DEBIAN-CVE-2016-4020

DEBIAN-CVE-2016-4020 PUBLISHED CVSS 6.5 MEDIUM

The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
Debian:13	qemu	0, 0, 0
Debian:11	qemu	0, 0, 0
Debian:12	qemu	0, 0, 0
Debian:14	qemu	0, 0, 0

Timeline

May 25, 2016 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2016-4020 advisory

Open in Interactive Console →