PatchSiren

CVE-2016-10028 Qemu CVE debrief

CVE-2016-10028 affects QEMU builds with Virtio GPU Device emulator support. A local guest OS user can send a VIRTIO_GPU_CMD_GET_CAPSET command with a maximum capabilities size of 0, which can trigger an out-of-bounds read in virgl_cmd_get_capset and crash the process. The published impact is denial of service rather than data corruption or code execution. For operators, the main concern is availability of the QEMU host process that provides the affected virtual GPU functionality. Systems that do not use virtio-gpu 3D/virgl features, or that only run trusted guests, have lower practical exposure. NVD lists affected QEMU versions through 2.8.1.1.

Vendor: Qemu
Product: CVE-2016-10028
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-27
Original CVE updated: 2026-05-13
Advisory published: 2017-02-27
Advisory updated: 2026-05-13

Who should care

QEMU maintainers, virtualization and cloud platform operators, desktop virtualization admins, and distro/security teams that ship QEMU with virtio-gpu 3D or virgl support enabled.

Technical summary

NVD describes an out-of-bounds read in virgl_cmd_get_capset in hw/display/virtio-gpu-3d.c. The issue is reachable from a guest through VIRTIO_GPU_CMD_GET_CAPSET when the maximum capabilities size is set to 0. The CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, matching a local guest-triggered availability impact. NVD maps the weakness to CWE-125 and lists vulnerable QEMU versions up to and including 2.8.1.1.

Defensive priority

Medium priority. Patch promptly on any host that exposes virtio-gpu 3D/virgl to untrusted or semi-trusted guests, because a guest can crash the QEMU process and disrupt service.

Recommended defensive actions

  • Update QEMU to a vendor-fixed release or downstream package that includes the upstream fix referenced in the QEMU commit and mailing list advisories.
  • If virtio-gpu 3D/virgl is not required, disable that device/emulation path to reduce exposure.
  • Treat untrusted guest workloads as higher risk on hosts that provide virtual GPU acceleration.
  • Verify deployed QEMU packages against the affected range noted by NVD (through version 2.8.1.1).
  • Track vendor advisories and distro errata for backported fixes, since remediation may arrive outside the upstream version line.
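The version check and the backport caveat from the list above can be combined into one triage pass over a host inventory. This is an added example, not code from PatchSiren or the QEMU project; it assumes each banner comes from a QEMU binary's --version output in the form "QEMU emulator version X.Y.Z (package-release)", and the hostnames and banners are constructed.

```python
import re

# Upper bound of the affected range as stated on this page (NVD: through 2.8.1.1).
LAST_AFFECTED = (2, 8, 1, 1)

# Assumed banner shape: "QEMU emulator version X.Y.Z (package-release), ..."
_BANNER = re.compile(r"version\s+(\d+(?:\.\d+)*)\s*(?:\(([^)]*)\))?")


def parse_banner(banner):
    """Return (version_tuple, package_release or None); (None, None) if unparsable."""
    m = _BANNER.search(banner)
    if not m:
        return None, None
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def in_affected_range(version):
    """Numeric compare, padding with zeros so 2.8.1 and 2.8.1.0 are equal."""
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(LAST_AFFECTED)


def triage(banner):
    """Classify one host's banner for follow-up."""
    version, package = parse_banner(banner)
    if version is None:
        return "unknown"
    if not in_affected_range(version):
        return "outside-range"
    # In range upstream. A distro backport can fix the bug without changing the
    # upstream number, so a package release string means: compare against errata.
    return "check-errata" if package else "in-range"


# Constructed sample inventory (hostnames, banners and release strings are made up).
INVENTORY = {
    "hv-01": "QEMU emulator version 2.8.1.1",
    "hv-02": "QEMU emulator version 2.8.1(pkg 1:2.8.1-example1)",
    "hv-03": "QEMU emulator version 2.10.0 (pkg 2.10.0-example1)",
    "hv-04": "qemu: command not found",
}

if __name__ == "__main__":
    for host, banner in sorted(INVENTORY.items()):
        print(f"{host}: {triage(banner)}")
```

The comparison is numeric per component, so 2.10.0 sorts above 2.8.1.1, which a plain string comparison would get wrong.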

Evidence notes

The supplied corpus shows the CVE was published by NVD on 2017-02-27 and later modified on 2026-05-13. NVD’s reference set includes an upstream QEMU commit, OSS-security patch postings dated 2016-12-20 and 2016-12-22, the QEMU-devel patch thread, and third-party advisories. NVD’s CPE criteria indicate affected QEMU versions through 2.8.1.1. This debrief avoids unsupported claims and is limited to the provided official and vendor-linked sources.

Official resources

NVD published this CVE on 2017-02-27. The supplied reference trail shows patch-related discussion and advisories in December 2016, indicating the issue was disclosed and patched before NVD publication.