CVE-2017-8086

Published: May 2, 2017Modified: May 13, 2026

6.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Exploitability: 2.0 / Impact: 4.0

Source: NVD

Description

Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable.

Affected (6)

Products: Qemu: Qemu · Debian: Debian Linux

1 product

1 product

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Qemu Qemu	Up to 2.8.1
Qemu Qemu	Version 2.9.0 rc0
Qemu Qemu	Version 2.9.0 rc1
Qemu Qemu	Version 2.9.0 rc2
Qemu Qemu	Version 2.9.0 rc3

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0

Related CWEs

CWE-772

Missing Release of Resource after Effective Lifetime

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

References (14)

http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=4ffcdef4277a91af15a3c09f7d16af072c29f3f2

Source: cve@mitre.org

http://www.openwall.com/lists/oss-security/2017/04/25/5

Source: cve@mitre.org

Mailing ListPatchThird Party Advisory

http://www.securityfocus.com/bid/98012

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=1444781

Source: cve@mitre.org

Issue TrackingPatchThird Party AdvisoryVDB Entry

https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg01636.html

Source: cve@mitre.org

Mailing ListPatchThird Party Advisory

https://security.gentoo.org/glsa/201706-03

Source: cve@mitre.org

Third Party Advisory

http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=4ffcdef4277a91af15a3c09f7d16af072c29f3f2