CVE-2017-16845

Published: Nov 17, 2017Modified: May 13, 2026

10.0

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

Exploitability: 3.9 / Impact: 5.8

Source: NVD

Description

hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.

Affected (7)

Products: Qemu: Qemu · Debian: Debian Linux · Canonical: Ubuntu Linux

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Qemu Qemu	Up to 2.11.2

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 17.10
Canonical Ubuntu Linux	Version 18.04

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (12)

http://www.securityfocus.com/bid/101923

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg02982.html

Source: cve@mitre.org

Mailing ListPatchThird Party Advisory

https://usn.ubuntu.com/3575-1/

Source: cve@mitre.org

Third Party Advisory

https://usn.ubuntu.com/3649-1/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2018/dsa-4213

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/bid/101923