The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Qemu | Qemu | * | 2.6.2 (including) |
| Red Hat Enterprise Linux 7 | RedHat | qemu-kvm-10:1.5.3-141.el7 | * |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | RedHat | qemu-kvm-rhev-10:2.9.0-10.el7 | * |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | RedHat | qemu-kvm-rhev-10:2.9.0-10.el7 | * |
| Red Hat OpenStack Platform 10.0 (Newton) | RedHat | qemu-kvm-rhev-10:2.9.0-10.el7 | * |
| Red Hat OpenStack Platform 11.0 (Ocata) | RedHat | qemu-kvm-rhev-10:2.9.0-10.el7 | * |
| Red Hat OpenStack Platform 8.0 (Liberty) | RedHat | qemu-kvm-rhev-10:2.9.0-10.el7 | * |
| Red Hat OpenStack Platform 9.0 (Mitaka) | RedHat | qemu-kvm-rhev-10:2.9.0-10.el7 | * |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | RedHat | qemu-kvm-rhev-10:2.9.0-14.el7 | * |
| Qemu | Ubuntu | trusty | * |
| Qemu | Ubuntu | upstream | * |
| Qemu | Ubuntu | wily | * |
| Qemu | Ubuntu | xenial | * |