected products

Qemu
Debian Debian_linux — versions 8.0
Redhat Enterprise_linux — versions 7.0
Redhat Openstack — versions 6.0, 7.0, 8
Redhat Virtualization — versions 4.0
N/a — versions n/a

Weakness classification (CWE)

CWE-772 — Missing Release of Resource after Effective Lifetime

References

94759 (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_BID)
[debian-lts-announce] 20180906 [SECURITY] [DLA 1497-1] qemu security update (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
RHSA-2017:2392 (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
GLSA-201701-49 (vendor-advisory, Third Party Advisory, x_refsource_GENTOO)
[oss-security] 20161208 Re: CVE request Qemu: usb: redirector: memory leakage when destroying (mailing-list, x_refsource_MLIST, Patch, Mailing List, Third Party Advisory)
RHSA-2017:2408 (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)

Frequently asked questions

What is CVE-2016-9907?: CVE-2016-9907 is a medium-severity vulnerability in Qemu, classified under Missing Release of Resource after Effective Lifetime. CVSS score: 6.5/10. Published 2016-12-23.
How severe is CVE-2016-9907?: Medium severity. CVSS v3 base score is 6.5 out of 10.