CVE-2016-3710

high

Published 2016-05-11 · Modified 2026-05-06

CVSS v3

8.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v2

7.2

VIR risk

8.8

Description

The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.

Predictions

Exploit likelihood

82%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-3710

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg01197.html

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05164862

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2016-3710.html

OS impact

OS	Version	Status	Fixed in
sles		affected
ubuntu	12.04	affected
ubuntu	14.04	affected
ubuntu	15.10	affected
ubuntu	16.04	affected
debian	8.0	affected
rhel	6.0	affected
rhel	7.0	affected
debian	bookworm	fixed	`1:2.6+dfsg-1`
debian	bullseye	fixed	`1:2.6+dfsg-1`
debian	forky	fixed	`1:2.6+dfsg-1`
debian	sid	fixed	`1:2.6+dfsg-1`
debian	trixie	fixed	`1:2.6+dfsg-1`

Application impact

Vendor	Product	Versions
hp	helion_openstack	`2.0.0`
hp	helion_openstack	`2.1.0`
hp	helion_openstack	`2.1.2`
hp	helion_openstack	`2.1.4`
qemu	qemu	`{"endIncluding":"2.5.1"}`
qemu	qemu	`2.6.0`
oracle	vm_server	`3.2`
oracle	vm_server	`3.3`
oracle	vm_server	`3.4`
citrix	xenserver	`{"endIncluding":"7.0"}`
redhat	openstack	`5.0`
redhat	openstack	`6.0`
redhat	openstack	`7.0`
redhat	openstack	`8`
redhat	virtualization	`3.0`

References

CWEs

CWE-119

Verify integrity in audit chain (admin only). AS-IS.