CVE-2016-9381

Published: Jan 23, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploitability: 0.8 / Impact: 6.0

Source: NVD

Description

Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability.

Affected (6)

Products: Qemu: Qemu · Citrix: Xenserver

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Qemu Qemu	Up to 2.7.1
Qemu Qemu	Version 2.8.0 rc0

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Citrix Xenserver	Version 6.0.2
Citrix Xenserver	Version 6.2.0
Citrix Xenserver	Version 6.5
Citrix Xenserver	Version 7.0

Related CWEs

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (10)

http://www.securityfocus.com/bid/94476

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1037344

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://xenbits.xen.org/xsa/advisory-197.html

Source: cve@mitre.org

Third Party Advisory

https://security.gentoo.org/glsa/201612-56

Source: cve@mitre.org

Third Party Advisory

https://support.citrix.com/article/CTX218775

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/bid/94476