MidnightBSD

Advisories for xen

CVE-2011-2901 MEDIUM

Off-by-one error in the __addr_ok macro in Xen 3.3 and earlier allows local 64 bit PV guest administrators to cause a denial of service (host crash) via unspecified hypercalls that ignore virtual-address bits.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 3.2.0
xen xen 3.2.3
xen xen *
xen xen 3.1.3
xen xen 3.1.4
xen xen 3.0.3
xen xen 3.2.1
xen xen 3.2.2
xen xen 3.0.2
xen xen 3.0.4
CVE-2011-3346 MEDIUM

Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
qemu qemu 0.15.0
xen xen -
redhat enterprise_linux 5
qemu qemu *
CVE-2012-0217 HIGH

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen 4.0.1
microsoft windows_server_2008 r2
microsoft windows_7 *
joyent smartos *
xen xen 4.0.4
illumos illumos *
sun sunos *
freebsd freebsd *
citrix xenserver 6.0
xen xen 4.0.0
xen xen 4.1.1
microsoft windows_xp *
xen xen *
netbsd netbsd *
citrix xenserver *
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
microsoft windows_server_2003 *
CVE-2012-3515 HIGH

Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space."

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat virtualization 5.0
opensuse opensuse 11.4
canonical ubuntu_linux 12.04
suse linux_enterprise_server 10
redhat enterprise_linux_workstation 5.0
redhat enterprise_linux_server 5.0
qemu qemu *
suse linux_enterprise_desktop 10
redhat enterprise_linux_workstation 6.0
suse linux_enterprise_server 11
redhat virtualization 6.0
xen xen 4.1.0
opensuse opensuse 12.1
suse linux_enterprise_software_development_kit 11
redhat enterprise_linux_desktop 6.0
debian debian_linux 7.0
opensuse opensuse 12.2
debian debian_linux 6.0
suse linux_enterprise_desktop 11
redhat enterprise_linux_desktop 5.0
redhat enterprise_linux_eus 6.3
canonical ubuntu_linux 11.04
xen xen 4.0.0
canonical ubuntu_linux 10.04
redhat enterprise_linux_server 6.0
redhat virtualization 3.0
canonical ubuntu_linux 11.10
suse linux_enterprise_software_development_kit 10
CVE-2012-4411 MEDIUM

The graphical console in Xen 4.0, 4.1 and 4.2 allows local OS guest administrators to obtain sensitive host resource information via the qemu monitor. NOTE: this might be a duplicate of CVE-2007-0998.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.1.0
xen xen 4.2.0
xen xen 4.0.0
CVE-2012-5513 MEDIUM

The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges via unspecified vectors that overwrite memory in the hypervisor reserved range.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.1.1
xen xen *
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 3.0.2
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 3.1.4
xen xen 3.0.3
xen xen 3.2.1
xen xen 3.0.4
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 3.1.3
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.1.2
CVE-2012-6030 HIGH

The do_tmem_op function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (host crash) and possibly have other unspecified impacts via unspecified vectors related to "broken locking checks" in an "error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.1.0
xen xen 4.2.0
xen xen 4.0.0
CVE-2012-6031 MEDIUM

The do_tmem_get function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (CPU hang and host crash) via unspecified vectors related to a spinlock being held in the "bad_copy error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.1.0
xen xen 4.2.0
xen xen 4.0.0
CVE-2012-6032 MEDIUM

Multiple integer overflows in the (1) tmh_copy_from_client and (2) tmh_copy_to_client functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (memory corruption and host crash) via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
xen xen 4.1.0
xen xen 4.2.0
xen xen 4.0.0
CVE-2012-6033 MEDIUM

The do_tmem_control function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly check privileges, which allows local guest OS users to access control stack operations via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.0
xen xen 4.2.0
xen xen 4.0.0
CVE-2012-6034 MEDIUM

The (1) tmemc_save_get_next_page and (2) tmemc_save_get_next_inv functions and the (3) TMEMC_SAVE_GET_POOL_UUID sub-operation in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 "do not check incoming guest output buffer pointers," which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.1.0
xen xen 4.2.0
xen xen 4.0.0
CVE-2012-6035 MEDIUM

The do_tmem_destroy_pool function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly validate pool ids, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.1.0
xen xen 4.2.0
xen xen 4.0.0
CVE-2012-6036 MEDIUM

The (1) memc_save_get_next_page, (2) tmemc_restore_put_page and (3) tmemc_restore_flush_page functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 do not check for negative id pools, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or possibly execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.0
xen xen 4.2.0
xen xen 4.0.0
CVE-2012-6333 MEDIUM

Multiple HVM control operations in Xen 3.4 through 4.2 allow local HVM guest OS administrators to cause a denial of service (physical CPU consumption) via a large input.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.0.1
xen xen 4.0.4
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.2.0
xen xen 4.0.0
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
CVE-2013-0151 MEDIUM

The do_hvm_op function in xen/arch/x86/hvm/hvm.c in Xen 4.2.x on the x86_32 platform does not prevent HVM_PARAM_NESTEDHVM (aka nested virtualization) operations, which allows guest OS users to cause a denial of service (long-duration page mappings and host OS crash) by leveraging administrative access to an HVM guest in a domain with a large number of VCPUs.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.2.0
CVE-2013-0152 MEDIUM

Memory leak in Xen 4.2 and unstable allows local HVM guests to cause a denial of service (host memory consumption) by performing nested virtualization in a way that triggers errors that are not properly handled.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.2.0
CVE-2013-0153 MEDIUM

The AMD IOMMU support in Xen 4.2.x, 4.1.x, 3.3, and other versions, when using AMD-Vi for PCI passthrough, uses the same interrupt remapping table for the host and all guests, which allows guests to cause a denial of service by injecting an interrupt into other guests.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen 4.1.1
xen xen 4.1.4
xen xen 4.2.1
xen xen 4.1.3
xen xen 3.3.0
xen xen 4.1.0
xen xen 4.2.0
xen xen 4.1.2
CVE-2013-0154 LOW

The get_page_type function in xen/arch/x86/mm.c in Xen 4.2, when debugging is enabled, allows local PV or HVM guest administrators to cause a denial of service (assertion failure and hypervisor crash) via unspecified vectors related to a hypercall.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen 4.2.0
CVE-2013-0215 MEDIUM

oxenstored in Xen 4.1.x, Xen 4.2.x, and xen-unstable does not properly consider the state of the Xenstore ring during read operations, which allows guest OS users to cause a denial of service (daemon crash and host-control outage, or memory consumption) or obtain sensitive control-plane data by leveraging guest administrative access.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.1
xen xen 4.1.4
xen xen 4.2.1
xen xen 4.1.3
xen xen 4.1.0
xen xen 4.2.0
xen xen 4.1.2
CVE-2013-0231 MEDIUM

The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third party information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen 3.2.0
linux linux_kernel 2.6.18
xen xen 3.2.3
xen xen 3.1.3
xen xen 3.1.4
linux linux_kernel 3.8
xen xen 3.0.3
xen xen 3.2.1
xen xen 3.2.2
xen xen 3.0.2
xen xen 3.0.4
CVE-2013-1432 HIGH

Xen 4.1.x and 4.2.x, when the XSA-45 patch is in place, does not properly maintain references on pages stored for deferred cleanup, which allows local PV guest kernels to cause a denial of service (premature page free and hypervisor crash) or possibly gain privileges via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.1.1
xen xen 4.1.4
xen xen 4.2.1
xen xen 4.1.3
xen xen 4.1.5
xen xen 4.1.0
xen xen 4.2.2
xen xen 4.2.0
xen xen 4.1.2
CVE-2013-1442 LOW

Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCPU after touching other restored extended registers, which allows local guest OSes to obtain sensitive information by reading the registers.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 4.0.4
xen xen 4.1.5
xen xen 4.2.0
xen xen 4.0.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.2.3
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.2
CVE-2013-1917 LOW

Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instruction, which allows PV guest users to cause a denial of service (hypervisor crash) by triggering a #GP fault, which is not properly handled by another IRET instruction.

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 3.1.4
xen xen 3.2.1
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 3.1.3
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2013-1918 MEDIUM

Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to "deep page table traversal."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen 4.1.1
xen xen 4.1.4
xen xen 4.2.1
xen xen 4.1.3
xen xen 4.1.5
xen xen 4.1.0
xen xen 4.2.2
xen xen 4.2.0
xen xen 4.1.2
CVE-2013-1919 MEDIUM

Xen 4.2.x and 4.1.x does not properly restrict access to IRQs, which allows local stub domain clients to gain access to IRQs and cause a denial of service via vectors related to "passed-through IRQs or PCI devices."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.1
xen xen 4.1.4
xen xen 4.2.1
xen xen 4.1.3
xen xen 4.1.5
xen xen 4.1.0
xen xen 4.2.2
xen xen 4.2.0
xen xen 4.1.2
CVE-2013-1920 MEDIUM

Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running "under memory pressure" and the Xen Security Module (XSM) is enabled, uses the wrong ordering of operations when extending the per-domain event channel tracking table, which causes a use-after-free and allows local guest kernels to inject arbitrary events and gain privileges via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 3.0.2
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 3.1.4
xen xen 3.0.3
xen xen 3.2.1
xen xen 3.0.4
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 3.1.3
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.1.2
CVE-2013-1922 LOW

qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk image based on the header, which allows local guest OS administrators to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted, a different vulnerability than CVE-2008-2004.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.2.2
xen xen 4.2.0
CVE-2013-1952 LOW

Xen 4.x, when using Intel VT-d for a bus mastering capable PCI device, does not properly check the source when accessing a bridge device's interrupt remapping table entries for MSI interrupts, which allows local guest domains to cause a denial of service (interrupt injection) via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 4.0.4
xen xen 4.2.0
xen xen 4.0.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.2
CVE-2013-1964 MEDIUM

Xen 4.0.x and 4.1.x incorrectly releases a grant reference when releasing a non-v1, non-transitive grant, which allows local guest administrators to cause a denial of service (host crash), obtain sensitive information, or possibly have other impacts via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.1
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 4.0.4
xen xen 4.1.5
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.2
xen xen 4.0.0
CVE-2013-2072 HIGH

Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to configure VCPU affinity to cause a denial of service (memory corruption and xend toolstack crash) and possibly gain privileges via a crafted cpumap.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
debian debian_linux 7.0
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 4.0.4
xen xen 4.1.5
xen xen 4.2.0
xen xen 4.0.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.2
CVE-2013-2076 MEDIUM

Xen 4.0.x, 4.1.x, and 4.2.x, when running on AMD64 processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one domain to determine portions of the state of floating point instructions of other domains, which can be leveraged to obtain sensitive information such as cryptographic keys, a similar vulnerability to CVE-2006-1056. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 4.0.4
xen xen 4.1.5
xen xen 4.2.0
xen xen 4.0.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.2
CVE-2013-2077 MEDIUM

Xen 4.0.x, 4.1.x, and 4.2.x does not properly restrict the contents of a XRSTOR, which allows local PV guest users to cause a denial of service (unhandled exception and hypervisor crash) via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 4.0.4
xen xen 4.1.5
xen xen 4.2.0
xen xen 4.0.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.2
CVE-2013-2078 MEDIUM

Xen 4.0.2 through 4.0.4, 4.1.x, and 4.2.x allows local PV guest users to cause a denial of service (hypervisor crash) via certain bit combinations to the XSETBV instruction.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 4.0.4
xen xen 4.1.5
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.2
CVE-2013-2194 MEDIUM

Multiple integer overflows in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen *
xen xen 4.2.0
CVE-2013-2195 MEDIUM

The Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to "pointer dereferences" involving unexpected calculations.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen *
xen xen 4.2.0
CVE-2013-2196 MEDIUM

Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to "other problems" that are not CVE-2013-2194 or CVE-2013-2195.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen *
xen xen 4.2.0
CVE-2013-2211 HIGH

The libxenlight (libxl) toolstack library in Xen 4.0.x, 4.1.x, and 4.2.x uses weak permissions for xenstore keys for paravirtualised and emulated serial console devices, which allows local guest administrators to modify the xenstore value via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 4.0.4
xen xen 4.1.5
xen xen 4.2.0
xen xen 4.0.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.2
CVE-2013-2212 MEDIUM

The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling caches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 3.3.1
xen xen 4.0.4
xen xen 3.4.0
xen xen 4.1.5
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.0.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.2
CVE-2013-3495 MEDIUM

The Intel VT-d Interrupt Remapping engine in Xen 3.3.x through 4.3.x allows local guests to cause a denial of service (kernel panic) via a malformed Message Signaled Interrupt (MSI) from a PCI device that is bus mastering capable that triggers a System Error Reporting (SERR) Non-Maskable Interrupt (NMI).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
opensuse opensuse 13.2
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
opensuse opensuse 13.1
xen xen 4.0.0
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2013-4329 MEDIUM

The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is disabled, provides access to a busmastering-capable PCI passthrough device before the IOMMU setup is complete, which allows local HVM guest domains to gain privileges or cause a denial of service via a DMA instruction.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 4.0.4
xen xen 4.1.5
xen xen 4.2.0
xen xen 4.0.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.2.3
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.2
CVE-2013-4355 LOW

Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen *
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 3.0.2
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 3.1.4
xen xen 3.0.3
xen xen 3.2.1
xen xen 3.0.4
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 3.1.3
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.2.2
xen xen 4.1.2
CVE-2013-4356 MEDIUM

Xen 4.3.x writes hypervisor mappings to certain shadow pagetables when live migration is performed on hosts with more than 5TB of RAM, which allows local 64-bit PV guests to read or write to invalid memory and cause a denial of service (crash).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.3.0
CVE-2013-4361 LOW

The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 3.3.1
xen xen 4.0.4
xen xen 3.4.0
xen xen 4.1.5
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.0.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.2
CVE-2013-4368 LOW

The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen *
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 3.0.2
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 3.1.4
xen xen 3.0.3
xen xen 3.2.1
xen xen 3.0.4
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 3.1.3
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.2.2
xen xen 4.1.2
CVE-2013-4369 LOW

The xlu_vif_parse_rate function in the libxlu library in Xen 4.2.x and 4.3.x allows local users to cause a denial of service (NULL pointer dereference) by using the "@" character as the VIF rate configuration.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.2.3
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.2.0
CVE-2013-4370 MEDIUM

The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x and 4.3.x frees certain memory that may still be intended for use, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors that trigger a (1) use-after-free or (2) double free.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.2.3
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.2.0
CVE-2013-4371 MEDIUM

Use-after-free vulnerability in the libxl_list_cpupool function in the libxl toolstack library in Xen 4.2.x and 4.3.x, when running "under memory pressure," returns the original pointer when the realloc function fails, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.2.3
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.2.0
CVE-2013-4375 LOW

The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.2.3
qemu qemu 1.1
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.2.0
CVE-2013-4416 MEDIUM

The Ocaml xenstored implementation (oxenstored) in Xen 4.1.x, 4.2.x, and 4.3.x allows local guest domains to cause a denial of service (domain shutdown) via a large message reply.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 4.1.5
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2013-4494 MEDIUM

Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
debian debian_linux 7.0
xen xen *
CVE-2013-4551 MEDIUM

Xen 4.2.x and 4.3.x, when nested virtualization is disabled, does not properly check the emulation paths for (1) VMLAUNCH and (2) VMRESUME, which allows local HVM guest users to cause a denial of service (host crash) via unspecified vectors related to "guest VMX instruction execution."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.2.0
CVE-2013-4553 MEDIUM

The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 4.0.4
xen xen 3.4.0
xen xen 4.1.5
xen xen 3.4.4
xen xen 4.2.0
xen xen 4.0.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 3.4.2
xen xen 4.3.1
xen xen 3.4.3
xen xen 4.2.3
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2013-4554 MEDIUM

Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 3.1.4
xen xen 3.0.3
xen xen 3.2.1
xen xen 3.0.4
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 3.1.3
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2013-6375 HIGH

Xen 4.2.x and 4.3.x, when using Intel VT-d for PCI passthrough, does not properly flush the TLB after clearing a present translation table entry, which allows local guest administrators to cause a denial of service or gain privileges via unspecified vectors related to an "inverted boolean parameter."

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.3.0
opensuse opensuse 13.1
xen xen 4.2.2
CVE-2013-6400 MEDIUM

Xen 4.2.x and 4.3.x, when using Intel VT-d and a PCI device has been assigned, does not clear the flag that suppresses IOMMU TLB flushes when unspecified errors occur, which causes the TLB entries to not be flushed and allows local guest administrators to cause a denial of service (host crash) or gain privileges via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.2.0
CVE-2014-1642 MEDIUM

The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough and configured to support a large number of CPUs, frees certain memory that may still be intended for use, which allows local guest administrators to cause a denial of service (memory corruption and hypervisor crash) and possibly execute arbitrary code via vectors related to an out-of-memory error that triggers a (1) use-after-free or (2) double free.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.2.0
CVE-2014-1666 HIGH

The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests to cause a denial of service (host or guest malfunction) or possibly gain privileges via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.3.1
xen xen 4.1.5
xen xen 4.2.3
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.6.1
CVE-2014-1891 MEDIUM

Multiple integer overflows in the (1) FLASK_GETBOOL, (2) FLASK_SETBOOL, (3) FLASK_USER, and (4) FLASK_CONTEXT_TO_SID suboperations in the flask hypercall in Xen 4.3.x, 4.2.x, 4.1.x, 3.2.x, and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1892, CVE-2014-1893, and CVE-2014-1894.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen *
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.1.6.1
xen xen 3.3.1
xen xen 4.1.5
xen xen 3.2.1
xen xen 3.2.0
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.2.2
xen xen 4.1.2
CVE-2014-1892 MEDIUM

Xen 3.3 through 4.1, when XSM is enabled, allows local users to cause a denial of service via vectors related to a "large memory allocation," a different vulnerability than CVE-2014-1891, CVE-2014-1893, and CVE-2014-1894.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 3.3.1
xen xen 4.0.4
xen xen 3.4.0
xen xen 4.1.5
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.0.0
xen xen 4.1.1
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2014-1893 MEDIUM

Multiple integer overflows in the (1) FLASK_GETBOOL and (2) FLASK_SETBOOL suboperations in the flask hypercall in Xen 4.1.x, 3.3.x, 3.2.x, and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1891, CVE-2014-1892, and CVE-2014-1894.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.1.1
xen xen *
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 3.2.1
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.1.2
CVE-2014-1894 MEDIUM

Multiple integer overflows in unspecified suboperations in the flask hypercall in Xen 3.2.x and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1891, CVE-2014-1892, and CVE-2014-1893.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
xen xen 3.2.0
xen xen *
xen xen 3.1.3
xen xen 3.1.4
xen xen 3.0.3
xen xen 3.2.1
xen xen 3.2.2
xen xen 3.0.2
xen xen 3.0.4
CVE-2014-1895 MEDIUM

Off-by-one error in the flask_security_avc_cachestats function in xsm/flask/flask_op.c in Xen 4.2.x and 4.3.x, when the maximum number of physical CPUs are in use, allows local users to cause a denial of service (host crash) or obtain sensitive information from hypervisor memory by leveraging a FLASK_AVC_CACHESTAT hypercall, which triggers a buffer over-read.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.2.0
CVE-2014-1896 MEDIUM

The (1) do_send and (2) do_recv functions in io.c in libvchan in Xen 4.2.x, 4.3.x, and 4.4-RC series allows local guests to cause a denial of service or possibly gain privileges via crafted xenstore ring indexes, which triggers a "read or write past the end of the ring."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.2.0
CVE-2014-1950 MEDIUM

Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen 4.1.x through 4.3.x, when using a multithreaded toolstack, does not properly handle a failure by the xc_cpumap_alloc function, which allows local users with access to management functions to cause a denial of service (heap corruption) and possibly gain privileges via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 4.1.5
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2014-2580 MEDIUM

The netback driver in Xen, when using certain Linux versions that do not allow sleeping in softirq context, allows local guest administrators to cause a denial of service ("scheduling while atomic" error and host crash) via a malformed packet, which causes a mutex to be taken when trying to disable the interface.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen -
CVE-2014-2599 MEDIUM

The HVMOP_set_mem_access HVM control operations in Xen 4.1.x for 32-bit and 4.1.x through 4.4.x for 64-bit allow local guest administrators to cause a denial of service (CPU consumption) by leveraging access to certain service domains for HVM guests and a large input.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 4.1.5
xen xen 4.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2014-2915 MEDIUM

Xen 4.4.x, when running on ARM systems, does not properly restrict access to hardware features, which allows local guest users to cause a denial of service (host or guest crash) via unspecified vectors, related to (1) cache control, (2) coprocessors, (3) debug registers, and (4) other unspecified registers.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.4.0
CVE-2014-2986 MEDIUM

The vgic_distr_mmio_write function in the virtual guest interrupt controller (GIC) distributor (arch/arm/vgic.c) in Xen 4.4.x, when running on an ARM system, allows local guest users to cause a denial of service (NULL pointer dereference and host crash) via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.4.0
CVE-2014-3124 MEDIUM

The HVMOP_set_mem_type control in Xen 4.1 through 4.4.x allows local guest HVM administrators to cause a denial of service (hypervisor crash) or possibly execute arbitrary code by leveraging a separate qemu-dm vulnerability to trigger invalid page table translations for unspecified memory page types.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 4.1.5
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2014-3125 MEDIUM

Xen 4.4.x, when running on an ARM system, does not properly context switch the CNTKCTL_EL1 register, which allows local guest users to modify the hardware timers and cause a denial of service (crash) via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.4.0
CVE-2014-3672 LOW

The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr.

CVSS 2.0

Severity: LOW

Problem Type: CWE-400,

Products Affected

Vendor Product Version
xen xen *
redhat libvirt *
CVE-2014-3714 LOW

The ARM image loading functionality in Xen 4.4.x does not properly validate kernel length, which allows local users to read system memory or cause a denial of service (crash) via a crafted 32-bit ARM guest kernel in an image, which triggers a buffer overflow.

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.4.0
CVE-2014-3715 LOW

Buffer overflow in Xen 4.4.x allows local users to read system memory or cause a denial of service (crash) via a crafted 32-bit guest kernel, related to searching for an appended DTB.

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen 4.4.0
CVE-2014-3716 LOW

Xen 4.4.x does not properly check alignment, which allows local users to cause a denial of service (crash) via an unspecified field in a DTB header in a 32-bit guest kernel.

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.4.0
CVE-2014-3717 LOW

Xen 4.4.x does not properly validate the load address for 64-bit ARM guest kernels, which allows local users to read system memory or cause a denial of service (crash) via a crafted kernel, which triggers a buffer overflow.

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.4.0
CVE-2014-3967 MEDIUM

The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x does not properly check the return value from the IRQ setup check, which allows local HVM guest administrators to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xen xen 4.2.1
opensuse opensuse 12.3
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
opensuse opensuse 13.1
xen xen 4.2.2
xen xen 4.2.0
CVE-2014-3968 MEDIUM

The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x allows local guest HVM administrators to cause a denial of service (host crash) via a large number of crafted requests, which trigger an error messages to be logged.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen 4.2.1
opensuse opensuse 12.3
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
opensuse opensuse 13.1
xen xen 4.2.2
xen xen 4.2.0
CVE-2014-3969 HIGH

Xen 4.4.x, when running on an ARM system, does not properly check write permissions on virtual addresses, which allows local guest administrators to gain privileges via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.4.0
CVE-2014-4021 LOW

Xen 3.2.x through 4.4.x does not properly clean memory pages recovered from guests, which allows local guest OS users to obtain sensitive information via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 4.0.4
xen xen 3.2.3
xen xen 4.1.5
xen xen 3.2.1
xen xen 4.2.0
xen xen 4.0.0
xen xen 3.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 3.2.2
xen xen 4.4.0
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2014-4022 LOW

The alloc_domain_struct function in arch/arm/domain.c in Xen 4.4.x, when running on an ARM platform, does not properly initialize the structure containing the grant table pages for a domain, which allows local guest administrators to obtain sensitive information via the GNTTABOP_setup_table subhypercall.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.4.0
CVE-2014-5146 MEDIUM

Certain MMU virtualization operations in Xen 4.2.x through 4.4.x before the xsa97-hap patch, when using Hardware Assisted Paging (HAP), are not preemptible, which allows local HVM guest to cause a denial of service (vcpu consumption) by invoking these operations, which process every page assigned to a guest, a different vulnerability than CVE-2014-5149.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
opensuse opensuse 13.2
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
opensuse opensuse 13.1
xen xen 4.2.2
xen xen 4.2.0
CVE-2014-5147 MEDIUM

Xen 4.4.x, when running a 64-bit kernel on an ARM system, does not properly handle traps from the guest domain that use a different address width, which allows local guest users to cause a denial of service (host crash) via a crafted 32-bit process.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.4.0
CVE-2014-5148 MEDIUM

Xen 4.4.x, when running on an ARM system and "handling an unknown system register access from 64-bit userspace," returns to an instruction of the trap handler for kernel space faults instead of an instruction that is associated with faults in 64-bit userspace, which allows local guest users to cause a denial of service (crash) and possibly gain privileges via a crafted process.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen 4.4.1
xen xen 4.4.0
CVE-2014-5149 MEDIUM

Certain MMU virtualization operations in Xen 4.2.x through 4.4.x, when using shadow pagetables, are not preemptible, which allows local HVM guest to cause a denial of service (vcpu consumption) by invoking these operations, which process every page assigned to a guest, a different vulnerability than CVE-2014-5146.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
opensuse opensuse 13.2
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
opensuse opensuse 13.1
xen xen 4.2.2
xen xen 4.2.0
CVE-2014-6268 MEDIUM

The evtchn_fifo_set_pending function in Xen 4.4.x allows local guest users to cause a denial of service (host crash) via vectors involving an uninitialized FIFO-based event channel control block when (1) binding or (2) moving an event to a different VCPU.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.4.1
xen xen 4.4.0
CVE-2014-7154 MEDIUM

Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x does not ensure possession of the guarding lock for dirty video RAM tracking, which allows certain local guest domains to cause a denial of service via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 7.0
xen xen 4.1.4
opensuse opensuse 12.3
xen xen 4.1.3
xen xen 4.1.5
xen xen 4.4.1
opensuse opensuse 13.1
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
fedoraproject fedora 20
xen xen 4.3.1
fedoraproject fedora 19
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2014-7155 MEDIUM

The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode permissions, which allows local HVM users to cause a denial of service (guest crash) or gain guest kernel mode privileges via vectors involving an (1) HLT, (2) LGDT, (3) LIDT, or (4) LMSW instruction.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
fedoraproject fedora 19
xen xen *
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 3.0.2
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
debian debian_linux 7.0
xen xen 4.0.1
opensuse opensuse 12.3
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 3.1.4
xen xen 3.0.3
xen xen 3.2.1
opensuse opensuse 13.1
xen xen 3.0.4
xen xen 4.0.0
xen xen 3.2.0
fedoraproject fedora 20
xen xen 3.4.2
xen xen 3.1.3
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2014-7156 LOW

The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 3.3.x through 4.4.x does not check the supervisor mode permissions for instructions that generate software interrupts, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.3.1
xen xen 4.1.5
xen xen 4.4.1
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2014-7188 HIGH

The hvm_msr_read_intercept function in arch/x86/hvm/hvm.c in Xen 4.1 through 4.4.x uses an improper MSR range for x2APIC emulation, which allows local HVM guests to cause a denial of service (host crash) or read data from the hypervisor or other guests via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 4.1.5
xen xen 4.4.1
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2014-8594 MEDIUM

The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not properly restrict updates to only PV page tables, which allows remote PV guests to cause a denial of service (NULL pointer dereference) by leveraging hardware emulation services for HVM guests using Hardware Assisted Paging (HAP).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
debian debian_linux 7.0
opensuse opensuse 13.2
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 4.0.4
xen xen 4.1.5
opensuse opensuse 13.1
xen xen 4.2.0
xen xen 4.0.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2014-8595 LOW

arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest users to gain privileges or cause a denial of service (crash) via a crafted (1) CALL, (2) JMP, (3) RETF, (4) LCALL, (5) LJMP, or (6) LRET far branch instruction.

CVSS 2.0

Severity: LOW

Problem Type: CWE-17,

Products Affected

Vendor Product Version
opensuse opensuse 13.2
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
debian debian_linux 7.0
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 3.2.1
opensuse opensuse 13.1
xen xen 4.0.0
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2014-8866 MEDIUM

The compatibility mode hypercall argument translation in Xen 3.3.x through 4.4.x, when running on a 64-bit hypervisor, allows local 32-bit HVM guests to cause a denial of service (host crash) via vectors involving altering the high halves of registers while in 64-bit mode.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-17,

Products Affected

Vendor Product Version
opensuse opensuse 13.2
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
debian debian_linux 7.0
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
opensuse opensuse 13.1
xen xen 4.0.0
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2014-8867 MEDIUM

The acceleration support for the "REP MOVS" instruction in Xen 4.4.x, 3.2.x, and earlier lacks properly bounds checking for memory mapped I/O (MMIO) emulated in the hypervisor, which allows local HVM guests to cause a denial of service (host crash) via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-17,

Products Affected

Vendor Product Version
debian debian_linux 7.0
opensuse opensuse 13.2
redhat enterprise_linux 5.0
xen xen 3.2.3
xen xen *
xen xen 4.4.1
xen xen 3.2.1
xen xen 3.2.2
xen xen 4.4.0
opensuse opensuse 13.1
redhat enterprise_linux_desktop 5.0
CVE-2014-9030 HIGH

The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
opensuse opensuse 13.2
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
debian debian_linux 7.0
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 3.2.1
opensuse opensuse 13.1
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2014-9065 MEDIUM

common/spinlock.c in Xen 4.4.x and earlier does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability to CVE-2014-9066.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-17,

Products Affected

Vendor Product Version
opensuse opensuse 13.2
xen xen *
opensuse opensuse 13.1
CVE-2014-9066 MEDIUM

Xen 4.4.x and earlier, when using a large number of VCPUs, does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability than CVE-2014-9065.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-17,

Products Affected

Vendor Product Version
opensuse opensuse 13.2
xen xen *
opensuse opensuse 13.1
CVE-2015-0268 MEDIUM

The vgic_v2_to_sgi function in arch/arm/vgic-v2.c in Xen 4.5.x, when running on ARM hardware with general interrupt controller (GIC) version 2, allows local guest users to cause a denial of service (host crash) by writing an invalid value to the GICD.SGIR register.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.5.0
CVE-2015-0361 HIGH

Use-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows remote domains to cause a denial of service (system crash) via a crafted hypercall during HVM guest teardown.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
opensuse opensuse 13.2
xen xen 4.4.1
xen xen 4.2.5
opensuse opensuse 13.1
xen xen 4.3.2
xen xen 4.2.4
xen xen 4.2.0
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.2.2
CVE-2015-0777 LOW

drivers/xen/usbback/usbback.c in linux-2.6.18-xen-3.4.0 (aka the Xen 3.4.x support patches for the Linux kernel 2.6.18), as used in the Linux kernel 2.6.x and 3.x in SUSE Linux distributions, allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 3.4.2
xen xen 3.4.0
xen xen 3.4.3
xen xen 3.4.4
xen xen 3.4.1
CVE-2015-1563 LOW

The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows local guests to cause a denial of service by causing a large number messages to be logged.

CVSS 2.0

Severity: LOW

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.0.1
xen xen 4.1.3
xen xen 4.0.4
xen xen 4.1.5
xen xen 4.4.1
xen xen 4.5.0
xen xen 4.2.0
xen xen 4.0.0
xen xen 4.1.1
xen xen 4.2.1
fedoraproject fedora 21
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.0.2
xen xen 4.2.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2015-2044 LOW

The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 3.2.1
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-2045 LOW

The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not properly initialize data structures, which allows local guest users to obtain sensitive information via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
fedoraproject fedora 22
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
debian debian_linux 7.0
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 3.2.1
xen xen 4.0.0
xen xen 3.2.0
fedoraproject fedora 20
fedoraproject fedora 21
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-2150 MEDIUM

Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly restrict access to PCI command registers, which might allow local guest OS users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
ubuntu ubuntu 12.04
xen xen 4.1.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 4.0.0
linux linux_kernel *
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-2151 HIGH

The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore segment overrides for instructions with register operands, which allows local guest users to obtain sensitive information, cause a denial of service (memory corruption), or possibly execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
fedoraproject fedora 22
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
debian debian_linux 7.0
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 3.2.1
xen xen 4.0.0
xen xen 3.2.0
fedoraproject fedora 20
fedoraproject fedora 21
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-2152 LOW

Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configuration disables them, which allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compiled with SDL support.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264,

Products Affected

Vendor Product Version
fedoraproject fedora 20
fedoraproject fedora 21
xen xen *
fedoraproject fedora 22
CVE-2015-2751 HIGH

Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allows remote domains with partial management control to cause a denial of service (host lock) via unspecified domctl operations.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-17,

Products Affected

Vendor Product Version
fedoraproject fedora 20
fedoraproject fedora 21
xen xen 4.3.1
xen xen 4.4.1
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.5.0
xen xen 4.3.2
CVE-2015-2752 MEDIUM

The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a PCI passthrough device, is not preemptible, which allows local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
fedoraproject fedora 20
fedoraproject fedora 21
xen xen 4.3.1
xen xen 4.4.1
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.5.0
xen xen 4.3.2
CVE-2015-2756 MEDIUM

QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
debian debian_linux 7.0
canonical ubuntu_linux 12.04
xen xen 4.4.1
xen xen 4.5.0
xen xen 4.3.2
fedoraproject fedora 20
fedoraproject fedora 21
xen xen 4.3.1
debian debian_linux 8.0
canonical ubuntu_linux 15.04
canonical ubuntu_linux 14.10
xen xen 4.4.0
xen xen 4.3.0
canonical ubuntu_linux 14.04
CVE-2015-3259 MEDIUM

Stack-based buffer overflow in the xl command line utility in Xen 4.1.x through 4.5.x allows local guest administrators to gain privileges via a long configuration argument.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 4.1.5
xen xen 4.4.1
xen xen 4.5.0
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.4.2
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.3.4
xen xen 4.4.0
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2015-3340 LOW

Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
suse linux_enterprise_desktop 12
xen xen 4.4.1
suse linux_enterprise_software_development_kit 12
xen xen 4.5.0
xen xen 4.2.4
xen xen 4.2.0
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
fedoraproject fedora 22
debian debian_linux 7.0
suse suse_linux_enterprise_software_development_kit 11.0
xen xen 4.2.5
opensuse opensuse 13.1
suse suse_linux_enterprise_server 11.0
xen xen 4.3.2
suse suse_linux_enterprise_desktop 11.0
suse suse_linux_enterprise_server 12
fedoraproject fedora 20
fedoraproject fedora 21
xen xen 4.4.2
debian debian_linux 8.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.2.2
CVE-2015-3456 HIGH

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat openstack 4.0
redhat enterprise_linux 6.0
redhat openstack 5.0
redhat openstack 6.0
redhat enterprise_linux 7.0
xen xen 4.5.0
redhat enterprise_linux 5
redhat openstack 7.0
qemu qemu *
redhat enterprise_virtualization 3.0
CVE-2015-4103 MEDIUM

Xen 3.3.x through 4.5.x does not properly restrict write access to the host MSI message data field, which allows local x86 HVM guest administrators to cause a denial of service (host interrupt handling confusion) via vectors related to qemu and accessing spanning multiple fields.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 4.3.2
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-4104 HIGH

Xen 3.3.x through 4.5.x does not properly restrict access to PCI MSI mask bits, which allows local x86 HVM guest users to cause a denial of service (unexpected interrupt and host crash) via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 4.3.2
xen xen 4.0.0
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-4105 MEDIUM

Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through error messages, which allows local x86 HVM guests to cause a denial of service (host disk consumption) via certain invalid operations.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 4.3.2
xen xen 4.0.0
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-4163 MEDIUM

GNTTABOP_swap_grant_ref in Xen 4.2 through 4.5 does not check the grant table operation version, which allows local guest domains to cause a denial of service (NULL pointer dereference) via a hypercall without a GNTTABOP_setup_table or GNTTABOP_set_version.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.4.1
xen xen 4.2.3
xen xen 4.3.4
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.5.0
xen xen 4.2.2
xen xen 4.2.0
CVE-2015-4164 MEDIUM

The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via a hypercall_iret call with EFLAGS.VM set.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.1.5
xen xen 3.1.4
xen xen 3.2.1
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 3.1.3
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-5154 HIGH

Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
suse linux_enterprise_desktop 12
xen xen 4.5.1
suse linux_enterprise_debuginfo 11
suse linux_enterprise_software_development_kit 12
suse linux_enterprise_desktop 11
qemu qemu *
suse suse_linux_enterprise_server 12
fedoraproject fedora 21
xen xen *
fedoraproject fedora 23
suse linux_enterprise_server 11
fedoraproject fedora 22
suse linux_enterprise_software_development_kit 11
CVE-2015-5165 HIGH

The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-908,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_eus_from_rhui 6.7
redhat enterprise_linux_server_update_services_for_sap_solutions 7.6
redhat enterprise_linux_compute_node_eus 7.6
suse linux_enterprise_server 10
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_for_scientific_computing 7.0
redhat enterprise_linux_compute_node_eus 7.5
oracle linux 7
redhat enterprise_linux_for_power_big_endian 7.0
redhat enterprise_linux_server_update_services_for_sap_solutions 7.2
redhat enterprise_linux_server_update_services_for_sap_solutions 7.7
redhat enterprise_linux_server_tus 7.6
xen xen *
suse linux_enterprise_server 11
redhat enterprise_linux_server_aus 7.6
fedoraproject fedora 22
redhat enterprise_linux_desktop 6.0
debian debian_linux 7.0
redhat enterprise_linux_for_power_big_endian_eus 7.3_ppc64
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_for_power_big_endian_eus 7.4_ppc64
redhat enterprise_linux_server_eus 7.6
arista eos 4.13
arista eos 4.12
redhat enterprise_linux_compute_node_eus 7.7
arista eos 4.15
redhat enterprise_linux_eus_compute_node 6.7
redhat enterprise_linux_server_eus 7.5
fedoraproject fedora 21
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_compute_node_eus 7.4
redhat virtualization 3.0
redhat openstack 6.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_for_power_big_endian_eus 7.2_ppc64
redhat enterprise_linux_for_power_big_endian_eus 6.7_ppc64
redhat enterprise_linux_eus 6.7
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_from_rhui 6.0
redhat enterprise_linux_for_scientific_computing 6.0
arista eos 4.14
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_eus 7.2
redhat enterprise_linux_for_power_big_endian_eus 7.6_ppc64
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_for_power_big_endian_eus 7.1_ppc64
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux_server_from_rhui 7.0
redhat enterprise_linux_server_tus 7.7
xen xen 4.5.1
suse linux_enterprise_debuginfo 11
redhat enterprise_linux_compute_node_eus 7.3
redhat enterprise_linux_server_update_services_for_sap_solutions 7.4
redhat enterprise_linux_server_update_services_for_sap_solutions 7.3
redhat enterprise_linux_compute_node_eus 7.1
redhat enterprise_linux_for_power_big_endian_eus 7.7_ppc64
redhat enterprise_linux_compute_node_eus 7.2
redhat enterprise_linux_for_power_big_endian 6.0
debian debian_linux 8.0
redhat enterprise_linux_server 6.0
redhat openstack 5.0
redhat enterprise_linux_for_power_big_endian_eus 7.5_ppc64
CVE-2015-5166 HIGH

Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows local HVM guest users to gain privileges by unplugging a block device twice.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
fedoraproject fedora 21
xen xen 4.5.1
xen xen *
fedoraproject fedora 22
CVE-2015-5307 MEDIUM

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
xen xen 4.4.1
xen xen 4.6.6
xen xen 4.5.0
xen xen 4.3.1
xen xen 4.3.4
xen xen 4.6.1
canonical ubuntu_linux 14.04
debian debian_linux 7.0
xen xen 4.5.1
canonical ubuntu_linux 15.10
xen xen 4.4.3
xen xen 4.3.2
oracle vm_virtualbox *
xen xen 4.6.3
xen xen 4.6.5
linux linux_kernel *
xen xen 4.6.2
xen xen 4.4.2
xen xen 4.6.4
debian debian_linux 8.0
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.4.4
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.5.5
CVE-2015-6654 LOW

The xenmem_add_to_physmap_one function in arch/arm/mm.c in Xen 4.5.x, 4.4.x, and earlier does not limit the number of printk console messages when reporting a failure to retrieve a reference on a foreign page, which allows remote domains to cause a denial of service by leveraging permissions to map the memory of a foreign guest.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.5.1
xen xen 4.4.0
xen xen 4.5.0
CVE-2015-6815 LOW

The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.5 LOW CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.1 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
redhat enterprise_linux 7.0
qemu qemu *
arista eos 4.14
novell suse_linux_enterprise_desktop 12.0
novell suse_linux_enterprise_server 12.0
redhat enterprise_linux 6.0
fedoraproject fedora 22
canonical ubuntu_linux 14.04
redhat enterprise_linux 5.0
xen xen 4.5.1
arista eos 4.13
arista eos 4.12
xen xen 4.4.3
redhat openstack 7.0
novell suse_linux_enterprise_software_development_kit 11.0
arista eos 4.15
fedoraproject fedora 21
novell suse_linux_enterprise_software_development_kit 12.0
novell suse_linux_enterprise_desktop 11.0
novell suse_linux_enterprise_server 11.0
canonical ubuntu_linux 15.04
fedoraproject fedora 23
redhat openstack 5.0
redhat openstack 6.0
novell suse_linux_enterprise_debuginfo 11.0
CVE-2015-7311 LOW

libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image.

CVSS 2.0

Severity: LOW

Problem Type: CWE-17,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 4.5.1
xen xen 4.1.5
xen xen 4.4.1
xen xen 4.2.5
xen xen 4.5.0
xen xen 4.3.2
xen xen 4.2.4
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.2.3
xen xen 4.3.4
xen xen 4.4.0
xen xen 4.1.0
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.2.2
xen xen 4.1.6.1
xen xen 4.1.2
CVE-2015-7504 MEDIUM

Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 7.0
qemu qemu 2.5.0
xen xen *
debian debian_linux 8.0
qemu qemu *
CVE-2015-7812 MEDIUM

The hypercall_create_continuation function in arch/arm/domain.c in Xen 4.4.x through 4.6.x allows local guest users to cause a denial of service (host crash) via a preemptible hypercall to the multicall interface.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-254,

Products Affected

Vendor Product Version
xen xen 4.4.2
xen xen 4.5.1
xen xen 4.4.1
xen xen 4.5.2
xen xen 4.6.0
xen xen 4.4.0
xen xen 4.5.0
xen xen 4.4.3
CVE-2015-7813 LOW

Xen 4.4.x, 4.5.x, and 4.6.x does not limit the number of printk console messages when reporting unimplemented hypercalls, which allows local guests to cause a denial of service via a sequence of (1) HYPERVISOR_physdev_op hypercalls, which are not properly handled in the do_physdev_op function in arch/arm/physdev.c, or (2) HYPERVISOR_hvm_op hypercalls, which are not properly handled in the do_hvm_op function in arch/arm/hvm.c.

CVSS 2.0

Severity: LOW

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.5.1
xen xen 4.4.1
xen xen 4.6.0
xen xen 4.4.0
xen xen 4.5.0
CVE-2015-7814 MEDIUM

Race condition in the relinquish_memory function in arch/arm/domain.c in Xen 4.6.x and earlier allows local domains with partial management control to cause a denial of service (host crash) via vectors involving the destruction of a domain and using XENMEM_decrease_reservation to reduce the memory of the domain.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-362,

Products Affected

Vendor Product Version
xen xen *
CVE-2015-7835 HIGH

The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 4.0.4
xen xen 4.5.1
xen xen 4.1.5
xen xen 4.3.2
xen xen 4.0.0
xen xen 3.4.2
xen xen 3.4.3
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-7969 MEDIUM

Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators or domains with certain permission to cause a denial of service (memory consumption) via a large number of "teardowns" of domains with the vcpu pointer array allocated using the (1) XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer array allocated using the (2) XENOPROF_get_buffer or (3) XENOPROF_set_passive hypercall.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 4.4.1
xen xen 4.5.0
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 4.0.4
xen xen 4.5.1
xen xen 4.1.5
xen xen 4.3.2
xen xen 4.0.0
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-7970 MEDIUM

The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86 HVM guest administrators to cause a denial of service (CPU consumption and possibly reboot) via crafted memory contents that triggers a "time-consuming linear scan," related to Populate-on-Demand.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 3.4.2
xen xen 3.4.0
xen xen 3.4.3
xen xen 3.4.4
xen xen 3.4.1
CVE-2015-7971 LOW

Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c.

CVSS 2.0

Severity: LOW

Problem Type: CWE-19,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.5.1
xen xen 4.1.5
xen xen 3.2.1
xen xen 4.3.2
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-7972 LOW

The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to "heavy memory pressure."

CVSS 2.0

Severity: LOW

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 4.0.4
xen xen 4.5.1
xen xen 4.1.5
xen xen 4.3.2
xen xen 4.0.0
xen xen 3.4.2
xen xen 3.4.3
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-8104 MEDIUM

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
xen xen 4.4.1
oracle solaris 11.3
xen xen 4.5.0
xen xen 4.3.1
xen xen 4.3.4
xen xen 4.6.1
canonical ubuntu_linux 14.04
debian debian_linux 7.0
xen xen 4.5.1
debian debian_linux 9.0
xen xen 4.4.3
xen xen 4.3.2
oracle vm_virtualbox *
xen xen 4.6.5
linux linux_kernel *
xen xen 4.6.2
xen xen 4.4.2
xen xen 4.6.4
debian debian_linux 8.0
canonical ubuntu_linux 15.04
xen xen 4.5.2
xen xen 4.6.0
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.3.3
CVE-2015-8338 HIGH

Xen 4.6.x and earlier does not properly enforce limits on page order inputs for the (1) XENMEM_increase_reservation, (2) XENMEM_populate_physmap, (3) XENMEM_exchange, and possibly other HYPERVISOR_memory_op suboperations, which allows ARM guest OS administrators to cause a denial of service (CPU consumption, guest reboot, or watchdog timeout and host reboot) and possibly have unspecified other impact via unknown vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-254,

Products Affected

Vendor Product Version
xen xen *
CVE-2015-8339 MEDIUM

The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via unspecified vectors related to domain teardown.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-19,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.2.4
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.5.1
xen xen 4.1.5
xen xen 4.2.5
xen xen 3.2.1
xen xen 4.4.3
xen xen 4.3.2
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 4.1.6
xen xen 4.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.5.2
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-8340 MEDIUM

The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via unspecified vectors, related to XENMEM_exchange error handling.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-17,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.2.4
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.5.1
xen xen 4.1.5
xen xen 4.2.5
xen xen 3.2.1
xen xen 4.4.3
xen xen 4.3.2
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 4.1.6
xen xen 4.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.5.2
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-8341 HIGH

The libxl toolstack library in Xen 4.1.x through 4.6.x does not properly release mappings of files used as kernels and initial ramdisks when managing multiple domains in the same process, which allows attackers to cause a denial of service (memory and disk consumption) by starting domains.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 4.4.1
xen xen 4.5.0
xen xen 4.2.4
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 4.1.0
xen xen 4.1.6.1
xen xen 4.5.1
xen xen 4.1.5
xen xen 4.2.5
xen xen 4.4.3
xen xen 4.3.2
xen xen 4.1.6
xen xen 4.4.2
xen xen 4.5.2
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-8550 MEDIUM

Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
novell suse_linux_enterprise_real_time_extension 12
xen xen -
CVE-2015-8552 LOW

The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka "Linux pciback missing sanity checks."

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.1.4
canonical ubuntu_linux 12.04
xen xen 4.1.3
xen xen 3.2.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 3.3.2
xen xen 4.2.4
xen xen 4.2.0
novell suse_linux_enterprise_debuginfo 11
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 3.2.2
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
debian debian_linux 6.0
xen xen 4.1.5
xen xen 3.1.4
xen xen 4.2.5
novell suse_linux_enterprise_real_time_extension 11
xen xen 3.2.1
xen xen 4.3.2
xen xen 4.0.0
xen xen 3.2.0
xen xen 3.4.2
xen xen 4.1.6
novell suse_linux_enterprise_real_time_extension 12
xen xen 3.1.3
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.2.3
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.2.2
xen xen 4.1.2
CVE-2015-8553 LOW

Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen -
redhat enterprise_linux 5
CVE-2015-8554 MEDIUM

Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using the qemu-xen-traditional (aka qemu-dm) device model, allows local x86 HVM guest administrators to gain privileges by leveraging a system with access to a passed-through MSI-X capable physical PCI device and MSI-X table entries, related to a "write path."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen *
CVE-2015-8555 MEDIUM

Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.5.1
xen xen 4.4.1
xen xen 4.5.0
xen xen 4.4.3
xen xen 4.3.2
citrix xenserver 6.0
xen xen 4.4.2
xen xen 4.3.1
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.3.4
xen xen 4.4.4
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.6.1
CVE-2015-8615 LOW

The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 does not limit the number of printk console messages when logging the new callback method, which allows local HVM guest OS users to cause a denial of service via a large number of changes to the callback method (HVM_PARAM_CALLBACK_IRQ).

CVSS 2.0

Severity: LOW

Problem Type: CWE-254,

Products Affected

Vendor Product Version
xen xen 4.6.0
CVE-2016-10013 MEDIUM

Xen through 4.8.x allows local 64-bit x86 HVM guest OS users to gain privileges by leveraging mishandling of SYSCALL singlestep during emulation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen *
CVE-2016-10024 MEDIUM

Xen through 4.8.x allows local x86 PV guest OS kernel administrators to cause a denial of service (host hang or crash) by modifying the instruction stream asynchronously while performing certain kernel operations.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
citrix xenserver 6.0.2
citrix xenserver 6.2.0
xen xen *
citrix xenserver 7.0
citrix xenserver 6.5
CVE-2016-10025 LOW

VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions (aka SVM) allows local HVM guest OS users to cause a denial of service (hypervisor crash) by leveraging a missing NULL pointer check.

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
xen xen 4.7.0
xen xen 4.6.3
xen xen 4.7.1
citrix xenserver 6.0.2
xen xen 4.6.4
citrix xenserver 6.2.0
xen xen 4.8.0
xen xen 4.6.0
citrix xenserver 7.0
xen xen 4.6.1
citrix xenserver 6.5
CVE-2016-1570 MEDIUM

The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.4.0
xen xen 4.4.1
xen xen 4.5.0
xen xen 4.2.4
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.1.6.1
xen xen 4.5.1
xen xen 4.1.5
xen xen 4.2.5
xen xen 4.4.3
xen xen 4.3.2
xen xen 4.1.6
xen xen 4.4.2
xen xen 4.5.2
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.2.2
xen xen 4.1.2
CVE-2016-1571 MEDIUM

The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-17,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.2.4
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.1.6.1
xen xen 3.3.1
xen xen 4.5.1
xen xen 4.1.5
xen xen 4.2.5
xen xen 4.4.3
xen xen 4.3.2
xen xen 3.4.2
xen xen 4.1.6
xen xen 4.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.5.2
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.0
citrix xenserver *
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.2.2
xen xen 4.1.2
CVE-2016-2270 MEDIUM

Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
debian debian_linux 7.0
xen xen *
debian debian_linux 8.0
fedoraproject fedora 23
oracle vm_server 3.4
fedoraproject fedora 22
CVE-2016-2271 LOW

VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xen xen 4.6.0
xen xen 4.6.1
CVE-2016-3157 HIGH

The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel does not properly context-switch IOPL on 64-bit PV Xen guests, which allows local guest OS users to gain privileges, cause a denial of service (guest OS crash), or obtain sensitive information by leveraging I/O port access.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
xen xen 4.0.0
CVE-2016-3158 LOW

The xrstor function in arch/x86/xstate.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,CWE-284,

Products Affected

Vendor Product Version
xen xen *
fedoraproject fedora 23
oracle vm_server 3.4
oracle vm_server 3.3
fedoraproject fedora 22
CVE-2016-3159 LOW

The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,CWE-284,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 8.0
fedoraproject fedora 23
oracle vm_server 3.4
oracle vm_server 3.3
fedoraproject fedora 22
CVE-2016-3960 HIGH

Integer overflow in the x86 shadow pagetable code in Xen allows local guest OS users to cause a denial of service (host crash) or possibly gain privileges by shadowing a superpage mapping.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,NVD-CWE-Other,

Products Affected

Vendor Product Version
fedoraproject fedora 24
fedoraproject fedora 23
xen xen -
oracle vm_server 3.4
oracle vm_server 3.3
fedoraproject fedora 22
oracle vm_server 3.2
CVE-2016-3961 LOW

Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest OS users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area.

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
xen xen *
canonical ubuntu_linux 15.10
canonical ubuntu_linux 14.04
CVE-2016-4480 HIGH

The guest_walk_tables function in arch/x86/mm/guest_walk.c in Xen 4.6.x and earlier does not properly handle the Page Size (PS) page table entry bit at the L4 and L3 page table levels, which might allow local guest OS users to gain privileges via a crafted mapping of memory.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen *
oracle vm_server 3.4
oracle vm_server 3.3
oracle vm_server 3.2
CVE-2016-4962 MEDIUM

The libxl device-handling in Xen 4.6.x and earlier allows local OS guest administrators to cause a denial of service (resource consumption or management facility confusion) or gain host OS privileges by manipulating information in guest controlled areas of xenstore.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.5.1
xen xen 4.4.1
oracle vm_server 3.4
xen xen 4.5.0
xen xen 4.4.3
xen xen 4.3.2
xen xen 4.4.2
xen xen 4.3.1
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.3.4
xen xen 4.4.4
xen xen 4.4.0
oracle vm_server 3.3
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.6.1
CVE-2016-4963 LOW

The libxl device-handling in Xen through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (management tool confusion) by manipulating information in the backend directories in xenstore.

CVSS 2.0

Severity: LOW

Problem Type: CWE-284,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 4.4.1
xen xen 4.5.0
xen xen 4.2.4
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 4.1.0
xen xen 4.6.1
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 4.0.4
xen xen 4.5.1
xen xen 4.1.5
xen xen 4.2.5
xen xen 4.4.3
xen xen 4.3.2
xen xen 4.0.0
xen xen 4.1.6
xen xen 4.4.2
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.4
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.2.2
xen xen 4.1.2
CVE-2016-5242 MEDIUM

The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (NULL pointer dereference and host OS crash) by creating concurrent domains and holding references to them, related to VMID exhaustion.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xen xen 4.4.2
xen xen 4.5.1
xen xen 4.4.1
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.4.4
xen xen 4.4.0
xen xen 4.5.0
xen xen 4.6.1
xen xen 4.4.3
CVE-2016-6258 HIGH

The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
citrix xenserver 6.0
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
citrix xenserver 6.0.2
citrix xenserver 6.1
xen xen 4.3.1
citrix xenserver 6.2.0
citrix xenserver 7.0
xen xen 4.1.0
xen xen 4.6.1
xen xen 4.0.3
xen xen 4.0.1
xen xen 4.0.4
xen xen 4.1.5
citrix xenserver 6.5.0
xen xen 4.0.0
xen xen 4.7.0
xen xen 4.6.3
xen xen 3.4.2
xen xen 3.4.3
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.2.2
xen xen 4.1.2
CVE-2016-6259 MEDIUM

Xen 4.5.x through 4.7.x do not implement Supervisor Mode Access Prevention (SMAP) whitelisting in 32-bit exception and event delivery, which allows local 32-bit PV guest OS kernels to cause a denial of service (hypervisor and VM crash) by triggering a safety check.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.5.1
xen xen 4.5.0
citrix xenserver 6.5.0
citrix xenserver 6.0
xen xen 4.7.0
xen xen 4.6.3
citrix xenserver 6.0.2
citrix xenserver 6.1
citrix xenserver 6.2.0
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
citrix xenserver 7.0
xen xen 4.6.1
CVE-2016-7092 MEDIUM

The get_page_from_l3e function in arch/x86/mm.c in Xen allows local 32-bit PV guest OS administrators to gain host OS privileges via vectors related to L3 recursive pagetables.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen -
CVE-2016-7093 HIGH

Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to overwrite hypervisor memory and consequently gain host OS privileges by leveraging mishandling of instruction pointer truncation during emulation.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.7.0
xen xen 4.6.3
xen xen 4.5.3
CVE-2016-7094 LOW

Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update.

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen *
CVE-2016-7154 HIGH

Use-after-free vulnerability in the FIFO event channel code in Xen 4.4.x allows local guest OS administrators to cause a denial of service (host crash) and possibly execute arbitrary code or obtain sensitive information via an invalid guest frame number.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
xen xen 4.4.2
xen xen 4.4.1
xen xen 4.4.4
xen xen 4.4.0
xen xen 4.4.3
CVE-2016-7777 LOW

Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which allows local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it.

CVSS 2.0

Severity: LOW

Problem Type: CWE-362,

Products Affected

Vendor Product Version
xen xen *
CVE-2016-9377 LOW

Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging IDT entry miscalculation.

CVSS 2.0

Severity: LOW

Problem Type: CWE-682,

Products Affected

Vendor Product Version
xen xen 4.7.0
xen xen 4.6.3
xen xen 4.7.1
xen xen 4.6.4
xen xen 4.5.1
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.5.0
xen xen 4.5.5
xen xen 4.6.1
CVE-2016-9378 LOW

Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging an incorrect choice for software interrupt delivery.

CVSS 2.0

Severity: LOW

Problem Type: CWE-284,

Products Affected

Vendor Product Version
xen xen 4.7.0
xen xen 4.6.3
xen xen 4.7.1
xen xen 4.6.4
xen xen 4.5.1
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.5.0
xen xen 4.5.5
xen xen 4.6.1
CVE-2016-9379 MEDIUM

The pygrub boot loader emulator in Xen, when S-expression output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via string quotes and S-expressions in the bootloader configuration file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
citrix xenserver 6.0.2
citrix xenserver 6.2.0
xen xen *
citrix xenserver 7.0
citrix xenserver 6.5
CVE-2016-9380 MEDIUM

The pygrub boot loader emulator in Xen, when nul-delimited output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via NUL bytes in the bootloader configuration file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
citrix xenserver 6.0.2
citrix xenserver 6.2.0
xen xen *
citrix xenserver 7.0
citrix xenserver 6.5
CVE-2016-9382 MEDIUM

Xen 4.0.x through 4.7.x mishandle x86 task switches to VM86 mode, which allows local 32-bit x86 HVM guest OS users to gain privileges or cause a denial of service (guest OS crash) by leveraging a guest operating system that uses hardware task switching and allows a new task to start in VM86 mode.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 4.4.1
xen xen 4.5.0
xen xen 4.2.4
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
citrix xenserver 6.0.2
xen xen 4.3.1
citrix xenserver 6.2.0
citrix xenserver 7.0
xen xen 4.3.4
xen xen 4.1.0
xen xen 4.6.1
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
citrix xenserver 6.5
xen xen 4.0.1
xen xen 4.7.1
xen xen 4.0.4
xen xen 4.5.1
xen xen 4.1.5
xen xen 4.2.5
xen xen 4.4.3
xen xen 4.3.2
xen xen 4.0.0
xen xen 4.7.0
xen xen 4.6.3
xen xen 4.4.2
xen xen 4.6.4
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.4
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.5.5
xen xen 4.2.2
xen xen 4.1.2
CVE-2016-9383 HIGH

Xen, when running on a 64-bit hypervisor, allows local x86 guest OS users to modify arbitrary memory and consequently obtain sensitive information, cause a denial of service (host crash), or execute arbitrary code on the host by leveraging broken emulation of bit test instructions.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
citrix xenserver 6.0.2
citrix xenserver 6.2.0
xen xen *
citrix xenserver 7.0
citrix xenserver 6.5
CVE-2016-9384 LOW

Xen 4.7 allows local guest OS users to obtain sensitive host information by loading a 32-bit ELF symbol table.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.7.0
xen xen 4.7.1
CVE-2016-9385 MEDIUM

The x86 segment base write emulation functionality in Xen 4.4.x through 4.7.x allows local x86 PV guest OS administrators to cause a denial of service (host crash) by leveraging lack of canonical address checks.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.7.1
xen xen 4.5.1
xen xen 4.4.1
xen xen 4.5.0
xen xen 4.4.3
xen xen 4.7.0
xen xen 4.6.3
citrix xenserver 6.0.2
xen xen 4.4.2
xen xen 4.6.4
citrix xenserver 6.2.0
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
citrix xenserver 7.0
xen xen 4.4.4
xen xen 4.4.0
xen xen 4.5.5
xen xen 4.6.1
citrix xenserver 6.5
CVE-2016-9386 MEDIUM

The x86 emulator in Xen does not properly treat x86 NULL segments as unusable when accessing memory, which might allow local HVM guest users to gain privileges via vectors involving "unexpected" base/limit values.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
citrix xenserver 6.0.2
citrix xenserver 6.2.0
xen xen *
citrix xenserver 7.0
citrix xenserver 6.5
CVE-2016-9815 MEDIUM

Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
xen xen 4.7.0
xen xen 4.7.1
CVE-2016-9816 MEDIUM

Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at EL2.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
xen xen 4.7.0
xen xen 4.7.1
CVE-2016-9817 MEDIUM

Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving a (1) data or (2) prefetch abort with the ESR_EL2.EA bit set.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
xen xen 4.7.0
xen xen 4.7.1
CVE-2016-9818 MEDIUM

Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at HYP.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
xen xen 4.7.0
xen xen 4.7.1
CVE-2016-9932 LOW

CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows local HVM guest OS users to obtain sensitive information from host stack memory via a "supposedly-ignored" operand size prefix.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.1.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.2.4
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.3.1
xen xen 4.3.4
xen xen 3.4.1
xen xen 4.1.0
xen xen 4.0.2
xen xen 4.0.3
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.5.1
xen xen 4.1.5
xen xen 4.2.5
xen xen 4.4.3
xen xen 4.3.2
xen xen 4.0.0
xen xen 4.7.0
xen xen 4.6.3
xen xen 3.4.2
xen xen 4.1.6
xen xen 4.4.2
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.4
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.3.3
xen xen 4.5.5
xen xen 4.2.2
xen xen 4.1.2
CVE-2017-10912 HIGH

Xen through 4.8.x mishandles page transfer, which allows guest OS users to obtain privileged host OS access, aka XSA-217.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-10913 HIGH

The grant-table feature in Xen through 4.8.x provides false mapping information in certain cases of concurrent unmap calls, which allows backend attackers to obtain sensitive information or gain privileges, aka XSA-218 bug 1.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-10914 MEDIUM

The grant-table feature in Xen through 4.8.x has a race condition leading to a double free, which allows guest OS users to cause a denial of service (memory consumption), or possibly obtain sensitive information or gain privileges, aka XSA-218 bug 2.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,CWE-415,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-10915 MEDIUM

The shadow-paging feature in Xen through 4.8.x mismanages page references and consequently introduces a race condition, which allows guest OS users to obtain Xen privileges, aka XSA-219.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-10916 MEDIUM

The vCPU context-switch implementation in Xen through 4.8.x improperly interacts with the Memory Protection Extensions (MPX) and Protection Key (PKU) features, which makes it easier for guest OS users to defeat ASLR and other protection mechanisms, aka XSA-220.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.7.1
xen xen 4.5.1
xen xen 4.5.0
xen xen 4.6.5
xen xen 4.6.2
xen xen 4.6.4
xen xen 4.8.1
xen xen 4.8.0
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.5.5
xen xen 4.6.1
CVE-2017-10917 HIGH

Xen through 4.8.x does not validate the port numbers of polled event channel ports, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) or possibly obtain sensitive information, aka XSA-221.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-476,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-10918 HIGH

Xen through 4.8.x does not validate memory allocations during certain P2M operations, which allows guest OS users to obtain privileged host OS access, aka XSA-222.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-10919 MEDIUM

Xen through 4.8.x mishandles virtual interrupt injection, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-223.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-10920 HIGH

The grant-table feature in Xen through 4.8.x mishandles a GNTMAP_device_map and GNTMAP_host_map mapping, when followed by only a GNTMAP_host_map unmapping, which allows guest OS users to cause a denial of service (count mismanagement and memory corruption) or obtain privileged host OS access, aka XSA-224 bug 1.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-10921 HIGH

The grant-table feature in Xen through 4.8.x does not ensure sufficient type counts for a GNTMAP_device_map and GNTMAP_host_map mapping, which allows guest OS users to cause a denial of service (count mismanagement and memory corruption) or obtain privileged host OS access, aka XSA-224 bug 2.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-10922 MEDIUM

The grant-table feature in Xen through 4.8.x mishandles MMIO region grant references, which allows guest OS users to cause a denial of service (loss of grant trackability), aka XSA-224 bug 3.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-10923 MEDIUM

Xen through 4.8.x does not validate a vCPU array index upon the sending of an SGI, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-225.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.6.5
xen xen 4.7.1
xen xen 4.6.2
xen xen 4.6.4
xen xen 4.8.1
xen xen 4.8.0
xen xen 4.6.0
xen xen 4.6.1
CVE-2017-12134 HIGH

The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-682,

Products Affected

Vendor Product Version
citrix xenserver 6.0.2
citrix xenserver 6.2.0
xen xen *
citrix xenserver 7.2
citrix xenserver 7.0
citrix xenserver 7.1
citrix xenserver 6.5
CVE-2017-12135 MEDIUM

Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-682,

Products Affected

Vendor Product Version
citrix xenserver 6.0.2
citrix xenserver 6.2.0
xen xen *
citrix xenserver 7.2
debian debian_linux 8.0
debian debian_linux 9.0
citrix xenserver 7.0
citrix xenserver 7.1
citrix xenserver 6.5
CVE-2017-12136 MEDIUM

Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
xen xen 4.7.1
debian debian_linux 9.0
citrix xenserver 7.1
xen xen 4.6.6
xen xen 4.7.0
xen xen 4.6.3
xen xen 4.6.5
citrix xenserver 6.0.2
xen xen 4.6.4
xen xen 4.7.2
citrix xenserver 6.2.0
xen xen 4.9.0
xen xen 4.8.1
citrix xenserver 7.2
debian debian_linux 8.0
xen xen 4.8.0
xen xen 4.6.0
citrix xenserver 7.0
xen xen 4.7.3
xen xen 4.6.1
citrix xenserver 6.5
CVE-2017-12137 HIGH

arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
citrix xenserver 6.0.2
citrix xenserver 6.2.0
xen xen *
citrix xenserver 7.2
debian debian_linux 8.0
debian debian_linux 9.0
citrix xenserver 7.0
citrix xenserver 7.1
citrix xenserver 6.5
CVE-2017-12855 LOW

Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. Under some circumstances, Xen will clear the status bits too early, incorrectly informing the guest that the grant is no longer in use. A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant. Xen 4.9, 4.8, 4.7, 4.6, and 4.5 are affected.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.7.1
xen xen 4.5.1
xen xen 4.6.6
xen xen 4.5.0
xen xen 4.7.0
xen xen 4.6.3
xen xen 4.6.5
xen xen 4.6.4
xen xen 4.7.2
xen xen 4.9.0
xen xen 4.8.1
xen xen 4.8.0
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.7.3
xen xen 4.5.5
xen xen 4.6.1
CVE-2017-14316 HIGH

A parameter verification issue was discovered in Xen through 4.9.x. The function `alloc_heap_pages` allows callers to specify the first NUMA node that should be used for allocations through the `memflags` parameter; the node is extracted using the `MEMF_get_node` macro. While the function checks to see if the special constant `NUMA_NO_NODE` is specified, it otherwise does not handle the case where `node >= MAX_NUMNODES`. This allows an out-of-bounds access to an internal array.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-14317 MEDIUM

A domain cleanup issue was discovered in the C xenstore daemon (aka cxenstored) in Xen through 4.9.x. When shutting down a VM with a stubdomain, a race in cxenstored may cause a double-free. The xenstored daemon may crash, resulting in a DoS of any parts of the system relying on it (including domain creation / destruction, ballooning, device changes, etc.).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-14318 MEDIUM

An issue was discovered in Xen 4.5.x through 4.9.x. The function `__gnttab_cache_flush` handles GNTTABOP_cache_flush grant table operations. It checks to see if the calling domain is the owner of the page that is to be operated on. If it is not, the owner's grant table is checked to see if a grant mapping to the calling domain exists for the page in question. However, the function does not check to see if the owning domain actually has a grant table or not. Some special domains, such as `DOMID_XEN`, `DOMID_IO` and `DOMID_COW` are created without grant tables. Hence, if __gnttab_cache_flush operates on a page owned by these special domains, it will attempt to dereference a NULL pointer in the domain struct.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
xen xen 4.7.1
xen xen 4.5.1
xen xen 4.6.6
xen xen 4.5.0
xen xen 4.7.0
xen xen 4.6.3
xen xen 4.6.5
xen xen 4.6.4
xen xen 4.7.2
xen xen 4.9.0
xen xen 4.8.1
xen xen 4.8.0
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.7.3
xen xen 4.5.5
xen xen 4.6.1
CVE-2017-14319 HIGH

A grant unmapping issue was discovered in Xen through 4.9.x. When removing or replacing a grant mapping, the x86 PV specific path needs to make sure page table entries remain in sync with other accounting done. Although the identity of the page frame was validated correctly, neither the presence of the mapping nor page writability were taken into account.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-14431 MEDIUM

Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a denial of service (ARM or x86 AMD host OS memory consumption) by continually rebooting, because certain cleanup is skipped if no pass-through device was ever assigned, aka XSA-207.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,

Products Affected

Vendor Product Version
xen xen 4.1.4
xen xen 4.5.0
xen xen 3.3.2
xen xen 4.3.1
xen xen 4.1.0
xen xen 4.6.1
xen xen 4.0.3
xen xen 4.7.1
xen xen 4.3.2
xen xen 4.0.0
xen xen 4.4.2
xen xen 4.6.4
xen xen 4.8.1
xen xen 4.5.2
xen xen 4.5.5
xen xen 4.2.2
xen xen 4.1.2
xen xen 4.1.3
xen xen 3.4.0
xen xen 3.4.4
xen xen 4.4.1
xen xen 4.2.4
xen xen 4.2.0
xen xen 4.1.1
xen xen 4.2.1
xen xen 4.8.0
xen xen 4.3.4
xen xen 3.4.1
xen xen 4.0.2
xen xen 4.1.6.1
xen xen 4.0.1
xen xen 3.3.1
xen xen 4.0.4
xen xen 4.5.1
xen xen 4.1.5
xen xen 4.2.5
xen xen 4.4.3
xen xen 4.6.5
xen xen 3.4.2
xen xen 4.6.2
xen xen 4.1.6
xen xen 3.4.3
xen xen 3.3.0
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.2.3
xen xen 4.4.4
xen xen 4.4.0
xen xen 4.3.0
xen xen 4.3.3
CVE-2017-15588 MEDIUM

An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to execute arbitrary code on the host OS because of a race condition that can cause a stale TLB entry.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
xen xen 4.9.0
CVE-2017-15589 LOW

An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to obtain sensitive information from the host OS (or an arbitrary guest OS) because intercepted I/O operations can cause a write of data from uninitialized hypervisor stack memory.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen 4.9.0
CVE-2017-15590 MEDIUM

An issue was discovered in Xen through 4.9.x allowing x86 guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because MSI mapping was mishandled.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen 4.9.0
CVE-2017-15591 MEDIUM

An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers (who control a stub domain kernel or tool stack) to cause a denial of service (host OS crash) because of a missing comparison (of range start to range end) within the DMOP map/unmap implementation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen 4.7.1
xen xen 4.5.1
xen xen 4.6.6
xen xen 4.5.0
xen xen 4.7.0
xen xen 4.6.3
xen xen 4.6.5
xen xen 4.6.4
xen xen 4.7.2
xen xen 4.9.0
xen xen 4.8.1
xen xen 4.8.0
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.7.3
xen xen 4.5.5
xen xen 4.6.1
CVE-2017-15592 HIGH

An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because self-linear shadow mappings are mishandled for translated guests.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-668,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-15593 MEDIUM

An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (memory leak) because reference counts are mishandled.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-15594 MEDIUM

An issue was discovered in Xen through 4.9.x allowing x86 SVM PV guest OS users to cause a denial of service (hypervisor crash) or gain privileges because IDT settings are mishandled during CPU hotplugging.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-15595 HIGH

An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-15596 MEDIUM

An issue was discovered in Xen 4.4.x through 4.9.x allowing ARM guest OS users to cause a denial of service (prevent physical CPU usage) because of lock mishandling upon detection of an add-to-physmap error.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
xen xen 4.4.1
xen xen 4.5.4
xen xen 4.6.6
xen xen 4.5.0
xen xen 4.7.2
xen xen 4.8.0
xen xen 4.6.1
xen xen 4.7.1
xen xen 4.5.1
xen xen 4.4.3
xen xen 4.7.0
xen xen 4.6.3
xen xen 4.6.5
xen xen 4.6.2
xen xen 4.4.2
xen xen 4.6.4
xen xen 4.9.0
xen xen 4.8.1
xen xen 4.5.2
xen xen 4.5.3
xen xen 4.6.0
xen xen 4.8.2
xen xen 4.4.4
xen xen 4.7.3
xen xen 4.4.0
xen xen 4.5.5
CVE-2017-15597 HIGH

An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,CWE-200,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-17044 MEDIUM

An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to cause a denial of service (infinite loop and host OS hang) by leveraging the mishandling of Populate on Demand (PoD) errors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-754,CWE-755,CWE-835,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-17045 HIGH

An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to gain privileges on the host OS, obtain sensitive information, or cause a denial of service (BUG and host OS crash) by leveraging the mishandling of Populate on Demand (PoD) Physical-to-Machine (P2M) errors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-17046 LOW

An issue was discovered in Xen through 4.9.x on the ARM platform allowing guest OS users to obtain sensitive information from DRAM after a reboot, because disjoint blocks, and physical addresses that do not start at zero, are mishandled.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-17563 MEDIUM

An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging an incorrect mask for reference-count overflow checking in shadow mode.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-17564 MEDIUM

An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging incorrect error handling for reference counting in shadow mode.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-388,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-17565 MEDIUM

An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) if shadow mode and log-dirty mode are in place, because of an incorrect assertion related to M2P.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-17566 MEDIUM

An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) or gain host OS privileges in shadow mode by mapping a certain auxiliary page.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen *
CVE-2017-2615 HIGH

Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-125,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.4
redhat openstack 9
redhat openstack 8
qemu qemu *
citrix xenserver 6.0.2
redhat enterprise_linux_server_aus 7.3
citrix xenserver 6.2.0
redhat enterprise_linux_server 7.0
xen xen *
citrix xenserver 7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 6.0
citrix xenserver 6.5
redhat enterprise_linux_desktop 6.0
debian debian_linux 7.0
xen xen 4.7.1
redhat enterprise_linux_server_aus 7.4
citrix xenserver 7.1
redhat openstack 7.0
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_eus 7.3
redhat openstack 10
redhat enterprise_linux_server 6.0
redhat openstack 5.0
redhat openstack 6.0
CVE-2017-2620 HIGH

Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-125,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.4
redhat openstack 9
redhat openstack 8
qemu qemu *
citrix xenserver 6.0.2
redhat enterprise_linux_server_aus 7.3
citrix xenserver 6.2.0
redhat enterprise_linux_server 7.0
xen xen *
citrix xenserver 7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 6.0
citrix xenserver 6.5
redhat enterprise_linux_desktop 6.0
debian debian_linux 7.0
xen xen 4.7.1
redhat enterprise_linux_server_aus 7.4
citrix xenserver 7.1
redhat openstack 7.0
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_eus 7.3
redhat openstack 10
redhat enterprise_linux_server 6.0
redhat openstack 5.0
redhat openstack 6.0
CVE-2017-7228 HIGH

An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-129,

Products Affected

Vendor Product Version
xen xen -
CVE-2017-7995 LOW

Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges only after accessing them, allowing host PCI device space memory reads, leading to information disclosure. This is an error in the get_user function. NOTE: the upstream Xen Project considers versions before 4.5.x to be EOL.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
suse manager 2.1
suse manager_proxy 2.1
novell suse_linux_enterprise_server 11.0
xen xen *
novell suse_linux_enterprise_point_of_sale 11.0
suse openstack_cloud 5
CVE-2017-8903 HIGH

Xen through 4.8.x on 64-bit platforms mishandles page tables after an IRET hypercall, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-213.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen 4.8.1
xen xen 4.8.0
CVE-2017-8904 MEDIUM

Xen through 4.8.x mishandles the "contains segment descriptors" property during GNTTABOP_transfer (aka guest transfer) operations, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-214.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen 4.8.1
xen xen 4.8.0
CVE-2017-8905 MEDIUM

Xen through 4.6.x on 64-bit platforms mishandles a failsafe callback, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-215.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-682,

Products Affected

Vendor Product Version
xen xen 4.6.3
xen xen 4.6.5
xen xen 4.6.2
xen xen 4.6.4
xen xen 4.6.0
xen xen 4.6.1
CVE-2018-10471 MEDIUM

An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (out-of-bounds zero write and hypervisor crash) via unexpected INT 80 processing, because of an incorrect fix for CVE-2017-5754.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 9.0
CVE-2018-10472 LOW

An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users (in certain configurations) to read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction with specifying the target file as the backing file of a snapshot.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 9.0
CVE-2018-10981 MEDIUM

An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions between states of a request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
debian debian_linux 7.0
xen xen *
debian debian_linux 8.0
debian debian_linux 9.0
CVE-2018-10982 HIGH

An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (unexpectedly high interrupt number, array overrun, and hypervisor crash) or possibly gain hypervisor privileges by setting up an HPET timer to deliver interrupts in IO-APIC mode, aka vHPET interrupt injection.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 7.0
xen xen *
debian debian_linux 8.0
debian debian_linux 9.0
CVE-2018-12891 MEDIUM

An issue was discovered in Xen through 4.10.x. Certain PV MMU operations may take a long time to process. For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few rarely taken code paths did bypass such checks. By suitably enforcing the conditions through its own page table contents, a malicious guest may cause such bypasses to be used for an unbounded number of iterations. A malicious or buggy PV guest may cause a Denial of Service (DoS) affecting the entire host. Specifically, it may prevent use of a physical CPU for an indeterminate period of time. All Xen versions from 3.4 onwards are vulnerable. Xen versions 3.3 and earlier are vulnerable to an even wider class of attacks, due to them lacking preemption checks altogether in the affected code paths. Only x86 systems are affected. ARM systems are not affected. Only multi-vCPU x86 PV guests can leverage the vulnerability. x86 HVM or PVH guests as well as x86 single-vCPU PV ones cannot leverage the vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 8.0
debian debian_linux 9.0
CVE-2018-12892 MEDIUM

An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass the readonly flag to qemu when setting up a SCSI disk, due to what was probably an erroneous merge conflict resolution. Malicious guest administrators or (in some situations) users may be able to write to supposedly read-only disk images. Only emulated SCSI disks (specified as "sd" in the libxl disk configuration, or an equivalent) are affected. IDE disks ("hd") are not affected (because attempts to make them readonly are rejected). Additionally, CDROM devices (that is, devices specified to be presented to the guest as CDROMs, regardless of the nature of the backing storage on the host) are not affected; they are always read only. Only systems using qemu-xen (rather than qemu-xen-traditional) as the device model version are vulnerable. Only systems using libxl or libxl-based toolstacks are vulnerable. (This includes xl, and libvirt with the libxl driver.) The vulnerability is present in Xen versions 4.7 and later. (In earlier versions, provided that the patch for XSA-142 has been applied, attempts to create read only disks are rejected.) If the host and guest together usually support PVHVM, the issue is exploitable only if the malicious guest administrator has control of the guest kernel or guest kernel command line.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 9.0
CVE-2018-12893 LOW

An issue was discovered in Xen through 4.10.x. One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. A malicious PV guest can crash Xen, leading to a Denial of Service. All Xen systems which have applied the XSA-260 fix are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 9.0
CVE-2018-14678 HIGH

An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-665,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
canonical ubuntu_linux 16.04
linux linux_kernel *
xen xen *
debian debian_linux 8.0
debian debian_linux 9.0
canonical ubuntu_linux 14.04
CVE-2018-15468 MEDIUM

An issue was discovered in Xen through 4.11.x. The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests. Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) can lock up the entire host, causing a Denial of Service.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
xen xen *
CVE-2018-15469 MEDIUM

An issue was discovered in Xen through 4.11.x. ARM never properly implemented grant table v2, either in the hypervisor or in Linux. Unfortunately, an ARM guest can still request v2 grant tables; they will simply not be properly set up, resulting in subsequent grant-related hypercalls hitting BUG() checks. An unprivileged guest can cause a BUG() check in the hypervisor, resulting in a denial-of-service (crash).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 8.0
CVE-2018-15470 MEDIUM

An issue was discovered in Xen through 4.11.x. The logic in oxenstored for handling writes depended on the order of evaluation of expressions making up a tuple. As indicated in section 7.7.3 "Operations on data structures" of the OCaml manual, the order of evaluation of subexpressions is not specified. In practice, different implementations behave differently. Thus, oxenstored may not enforce the configured quota-maxentity. This allows a malicious or buggy guest to write as many xenstore entries as it wishes, causing unbounded memory usage in oxenstored. This can lead to a system-wide DoS.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
xen xen *
CVE-2018-15471 MEDIUM

An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
canonical ubuntu_linux 16.04
linux linux_kernel *
xen xen *
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
CVE-2018-18883 HIGH

An issue was discovered in Xen 4.9.x through 4.11.x, on Intel x86 platforms, allowing x86 HVM and PVH guests to cause a host OS denial of service (NULL pointer dereference) or possibly have unspecified other impact because nested VT-x is not properly restricted.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-476,

Products Affected

Vendor Product Version
xen xen *
CVE-2018-19961 MEDIUM

An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because TLB flushes do not always occur after IOMMU mapping changes.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-459,

Products Affected

Vendor Product Version
citrix xenserver 7.6
xen xen *
debian debian_linux 9.0
citrix xenserver 7.0
citrix xenserver 7.1
citrix xenserver 7.5
CVE-2018-19962 MEDIUM

An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because small IOMMU mappings are unsafely combined into larger ones.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
citrix xenserver 7.6
xen xen *
debian debian_linux 9.0
citrix xenserver 7.0
citrix xenserver 7.1
citrix xenserver 7.5
CVE-2018-19963 MEDIUM

An issue was discovered in Xen 4.11 allowing HVM guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because x86 IOREQ server resource accounting (for external emulators) was mishandled.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
xen xen 4.11.0
CVE-2018-19964 MEDIUM

An issue was discovered in Xen 4.11.x allowing x86 guest OS users to cause a denial of service (host OS hang) because the p2m lock remains unavailable indefinitely in certain error conditions.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen *
CVE-2018-19965 MEDIUM

An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
citrix xenserver 7.6
xen xen *
debian debian_linux 9.0
citrix xenserver 7.0
citrix xenserver 7.1
citrix xenserver 7.5
CVE-2018-19966 HIGH

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-436,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 9.0
CVE-2018-19967 MEDIUM

An issue was discovered in Xen through 4.11.x on Intel x86 platforms allowing guest OS users to cause a denial of service (host OS hang) because Xen does not work around Intel's mishandling of certain HLE transactions associated with the KACQUIRE instruction prefix.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 9.0
CVE-2018-5244 MEDIUM

In Xen 4.10, new infrastructure was introduced as part of an overhaul to how MSR emulation happens for guests. Unfortunately, one tracking structure isn't freed when a vcpu is destroyed. This allows guest OS administrators to cause a denial of service (host OS memory consumption) by rebooting many times.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen *
CVE-2018-7540 MEDIUM

An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (host OS CPU hang) via non-preemptable L3/L4 pagetable freeing.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 9.0
CVE-2018-7541 MEDIUM

An issue was discovered in Xen through 4.10.x allowing guest OS users to cause a denial of service (hypervisor crash) or gain privileges by triggering a grant-table transition from v2 to v1.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 9.0
CVE-2018-7542 MEDIUM

An issue was discovered in Xen 4.8.x through 4.10.x allowing x86 PVH guest OS users to cause a denial of service (NULL pointer dereference and hypervisor crash) by leveraging the mishandling of configurations that lack a Local APIC.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 9.0
CVE-2018-8897 HIGH

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-362,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
redhat enterprise_linux_workstation 7.0
apple mac_os_x *
synology diskstation_manager 6.1
citrix xenserver 6.0.2
citrix xenserver 6.2.0
redhat enterprise_linux_server 7.0
citrix xenserver 7.2
xen xen -
citrix xenserver 7.0
citrix xenserver 7.3
canonical ubuntu_linux 14.04
redhat enterprise_virtualization_manager 3.0
citrix xenserver 6.5
debian debian_linux 7.0
canonical ubuntu_linux 17.10
debian debian_linux 9.0
citrix xenserver 7.1
synology diskstation_manager 5.2
freebsd freebsd *
synology diskstation_manager 6.0
debian debian_linux 8.0
citrix xenserver 7.4
synology skynas -
CVE-2019-17340 MEDIUM

An issue was discovered in Xen through 4.11.x allowing x86 guest OS users to cause a denial of service or gain privileges because grant-table transfer requests are mishandled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
debian debian_linux 9.0
CVE-2019-17341 MEDIUM

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a page-writability race condition during addition of a passed-through PCI device.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
debian debian_linux 9.0
CVE-2019-17342 MEDIUM

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a race condition that arose when XENMEM_exchange was introduced.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
debian debian_linux 9.0
CVE-2019-17343 MEDIUM

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging incorrect use of the HVM physmap concept for PV domains.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-667,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
debian debian_linux 9.0
CVE-2019-17344 MEDIUM

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service by leveraging a long-running operation that exists to support restartability of PTE updates.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-662,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
debian debian_linux 9.0
CVE-2019-17345 MEDIUM

An issue was discovered in Xen 4.8.x through 4.11.x allowing x86 PV guest OS users to cause a denial of service because mishandling of failed IOMMU operations causes a bug check during the cleanup of a crashed guest.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
debian debian_linux 9.0
CVE-2019-17346 HIGH

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because of an incompatibility between Process Context Identifiers (PCID) and TLB flushes.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
debian debian_linux 9.0
CVE-2019-17347 MEDIUM

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because a guest can manipulate its virtualised %cr4 in a way that is incompatible with Linux (and possibly other guest kernels).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
debian debian_linux 9.0
CVE-2019-17348 MEDIUM

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service because of an incompatibility between Process Context Identifiers (PCID) and shadow-pagetable switching.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
debian debian_linux 9.0
CVE-2019-17349 MEDIUM

An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a LoadExcl or StoreExcl operation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
debian debian_linux 9.0
CVE-2019-17350 MEDIUM

An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a compare-and-exchange operation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
debian debian_linux 9.0
CVE-2019-17351 MEDIUM

An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
linux linux_kernel *
xen xen *
CVE-2019-18420 MEDIUM

An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via a VCPUOP_initialise hypercall. hypercall_create_continuation() is a variadic function which uses a printf-like format string to interpret its parameters. Error handling for a bad format character was done using BUG(), which crashes Xen. One path, via the VCPUOP_initialise hypercall, has a bad format character. The BUG() can be hit if VCPUOP_initialise executes for a sufficiently long period of time for a continuation to be created. Malicious guests may cause a hypervisor crash, resulting in a Denial of Service (DoS). Xen versions 4.6 and newer are vulnerable. Xen versions 4.5 and earlier are not vulnerable. Only x86 PV guests can exploit the vulnerability. HVM and PVH guests, and guests on ARM systems, cannot exploit the vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-134,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 29
xen xen *
fedoraproject fedora 30
debian debian_linux 9.0
fedoraproject fedora 31
CVE-2019-18421 HIGH

An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations. There are issues with restartable PV type change operations. To avoid using shadow pagetables for PV guests, Xen exposes the actual hardware pagetables to the guest. In order to prevent the guest from modifying these page tables directly, Xen keeps track of how pages are used using a type system; pages must be "promoted" before being used as a pagetable, and "demoted" before being used for any other type. Xen also allows for "recursive" promotions: i.e., an operating system promoting a page to an L4 pagetable may end up causing pages to be promoted to L3s, which may in turn cause pages to be promoted to L2s, and so on. These operations may take an arbitrarily large amount of time, and so must be re-startable. Unfortunately, making recursive pagetable promotion and demotion operations restartable is incredibly complicated, and the code contains several races which, if triggered, can cause Xen to drop or retain extra type counts, potentially allowing guests to get write access to in-use pagetables. A malicious PV guest administrator may be able to escalate their privilege to that of the host. All x86 systems with untrusted PV guests are vulnerable. HVM and PVH guests cannot exercise this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 29
xen xen *
fedoraproject fedora 30
debian debian_linux 9.0
opensuse leap 15.0
fedoraproject fedora 31
CVE-2019-18422 HIGH

An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service or gain privileges by leveraging the erroneous enabling of interrupts. Interrupts are unconditionally unmasked in exception handlers. When an exception occurs on an ARM system which is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. So exceptions which occur when interrupts are masked will effectively unmask the interrupts. A malicious guest might contrive to arrange for critical Xen code to run with interrupts erroneously enabled. This could lead to data corruption, denial of service, or possibly even privilege escalation. However a precise attack technique has not been identified.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-732,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 29
xen xen *
fedoraproject fedora 30
debian debian_linux 9.0
fedoraproject fedora 31
CVE-2019-18423 HIGH

An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service via a XENMEM_add_to_physmap hypercall. p2m->max_mapped_gfn is used by the functions p2m_resolve_translation_fault() and p2m_get_entry() to sanity check guest physical frame. The rest of the code in the two functions will assume that there is a valid root table and check that with BUG_ON(). The function p2m_get_root_pointer() will ignore the unused top bits of a guest physical frame. This means that the function p2m_set_entry() will alias the frame. However, p2m->max_mapped_gfn will be updated using the original frame. It would be possible to set p2m->max_mapped_gfn high enough to cover a frame that would lead p2m_get_root_pointer() to return NULL in p2m_get_entry() and p2m_resolve_translation_fault(). Additionally, the sanity check on p2m->max_mapped_gfn is off-by-one allowing "highest mapped + 1" to be considered valid. However, p2m_get_root_pointer() will return NULL. The problem could be triggered with a specially crafted hypercall XENMEM_add_to_physmap{, _batch} followed by an access to an address (via hypercall or direct access) that passes the sanity check but cause p2m_get_root_pointer() to return NULL. A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of Service (DoS). Xen version 4.8 and newer are vulnerable. Only Arm systems are vulnerable. x86 systems are not affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-193,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 29
xen xen *
fedoraproject fedora 30
debian debian_linux 9.0
fedoraproject fedora 31
CVE-2019-18424 MEDIUM

An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device. This occurs because passed through PCI devices may corrupt host memory after deassignment. When a PCI device is assigned to an untrusted domain, it is possible for that domain to program the device to DMA to an arbitrary address. The IOMMU is used to protect the host from malicious DMA by making sure that the device addresses can only target memory assigned to the guest. However, when the guest domain is torn down, or the device is deassigned, the device is assigned back to dom0, thus allowing any in-flight DMA to potentially target critical host data. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 29
xen xen *
fedoraproject fedora 30
debian debian_linux 9.0
opensuse leap 15.0
fedoraproject fedora 31
CVE-2019-18425 HIGH

An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by installing and using descriptors. There is missing descriptor table limit checking in x86 PV emulation. When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT. (Most OSes don't install any LDT by default). 32-bit PV guest user mode can elevate its privileges to that of the guest kernel. Xen versions from at least 3.2 onwards are affected. Only 32-bit PV guest user mode can leverage this vulnerability. HVM, PVH, as well as 64-bit PV guests cannot leverage this vulnerability. Arm systems are unaffected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 29
xen xen *
fedoraproject fedora 30
debian debian_linux 9.0
opensuse leap 15.0
fedoraproject fedora 31
CVE-2019-19577 HIGH

An issue was discovered in Xen through 4.12.x allowing x86 AMD HVM guest OS users to cause a denial of service or possibly gain privileges by triggering data-structure access during pagetable-height updates. When running on AMD systems with an IOMMU, Xen attempted to dynamically adapt the number of levels of pagetables (the pagetable height) in the IOMMU according to the guest's address space size. The code to select and update the height had several bugs. Notably, the update was done without taking a lock which is necessary for safe operation. A malicious guest administrator can cause Xen to access data structures while they are being modified, causing Xen to crash. Privilege escalation is thought to be very difficult but cannot be ruled out. Additionally, there is a potential memory leak of 4kb per guest boot, under memory pressure. Only Xen on AMD CPUs is vulnerable. Xen running on Intel CPUs is not vulnerable. ARM systems are not vulnerable. Only systems where guests are given direct access to physical devices are vulnerable. Systems which do not use PCI pass-through are not vulnerable. Only HVM guests can exploit the vulnerability. PV and PVH guests cannot. All versions of Xen with IOMMU support are vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 0.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-401,CWE-662,

Products Affected

Vendor Product Version
xen xen *
fedoraproject fedora 31
CVE-2019-19578 HIGH

An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the "depth" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To implement this, we keep track of the number of outstanding times a page points to or is pointed to another page table, to prevent both from happening at the same time. Unfortunately, the original commit introducing this reset this count when resuming validation of a partially-validated pagetable, incorrectly dropping some "linear_pt_entry" counts. If an attacker could engineer such a situation to occur, they might be able to make loops or other arbitrary chains of linear pagetables, as described in XSA-240. A malicious or buggy PV guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be excluded. All versions of Xen are vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. Only systems which have enabled linear pagetables are vulnerable. Systems which have disabled linear pagetables, either by selecting CONFIG_PV_LINEAR_PT=n when building the hypervisor, or adding pv-linear-pt=false on the command-line, are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-682,

Products Affected

Vendor Product Version
xen xen *
fedoraproject fedora 31
CVE-2019-19579 HIGH

An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device (and assignable-add is not used), because of an incomplete fix for CVE-2019-18424. XSA-302 relies on the use of libxl's "assignable-add" feature to prepare devices to be assigned to untrusted guests. Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of preparing devices for assignment, and libvirt uses its own ways as well. Hosts where these "alternate" methods are used will still leave the system in a vulnerable state after the device comes back from a guest. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
xen xen *
fedoraproject fedora 30
CVE-2019-19580 MEDIUM

An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations, because of an incomplete fix for CVE-2019-18421. XSA-299 addressed several critical issues in restartable PV type change operations. Despite extensive testing and auditing, some corner cases were missed. A malicious PV guest administrator may be able to escalate their privilege to that of the host. All security-supported versions of Xen are vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. Note that these attacks require very precise timing, which may be difficult to exploit in practice.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.7 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
xen xen *
fedoraproject fedora 31
CVE-2019-19581 LOW

An issue was discovered in Xen through 4.12.x allowing 32-bit Arm guest OS users to cause a denial of service (out-of-bounds access) because certain bit iteration is mishandled. In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: On 32-bit Arm accesses to bitmaps with bit a count which is a multiple of 32, an out of bounds access may occur. A malicious guest may cause a hypervisor crash or hang, resulting in a Denial of Service (DoS). All versions of Xen are vulnerable. 32-bit Arm systems are vulnerable. 64-bit Arm systems are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-119,

Products Affected

Vendor Product Version
xen xen *
fedoraproject fedora 31
CVE-2019-19582 LOW

An issue was discovered in Xen through 4.12.x allowing x86 guest OS users to cause a denial of service (infinite loop) because certain bit iteration is mishandled. In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: On x86 accesses to bitmaps with a compile time known size of 64 may incur undefined behavior, which may in particular result in infinite loops. A malicious guest may cause a hypervisor crash or hang, resulting in a Denial of Service (DoS). All versions of Xen are vulnerable. x86 systems with 64 or more nodes are vulnerable (there might not be any such systems that Xen would run on). x86 systems with less than 64 nodes are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-835,

Products Affected

Vendor Product Version
xen xen *
fedoraproject fedora 31
CVE-2019-19583 MEDIUM

An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH guest OS users to cause a denial of service (guest OS crash) because VMX VMEntry checks mishandle a certain case. Please see XSA-260 for background on the MovSS shadow. Please see XSA-156 for background on the need for #DB interception. The VMX VMEntry checks do not like the exact combination of state which occurs when #DB in intercepted, Single Stepping is active, and blocked by STI/MovSS is active, despite this being a legitimate state to be in. The resulting VMEntry failure is fatal to the guest. HVM/PVH guest userspace code may be able to crash the guest, resulting in a guest Denial of Service. All versions of Xen are affected. Only systems supporting VMX hardware virtual extensions (Intel, Cyrix, or Zhaoxin CPUs) are affected. Arm and AMD systems are unaffected. Only HVM/PVH guests are affected. PV guests cannot leverage the vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 10.0
opensuse leap 15.1
xen xen *
fedoraproject fedora 30
debian debian_linux 9.0
fedoraproject fedora 31
CVE-2020-11739 MEDIUM

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. As a consequence, it may be possible to have a writer executing a critical section at the same time as readers or another writer. In other words, many of the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest could exploit the race. For instance, there is a small window where Xen can leak memory if XENMAPSPACE_grant_table is used concurrently. A malicious guest may be able to leak memory, or cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 10.0
opensuse leap 15.1
fedoraproject fedora 32
xen xen *
xen xen 4.13.0
fedoraproject fedora 30
fedoraproject fedora 31
CVE-2020-11740 LOW

An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-212,

Products Affected

Vendor Product Version
debian debian_linux 10.0
opensuse leap 15.1
fedoraproject fedora 32
xen xen *
xen xen 4.13.0
fedoraproject fedora 30
fedoraproject fedora 31
CVE-2020-11741 MEDIUM

An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (with active profiling) to obtain sensitive information about other guests, cause a denial of service, or possibly gain privileges. For guests for which "active" profiling was enabled by the administrator, the xenoprof code uses the standard Xen shared ring structure. Unfortunately, this code did not treat the guest as a potential adversary: it trusts the guest not to modify buffer size information or modify head / tail pointers in unexpected ways. This can crash the host (DoS). Privilege escalation cannot be ruled out.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-909,

Products Affected

Vendor Product Version
debian debian_linux 10.0
opensuse leap 15.1
fedoraproject fedora 32
xen xen *
xen xen 4.13.0
fedoraproject fedora 30
fedoraproject fedora 31
CVE-2020-11742 LOW

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of bad continuation handling in GNTTABOP_copy. Grant table operations are expected to return 0 for success, and a negative number for errors. The fix for CVE-2017-12135 introduced a path through grant copy handling where success may be returned to the caller without any action taken. In particular, the status fields of individual operations are left uninitialised, and may result in errant behaviour in the caller of GNTTABOP_copy. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to copy a grant, it hits the incorrect exit path. This returns success to the caller without doing anything, which may cause crashes or other incorrect behaviour.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
fedoraproject fedora 32
xen xen *
xen xen 4.13.0
CVE-2020-11743 LOW

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of a bad error path in GNTTABOP_map_grant. Grant table operations are expected to return 0 for success, and a negative number for errors. Some misplaced brackets cause one error path to return 1 instead of a negative value. The grant table code in Linux treats this condition as success, and proceeds with incorrectly initialised state. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to map a grant, it hits the incorrect error path. This will crash a Linux based dom0 or backend domain.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-755,

Products Affected

Vendor Product Version
fedoraproject fedora 32
xen xen *
xen xen 4.13.0
CVE-2020-15563 MEDIUM

An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash. An inverted conditional in x86 HVM guests' dirty video RAM tracking code allows such guests to make Xen de-reference a pointer guaranteed to point at unmapped space. A malicious or buggy HVM guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Xen versions from 4.8 onwards are affected. Xen versions 4.7 and earlier are not affected. Only x86 systems are affected. Arm systems are not affected. Only x86 HVM guests using shadow paging can leverage the vulnerability. In addition, there needs to be an entity actively monitoring a guest's video frame buffer (typically for display purposes) in order for such a guest to be able to leverage the vulnerability. x86 PV guests, as well as x86 HVM guests using hardware assisted paging (HAP), cannot leverage the vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-15564 MEDIUM

An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash because of a missing alignment check in VCPUOP_register_vcpu_info. The hypercall VCPUOP_register_vcpu_info is used by a guest to register a shared region with the hypervisor. The region will be mapped into Xen address space so it can be directly accessed. On Arm, the region is accessed with instructions that require a specific alignment. Unfortunately, there is no check that the address provided by the guest will be correctly aligned. As a result, a malicious guest could cause a hypervisor crash by passing a misaligned address. A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of Service (DoS). All Xen versions are vulnerable. Only Arm systems are vulnerable. x86 systems are not affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
xen xen *
fedoraproject fedora 31
CVE-2020-15565 MEDIUM

An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2 onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
debian debian_linux 10.0
opensuse leap 15.1
fedoraproject fedora 32
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-15566 MEDIUM

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handling in event-channel port allocation. The allocation of an event-channel port may fail for multiple reasons: (1) port is already in use, (2) the memory allocation failed, or (3) the port we try to allocate is higher than what is supported by the ABI (e.g., 2L or FIFO) used by the guest or the limit set by an administrator (max_event_channels in xl cfg). Due to the missing error checks, only (1) will be considered an error. All the other cases will provide a valid port and will result in a crash when trying to access the event channel. When the administrator configured a guest to allow more than 1023 event channels, that guest may be able to crash the host. When Xen is out-of-memory, allocation of new event channels will result in crashing the host rather than reporting an error. Xen versions 4.10 and later are affected. All architectures are affected. The default configuration, when guests are created with xl/libxl, is not vulnerable, because of the default event-channel limit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-754,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
CVE-2020-15567 MEDIUM

An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE. When mapping guest EPT (nested paging) tables, Xen would in some circumstances use a series of non-atomic bitfield writes. Depending on the compiler version and optimisation flags, Xen might expose a dangerous partially written PTE to the hardware, which an attacker might be able to race to exploit. A guest administrator or perhaps even an unprivileged guest user might be able to cause denial of service, data corruption, or privilege escalation. Only systems using Intel CPUs are vulnerable. Systems using AMD CPUs, and Arm systems, are not vulnerable. Only systems using nested paging (hap, aka nested paging, aka in this case Intel EPT) are vulnerable. Only HVM and PVH guests can exploit the vulnerability. The presence and scope of the vulnerability depends on the precise optimisations performed by the compiler used to build Xen. If the compiler generates (a) a single 64-bit write, or (b) a series of read-modify-write operations in the same order as the source code, the hypervisor is not vulnerable. For example, in one test build using GCC 8.3 with normal settings, the compiler generated multiple (unlocked) read-modify-write operations in source-code order, which did not constitute a vulnerability. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code-generation options). The source code clearly violates the C rules, and thus should be considered vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 10.0
opensuse leap 15.1
fedoraproject fedora 32
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-15852 MEDIUM

An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap mishandling causes a loss of synchronization between the I/O bitmaps of TSS and Xen, aka CID-cadfad870154.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-276,

Products Affected

Vendor Product Version
linux linux_kernel *
netapp steelstore_cloud_integrated_storage -
netapp cloud_backup -
xen xen *
netapp solidfire_baseboard_management_controller -
CVE-2020-25595 MEDIUM

An issue was discovered in Xen through 4.14.x. The PCI passthrough code improperly uses register data. Code paths in Xen's MSI handling have been identified that act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect these registers, experience shows that it's very common for devices to have out-of-spec "backdoor" operations that can affect the result of these reads. A not fully trusted guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. Privilege escalation and information leaks cannot be excluded. All versions of Xen supporting PCI passthrough are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only guests with passed through PCI devices may be able to leverage the vulnerability. Only systems passing through devices with out-of-spec ("backdoor") functionality can cause issues. Experience shows that such out-of-spec functionality is common; unless you have reason to believe that your device does not have such functionality, it's better to assume that it does.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-25596 LOW

An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. This causes the guest kernel to observe a kernel-privilege #GP fault (typically fatal) rather than a user-privilege #GP fault (usually converted into SIGSEGV/etc.). Malicious or buggy userspace can crash the guest kernel, resulting in a VM Denial of Service. All versions of Xen from 3.2 onwards are vulnerable. Only x86 systems are vulnerable. ARM platforms are not vulnerable. Only x86 systems that support the SYSENTER instruction in 64bit mode are vulnerable. This is believed to be Intel, Centaur, and Shanghai CPUs. AMD and Hygon CPUs are not believed to be vulnerable. Only x86 PV guests can exploit the vulnerability. x86 PVH / HVM guests cannot exploit the vulnerability.

CVSS 2.0

Severity: LOW

Problem Type: CWE-74,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-25597 MEDIUM

An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. However, operations like the resetting of all event channels may involve decreasing one of the bounds checked when determining validity. This may lead to bug checks triggering, crashing the host. An unprivileged guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. All Xen versions from 4.4 onwards are vulnerable. Xen versions 4.3 and earlier are not vulnerable. Only systems with untrusted guests permitted to create more than the default number of event channels are vulnerable. This number depends on the architecture and type of guest. For 32-bit x86 PV guests, this is 1023; for 64-bit x86 PV guests, and for all ARM guests, this number is 4095. Systems where untrusted guests are limited to fewer than this number are not vulnerable. Note that xl and libxl limit max_event_channels to 1023 by default, so systems using exclusively xl, libvirt+libxl, or their own toolstack based on libxl, and not explicitly setting max_event_channels, are not vulnerable.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
xen xen *
fedoraproject fedora 31
CVE-2020-25598 LOW

An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error path. The RCU (Read, Copy, Update) mechanism is a synchronisation primitive. A buggy error path in the XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar to forgetting to unlock a spinlock. A buggy or malicious HVM stubdomain can cause an RCU reference to be leaked. This causes subsequent administration operations, (e.g., CPU offline) to livelock, resulting in a host Denial of Service. The buggy codepath has been present since Xen 4.12. Xen 4.14 and later are vulnerable to the DoS. The side effects are believed to be benign on Xen 4.12 and 4.13, but patches are provided nevertheless. The vulnerability can generally only be exploited by x86 HVM VMs, as these are generally the only type of VM that have a Qemu stubdomain. x86 PV and PVH domains, as well as ARM VMs, typically don't use a stubdomain. Only VMs using HVM stubdomains can exploit the vulnerability. VMs using PV stubdomains, or with emulators running in dom0, cannot exploit the vulnerability.

CVSS 2.0

Severity: LOW

Problem Type: CWE-670,

Products Affected

Vendor Product Version
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-25599 MEDIUM

An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory accesses or triggering of bug checks. In particular, x86 PV guests may be able to elevate their privilege to that of the host. Host and guest crashes are also possible, leading to a Denial of Service (DoS). Information leaks cannot be ruled out. All Xen versions from 4.5 onwards are vulnerable. Xen versions 4.4 and earlier are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-25600 MEDIUM

An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains can use only 1023 channels, due to limited space in their shared (between guest and Xen) information structure, whereas all other domains can use up to 4095 in this model. The recording of the respective limit during domain initialization, however, has occurred at a time where domains are still deemed to be 64-bit ones, prior to actually honoring respective domain properties. At the point domains get recognized as 32-bit ones, the limit didn't get updated accordingly. Due to this misbehavior in Xen, 32-bit domains (including Domain 0) servicing other domains may observe event channel allocations to succeed when they should really fail. Subsequent use of such event channels would then possibly lead to corruption of other parts of the shared info structure. An unprivileged guest may cause another domain, in particular Domain 0, to misbehave. This may lead to a Denial of Service (DoS) for the entire system. All Xen versions from 4.4 onwards are vulnerable. Xen versions 4.3 and earlier are not vulnerable. Only x86 32-bit domains servicing other domains are vulnerable. Arm systems, as well as x86 64-bit domains, are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-25601 MEDIUM

An issue was discovered in Xen through 4.14.x. There is a lack of preemption in evtchn_reset() / evtchn_destroy(). In particular, the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these (when resetting all event channels or when cleaning up after the guest) may take extended periods of time. So far, there was no arrangement for preemption at suitable intervals, allowing a CPU to spend an almost unbounded amount of time in the processing of these operations. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. All Xen versions are vulnerable in principle. Whether versions 4.3 and older are vulnerable depends on underlying hardware characteristics.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-25602 MEDIUM

An issue was discovered in Xen through 4.14.x. An x86 PV guest can trigger a host OS crash when handling guest access to MSR_MISC_ENABLE. When a guest accesses certain Model Specific Registers, Xen first reads the value from hardware to use as the basis for auditing the guest access. For the MISC_ENABLE MSR, which is an Intel specific MSR, this MSR read is performed without error handling for a #GP fault, which is the consequence of trying to read this MSR on non-Intel hardware. A buggy or malicious PV guest administrator can crash Xen, resulting in a host Denial of Service. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only Xen versions 4.11 and onwards are vulnerable. 4.10 and earlier are not vulnerable. Only x86 systems that do not implement the MISC_ENABLE MSR (0x1a0) are vulnerable. AMD and Hygon systems do not implement this MSR and are vulnerable. Intel systems do implement this MSR and are not vulnerable. Other manufacturers have not been checked. Only x86 PV guests can exploit the vulnerability. x86 HVM/PVH guests cannot exploit the vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-25603 MEDIUM

An issue was discovered in Xen through 4.14.x. There are missing memory barriers when accessing/allocating an event channel. Event channels control structures can be accessed lockless as long as the port is considered to be valid. Such a sequence is missing an appropriate memory barrier (e.g., smp_*mb()) to prevent both the compiler and CPU from re-ordering access. A malicious guest may be able to cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded. Systems running all versions of Xen are affected. Whether a system is vulnerable will depend on the CPU and compiler used to build Xen. For all systems, the presence and the scope of the vulnerability depend on the precise re-ordering performed by the compiler used to build Xen. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code generation options). GCC documentation clearly suggests that re-ordering is possible. Arm systems will also be vulnerable if the CPU is able to re-order memory access. Please consult your CPU vendor. x86 systems are only vulnerable if a compiler performs re-ordering.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-670,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-25604 LOW

An issue was discovered in Xen through 4.14.x. There is a race condition when migrating timers between x86 HVM vCPUs. When migrating timers of x86 HVM guests between its vCPUs, the locking model used allows for a second vCPU of the same guest (also operating on the timers) to release a lock that it didn't acquire. The most likely effect of the issue is a hang or crash of the hypervisor, i.e., a Denial of Service (DoS). All versions of Xen are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only x86 HVM guests can leverage the vulnerability. x86 PV and PVH cannot leverage the vulnerability. Only guests with more than one vCPU can exploit the vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.0 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-27670 MEDIUM

An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a denial of service (data corruption), cause a data leak, or possibly gain privileges because an AMD IOMMU page-table entry can be half-updated.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-345,

Products Affected

Vendor Product Version
debian debian_linux 10.0
opensuse leap 15.1
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-27671 MEDIUM

An issue was discovered in Xen through 4.14.x allowing x86 HVM and PVH guest OS users to cause a denial of service (data corruption), cause a data leak, or possibly gain privileges because coalescing of per-page IOMMU TLB flushes is mishandled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 10.0
opensuse leap 15.1
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-27672 MEDIUM

An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a host OS denial of service, achieve data corruption, or possibly gain privileges by exploiting a race condition that leads to a use-after-free involving 2MiB and 1GiB superpages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,CWE-416,

Products Affected

Vendor Product Version
debian debian_linux 10.0
opensuse leap 15.1
xen xen *
opensuse leap 15.2
fedoraproject fedora 31
CVE-2020-27673 MEDIUM

An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
linux linux_kernel *
opensuse leap 15.1
xen xen *
debian debian_linux 9.0
opensuse leap 15.2
linux linux_kernel 5.10
CVE-2020-27674 MEDIUM

An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 1.8 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
fedoraproject fedora 31
CVE-2020-28368 LOW

Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-862,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
xen xen *
CVE-2020-29040 MEDIUM

An issue was discovered in Xen through 4.14.x allowing x86 HVM guest OS users to cause a denial of service (stack corruption), cause a data leak, or possibly gain privileges because of an off-by-one error. NOTE: this issue is caused by an incorrect fix for CVE-2020-27671.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-193,CWE-787,

Products Affected

Vendor Product Version
xen xen *
CVE-2020-29479 HIGH

An issue was discovered in Xen through 4.14.x. In the Ocaml xenstored implementation, the internal representation of the tree has special cases for the root node, because this node has no parent. Unfortunately, permissions were not checked for certain operations on the root node. Unprivileged guests can get and modify permissions, list, and delete the root node. (Deleting the whole xenstore tree is a host-wide denial of service.) Achieving xenstore write access is also possible. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-862,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
CVE-2020-29480 LOW

An issue was discovered in Xen through 4.14.x. Neither xenstore implementation does any permission checks when reporting a xenstore watch event. A guest administrator can watch the root xenstored node, which will cause notifications for every created, modified, and deleted key. A guest administrator can also use the special watches, which will cause a notification every time a domain is created and destroyed. Data may include: number, type, and domids of other VMs; existence and domids of driver domains; numbers of virtual interfaces, block devices, vcpus; existence of virtual framebuffers and their backend style (e.g., existence of VNC service); Xen VM UUIDs for other domains; timing information about domain creation and device setup; and some hints at the backend provisioning of VMs and their devices. The watch events do not contain values stored in xenstore, only key names. A guest administrator can observe non-sensitive domain and device lifecycle events relating to other guests. This information allows some insight into overall system configuration (including the number and general nature of other guests), and configuration of other guests (including the number and general nature of other guests' devices). This information might be commercially interesting or might make other attacks easier. There is not believed to be exposure of sensitive data. Specifically, there is no exposure of VNC passwords, port numbers, pathnames in host and guest filesystems, cryptographic keys, or within-guest data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.3 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 0.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-862,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
CVE-2020-29481 MEDIUM

An issue was discovered in Xen through 4.14.x. Access rights of Xenstore nodes are per domid. Unfortunately, existing granted access rights are not removed when a domain is being destroyed. This means that a new domain created with the same domid will inherit the access rights to Xenstore nodes from the previous domain(s) with the same domid. Because all Xenstore entries of a guest below /local/domain/<domid> are being deleted by Xen tools when a guest is destroyed, only Xenstore entries of other guests still running are affected. For example, a newly created guest domain might be able to read sensitive information that had belonged to a previously existing guest domain. Both Xenstore implementations (C and Ocaml) are vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
CVE-2020-29482 MEDIUM

An issue was discovered in Xen through 4.14.x. A guest may access xenstore paths via absolute paths containing a full pathname, or via a relative path, which implicitly includes /local/domain/$DOMID for their own domain id. Management tools must access paths in guests' namespaces, necessarily using absolute paths. oxenstored imposes a pathname limit that is applied solely to the relative or absolute path specified by the client. Therefore, a guest can create paths in its own namespace which are too long for management tools to access. Depending on the toolstack in use, a malicious guest administrator might cause some management tools and debugging operations to fail. For example, a guest administrator can cause "xenstore-ls -r" to fail. However, a guest administrator cannot prevent the host administrator from tearing down the domain. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-426,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
CVE-2020-29483 MEDIUM

An issue was discovered in Xen through 4.14.x. Xenstored and guests communicate via a shared memory page using a specific protocol. When a guest violates this protocol, xenstored will drop the connection to that guest. Unfortunately, this is done by just removing the guest from xenstored's internal management, resulting in the same actions as if the guest had been destroyed, including sending an @releaseDomain event. @releaseDomain events do not say that the guest has been removed. All watchers of this event must look at the states of all guests to find the guest that has been removed. When an @releaseDomain is generated due to a domain xenstored protocol violation, because the guest is still running, the watchers will not react. Later, when the guest is actually destroyed, xenstored will no longer have it stored in its internal data base, so no further @releaseDomain event will be sent. This can lead to a zombie domain; memory mappings of that guest's memory will not be removed, due to the missing event. This zombie domain will be cleaned up only after another domain is destroyed, as that will trigger another @releaseDomain event. If the device model of the guest that violated the Xenstore protocol is running in a stub-domain, a use-after-free case could happen in xenstored, after having removed the guest from its internal data base, possibly resulting in a crash of xenstored. A malicious guest can block resources of the host for a period after its own death. Guests with a stub domain device model can eventually crash xenstored, resulting in a more serious denial of service (the prevention of any further domain management operations). Only the C variant of Xenstore is affected; the Ocaml variant is not affected. Only HVM guests with a stubdom device model can cause a serious DoS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
CVE-2020-29484 MEDIUM

An issue was discovered in Xen through 4.14.x. When a Xenstore watch fires, the xenstore client that registered the watch will receive a Xenstore message containing the path of the modified Xenstore entry that triggered the watch, and the tag that was specified when registering the watch. Any communication with xenstored is done via Xenstore messages, consisting of a message header and the payload. The payload length is limited to 4096 bytes. Any request to xenstored resulting in a response with a payload longer than 4096 bytes will result in an error. When registering a watch, the payload length limit applies to the combined length of the watched path and the specified tag. Because watches for a specific path are also triggered for all nodes below that path, the payload of a watch event message can be longer than the payload needed to register the watch. A malicious guest that registers a watch using a very large tag (i.e., with a registration operation payload length close to the 4096 byte limit) can cause the generation of watch events with a payload length larger than 4096 bytes, by writing to Xenstore entries below the watched path. This will result in an error condition in xenstored. This error can result in a NULL pointer dereference, leading to a crash of xenstored. A malicious guest administrator can cause xenstored to crash, leading to a denial of service. Following a xenstored crash, domains may continue to run, but management operations will be impossible. Only C xenstored is affected, oxenstored is not affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
CVE-2020-29485 MEDIUM

An issue was discovered in Xen 4.6 through 4.14.x. When acting upon a guest XS_RESET_WATCHES request, not all tracking information is freed. A guest can cause unbounded memory usage in oxenstored. This can lead to a system-wide DoS. Only systems using the Ocaml Xenstored implementation are vulnerable. Systems using the C Xenstored implementation are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
CVE-2020-29486 MEDIUM

An issue was discovered in Xen through 4.14.x. Nodes in xenstore have an ownership. In oxenstored, a owner could give a node away. However, node ownership has quota implications. Any guest can run another guest out of quota, or create an unbounded number of nodes owned by dom0, thus running xenstored out of memory A malicious guest administrator can cause a denial of service against a specific guest or against the whole host. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 1.5 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
CVE-2020-29487 HIGH

An issue was discovered in Xen XAPI before 2020-12-15. Certain xenstore keys provide feedback from the guest, and are therefore watched by toolstack. Specifically, keys are watched by xenopsd, and data are forwarded via RPC through message-switch to xapi. The watching logic in xenopsd sends one RPC update containing all data, any time any single xenstore key is updated, and therefore has O(N^2) time complexity. Furthermore, message-switch retains recent (currently 128) RPC messages for diagnostic purposes, yielding O(M*N) space complexity. The quantity of memory a single guest can monopolise is bounded by xenstored quota, but the quota is fairly large. It is believed to be in excess of 1G per malicious guest. In practice, this manifests as a host denial of service, either through message-switch thrashing against swap, or OOMing entirely, depending on dom0's configuration. (There are no quotas in xenopsd to limit the quantity of keys that result in RPC traffic.) A buggy or malicious guest can cause unreasonable memory usage in dom0, resulting in a host denial of service. All versions of XAPI are vulnerable. Systems that are not using the XAPI toolstack are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-770,

Products Affected

Vendor Product Version
xen xapi *
CVE-2020-29566 MEDIUM

An issue was discovered in Xen through 4.14.x. When they require assistance from the device model, x86 HVM guests must be temporarily de-scheduled. The device model will signal Xen when it has completed its operation, via an event channel, so that the relevant vCPU is rescheduled. If the device model were to signal Xen without having actually completed the operation, the de-schedule / re-schedule cycle would repeat. If, in addition, Xen is resignalled very quickly, the re-schedule may occur before the de-schedule was fully complete, triggering a shortcut. This potentially repeating process uses ordinary recursive function calls, and thus could result in a stack overflow. A malicious or buggy stubdomain serving a HVM guest can cause Xen to crash, resulting in a Denial of Service (DoS) to the entire host. Only x86 systems are affected. Arm systems are not affected. Only x86 stubdomains serving HVM guests can exploit the vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
CVE-2020-29567 MEDIUM

An issue was discovered in Xen 4.14.x. When moving IRQs between CPUs to distribute the load of IRQ handling, IRQ vectors are dynamically allocated and de-allocated on the relevant CPUs. De-allocation has to happen when certain constraints are met. If these conditions are not met when first checked, the checking CPU may send an interrupt to itself, in the expectation that this IRQ will be delivered only after the condition preventing the cleanup has cleared. For two specific IRQ vectors, this expectation was violated, resulting in a continuous stream of self-interrupts, which renders the CPU effectively unusable. A domain with a passed through PCI device can cause lockup of a physical CPU, resulting in a Denial of Service (DoS) to the entire host. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only guests with physical PCI devices passed through to them can exploit the vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.5 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
fedoraproject fedora 33
xen xen *
CVE-2020-29568 MEDIUM

An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
debian debian_linux 9.0
CVE-2020-29569 HIGH

An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
linux linux_kernel *
debian debian_linux 10.0
netapp solidfire_&_hci_management_node -
xen xen *
debian debian_linux 9.0
netapp solidfire_&_hci_storage_node -
netapp hci_compute_node_bios -
CVE-2020-29570 MEDIUM

An issue was discovered in Xen through 4.14.x. Recording of the per-vCPU control block mapping maintained by Xen and that of pointers into the control block is reversed. The consumer assumes, seeing the former initialized, that the latter are also ready for use. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.5 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
CVE-2020-29571 MEDIUM

An issue was discovered in Xen through 4.14.x. A bounds check common to most operation time functions specific to FIFO event channels depends on the CPU observing consistent state. While the producer side uses appropriately ordered writes, the consumer side isn't protected against re-ordered reads, and may hence end up de-referencing a NULL pointer. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. Only Arm systems may be vulnerable. Whether a system is vulnerable depends on the specific CPU. x86 systems are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.5 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
CVE-2021-26313 LOW

Potential speculative code store bypass in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution of overwritten instructions, may cause an incorrect speculation and could result in data leakage.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-208,CWE-203,

Products Affected

Vendor Product Version
debian debian_linux 10.0
intel core_i7-7700k -
broadcom bcm2711 -
xen xen *
intel xeon_silver_4214 -
intel core_i9-9900k -
intel core_i7-10700k -
arm cortex-a72 -
CVE-2021-26314 LOW

Potential floating point value injection in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution with incorrect floating point results, may cause the use of incorrect data from FPVI and may result in data leakage.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-208,CWE-203,

Products Affected

Vendor Product Version
intel core_i7-7700k -
broadcom bcm2711 -
fedoraproject fedora 33
xen xen *
intel xeon_silver_4214 -
intel core_i9-9900k -
intel core_i7-10700k -
fedoraproject fedora 34
arm cortex-a72 -
CVE-2021-26933 LOW

An issue was discovered in Xen 4.9 through 4.14.x. On Arm, a guest is allowed to control whether memory accesses are bypassing the cache. This means that Xen needs to ensure that all writes (such as the ones during scrubbing) have reached the memory before handing over the page to a guest. Unfortunately, the operation to clean the cache is happening before checking if the page was scrubbed. Therefore there is no guarantee when all the writes will reach the memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
fedoraproject fedora 33
xen xen *
CVE-2021-27379 MEDIUM

An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM guest OS users to achieve unintended read/write DMA access, and possibly cause a denial of service (host OS crash) or gain privileges. This occurs because a backport missed a flush, and thus IOMMU updates were not always correct. NOTE: this issue exists because of an incomplete fix for CVE-2020-15565.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
debian debian_linux 10.0
xen xen *
CVE-2021-28039 LOW

An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of I/O activity. The issue relates to misuse of guest physical addresses when a configuration has CONFIG_XEN_UNPOPULATED_ALLOC but not CONFIG_XEN_BALLOON_MEMORY_HOTPLUG.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-131,

Products Affected

Vendor Product Version
linux linux_kernel *
netapp cloud_backup -
xen xen -
netapp solidfire_baseboard_management_controller_firmware -
CVE-2021-28687 MEDIUM

HVM soft-reset crashes toolstack libxl requires all data structures passed across its public interface to be initialized before use and disposed of afterwards by calling a specific set of functions. Many internal data structures also require this initialize / dispose discipline, but not all of them. When the "soft reset" feature was implemented, the libxl__domain_suspend_state structure didn't require any initialization or disposal. At some point later, an initialization function was introduced for the structure; but the "soft reset" path wasn't refactored to call the initialization function. When a guest nwo initiates a "soft reboot", uninitialized data structure leads to an assert() when later code finds the structure in an unexpected state. The effect of this is to crash the process monitoring the guest. How this affects the system depends on the structure of the toolstack. For xl, this will have no security-relevant effect: every VM has its own independent monitoring process, which contains no state. The domain in question will hang in a crashed state, but can be destroyed by `xl destroy` just like any other non-cooperating domain. For daemon-based toolstacks linked against libxl, such as libvirt, this will crash the toolstack, losing the state of any in-progress operations (localized DoS), and preventing further administrator operations unless the daemon is configured to restart automatically (system-wide DoS). If crashes "leak" resources, then repeated crashes could use up resources, also causing a system-wide DoS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-909,

Products Affected

Vendor Product Version
xen xen 4.15.0
xen xen *
CVE-2021-28689 LOW

x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests 32-bit x86 PV guest kernels run in ring 1. At the time when Xen was developed, this area of the i386 architecture was rarely used, which is why Xen was able to use it to implement paravirtualisation, Xen's novel approach to virtualization. In AMD64, Xen had to use a different implementation approach, so Xen does not use ring 1 to support 64-bit guests. With the focus now being on 64-bit systems, and the availability of explicit hardware support for virtualization, fixing speculation issues in ring 1 is not a priority for processor companies. Indirect Branch Restricted Speculation (IBRS) is an architectural x86 extension put together to combat speculative execution sidechannel attacks, including Spectre v2. It was retrofitted in microcode to existing CPUs. For more details on Spectre v2, see: http://xenbits.xen.org/xsa/advisory-254.html However, IBRS does not architecturally protect ring 0 from predictions learnt in ring 1. For more details, see: https://software.intel.com/security-software-guidance/deep-dives/deep-dive-indirect-branch-restricted-speculation Similar situations may exist with other mitigations for other kinds of speculative execution attacks. The situation is quite likely to be similar for speculative execution attacks which have yet to be discovered, disclosed, or mitigated.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-212,

Products Affected

Vendor Product Version
xen xen *
CVE-2021-28690 MEDIUM

x86: TSX Async Abort protections not restored after S3 This issue relates to the TSX Async Abort speculative security vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html for details. Mitigating TAA by disabling TSX (the default and preferred option) requires selecting a non-default setting in MSR_TSX_CTRL. This setting isn't restored after S3 suspend.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen 4.15.0
xen xen *
CVE-2021-28692 MEDIUM

inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the most recently issued command(s). Some of these waiting loops try to apply a timeout to fail overly-slow commands. The course of action upon a perceived timeout actually being detected is inappropriate: - on Intel hardware guests which did not originally cause the timeout may be marked as crashed, - on AMD hardware higher layer callers would not be notified of the issue, making them continue as if the IOMMU operation succeeded.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
xen xen *
CVE-2021-28693 LOW

xen/arm: Boot modules are not scrubbed The bootloader will load boot modules (e.g. kernel, initramfs...) in a temporary area before they are copied by Xen to each domain memory. To ensure sensitive data is not leaked from the modules, Xen must "scrub" them before handing the page over to the allocator. Unfortunately, it was discovered that modules will not be scrubbed on Arm.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen 4.15.0
xen xen *
CVE-2021-28694 MEDIUM

IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
fedoraproject fedora 33
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2021-28695 MEDIUM

IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 33
xen xen *
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2021-28696 MEDIUM

IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
fedoraproject fedora 33
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2021-28697 MEDIUM

grant table v2 status pages may remain accessible after de-allocation Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
fedoraproject fedora 33
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2021-28698 MEDIUM

long running loops in grant table handling In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In the process of carrying out certain actions, Xen would iterate over all such entries, including ones which aren't in use anymore and some which may have been created but never used. If the number of entries for a given domain is large enough, this iterating of the entire table may tie up a CPU for too long, starving other domains or causing issues in the hypervisor itself. Note that a domain may map its own grants, i.e. there is no need for multiple domains to be involved here. A pair of "cooperating" guests may, however, cause the effects to be more severe.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
fedoraproject fedora 33
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2021-28699 MEDIUM

inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 33
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2021-28700 MEDIUM

xen/arm: No memory limit for dom0less domUs The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit from them is not set. This allow a domain to allocate memory beyond what an administrator originally configured.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
fedoraproject fedora 33
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2021-28701 MEDIUM

Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
fedoraproject fedora 33
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2021-28702 MEDIUM

PCI devices with RMRRs not deassigned correctly Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR"). These are typically used for platform tasks such as legacy USB emulation. If such a device is passed through to a guest, then on guest shutdown the device is not properly deassigned. The IOMMU configuration for these devices which are not properly deassigned ends up pointing to a freed data structure, including the IO Pagetables. Subsequent DMA or interrupts from the device will have unpredictable behaviour, ranging from IOMMU faults to memory corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.6 HIGH CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 0.9 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
fedoraproject fedora 33
xen xen *
debian debian_linux 9.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2021-28703 MEDIUM

grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes. This bug was fortuitously fixed by code cleanup in Xen 4.14, and backported to security-supported Xen branches as a prerequisite of the fix for XSA-378.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
xen xen *
CVE-2021-28704 MEDIUM

PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 9.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2021-28705 MEDIUM

issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. There are two code paths affected - page removal (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix to both issues.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
xen xen 4.15.0
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
xen xen 4.15.1
CVE-2021-28706 HIGH

guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be the overflowed (and hence small) number which gets compared against the established upper bound.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-770,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2021-28707 MEDIUM

PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2021-28708 MEDIUM

PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2021-28709 MEDIUM

issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. There are two code paths affected - page removal (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix to both issues.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
xen xen 4.15.0
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
xen xen 4.15.1
CVE-2021-28710 MEDIUM

certain VT-d IOMMUs may not work in shared page table mode For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3 page table levels. In such a configuration the lop level table needs to be stripped before inserting the root table's address into the hardware pagetable base register. When sharing page tables, Xen erroneously skipped this stripping. Consequently, the guest is able to write to leaf page table entries.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
xen xen 4.15.0
fedoraproject fedora 35
CVE-2021-28711 LOW

Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 10.0
debian debian_linux 11.0
debian debian_linux 9.0
xen xen -
CVE-2021-28712 LOW

Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 10.0
debian debian_linux 11.0
debian debian_linux 9.0
xen xen -
CVE-2021-28713 LOW

Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 10.0
debian debian_linux 11.0
debian debian_linux 9.0
xen xen -
CVE-2021-3308 MEDIUM

An issue was discovered in Xen 4.12.3 through 4.12.4 and 4.13.1 through 4.14.x. An x86 HVM guest with PCI pass through devices can force the allocation of all IDT vectors on the system by rebooting itself with MSI or MSI-X capabilities enabled and entries setup. Such reboots will leak any vectors used by the MSI(-X) entries that the guest might had enabled, and hence will lead to vector exhaustion on the system, not allowing further PCI pass through devices to work properly. HVM guests with PCI pass through devices can mount a Denial of Service (DoS) attack affecting the pass through of PCI devices to other guests or the hardware domain. In the latter case, this would affect the entire host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 32
xen xen *
xen xen 4.12.4
xen xen 4.12.3
CVE-2022-21123 LOW

Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-459,CWE-459,

Products Affected

Vendor Product Version
debian debian_linux 10.0
intel sgx_dcap *
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
debian debian_linux 9.0
intel sgx_psw *
fedoraproject fedora 35
vmware esxi 7.0
intel sgx_sdk *
CVE-2022-21125 LOW

Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-459,CWE-459,

Products Affected

Vendor Product Version
debian debian_linux 10.0
intel sgx_dcap *
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
debian debian_linux 9.0
intel sgx_psw *
fedoraproject fedora 35
vmware esxi 7.0
intel sgx_sdk *
CVE-2022-21127 LOW

Incomplete cleanup in specific special register read operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS 2.0

Severity: LOW

Problem Type: CWE-459,CWE-459,

Products Affected

Vendor Product Version
debian debian_linux 10.0
intel sgx_dcap *
xen xen *
debian debian_linux 11.0
intel sgx_psw *
intel sgx_sdk *
CVE-2022-21166 LOW

Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-459,CWE-459,

Products Affected

Vendor Product Version
debian debian_linux 10.0
intel sgx_dcap *
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
debian debian_linux 9.0
intel sgx_psw *
fedoraproject fedora 35
vmware esxi 7.0
intel sgx_sdk *
CVE-2022-23033 MEDIUM

arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-404,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 11.0
fedoraproject fedora 34
CVE-2022-23034 LOW

A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-191,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 11.0
debian debian_linux 9.0
fedoraproject fedora 34
CVE-2022-23035 MEDIUM

Insufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be retried. When multiple interrupts are involved, this scheduling of a retry may get erroneously skipped. At the same time pointers may get cleared (resulting in a de-reference of NULL) and freed (resulting in a use-after-free), while other code would continue to assume them to be valid.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-459,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 11.0
fedoraproject fedora 34
CVE-2022-23036 MEDIUM

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 9.0
xen xen -
CVE-2022-23037 MEDIUM

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 9.0
xen xen -
CVE-2022-23038 MEDIUM

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 9.0
xen xen -
CVE-2022-23039 MEDIUM

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 9.0
xen xen -
CVE-2022-23040 MEDIUM

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 9.0
xen xen -
CVE-2022-23041 MEDIUM

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 9.0
xen xen -
CVE-2022-23042 MEDIUM

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 9.0
xen xen -
CVE-2022-23824

IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
amd ryzen_5_3450g_firmware -
amd ryzen_threadripper_pro_5965wx_firmware -
amd athlon_x4_830_firmware -
amd a10-9600p_firmware -
amd ryzen_3_5400u_firmware -
amd athlon_gold_3150u_firmware -
amd epyc_7252_firmware -
amd epyc_7282_firmware -
amd ryzen_7_5825u_firmware -
amd ryzen_5_2600_firmware -
amd epyc_7402p_firmware -
amd ryzen_threadripper_2970wx_firmware -
amd ryzen_3_3250u_firmware -
amd epyc_7543_firmware -
amd ryzen_7_5825c_firmware -
amd epyc_7373x_firmware -
amd ryzen_9_4900h_firmware -
amd epyc_7f72_firmware -
amd a10-9630p_firmware -
amd ryzen_3_4300g_firmware -
amd epyc_7573x_firmware -
amd ryzen_7_3750h_firmware -
amd epyc_7402_firmware -
amd athlon_x4_940_firmware -
amd a12-9700p_firmware -
amd ryzen_threadripper_3960x_firmware -
amd epyc_7551_firmware -
amd ryzen_7_4700u_firmware -
amd ryzen_5_2600h_firmware -
amd ryzen_5_2600x_firmware -
amd ryzen_9_5980hs_firmware -
amd epyc_7543p_firmware -
amd ryzen_3_3300u_firmware -
amd ryzen_5_3400g_firmware -
amd epyc_7h12_firmware -
amd ryzen_3_5425c_firmware -
amd epyc_72f3_firmware -
amd epyc_7281_firmware -
amd epyc_7343_firmware -
amd ryzen_7_2700x_firmware -
amd epyc_7351p_firmware -
amd epyc_7302p_firmware -
amd athlon_silver_3050u_firmware -
amd ryzen_3_5125c_firmware -
amd epyc_7301_firmware -
amd a6-9210_firmware -
amd epyc_74f3_firmware -
amd ryzen_3_3200u_firmware -
amd ryzen_5_5600u_firmware -
amd ryzen_5_5600hs_firmware -
amd epyc_7351_firmware -
amd epyc_7643_firmware -
amd ryzen_threadripper_pro_3795wx_firmware -
amd epyc_7513_firmware -
fedoraproject fedora 37
amd ryzen_7_2700_firmware -
amd epyc_7662_firmware -
amd epyc_7302_firmware -
amd ryzen_5_4600u_firmware -
amd ryzen_threadripper_pro_3945wx_firmware -
amd epyc_7502p_firmware -
amd epyc_7773x_firmware -
amd ryzen_5_4600h_firmware -
amd ryzen_7_pro_3700u_firmware -
amd epyc_7413_firmware -
amd ryzen_3_4300ge_firmware -
amd epyc_7313_firmware -
amd a9-9420_firmware -
amd athlon_x4_835_firmware -
amd epyc_7713_firmware -
amd ryzen_3_3300g_firmware -
amd epyc_7552_firmware -
amd ryzen_5_3600_firmware -
amd ryzen_7_2700u_firmware -
amd epyc_7001_firmware -
amd ryzen_threadripper_3990x_firmware -
amd ryzen_3_2300u_firmware -
amd ryzen_7_3800x_firmware -
amd epyc_7371_firmware -
amd epyc_7262_firmware -
amd ryzen_5_3580u_firmware -
amd ryzen_3_5425u_firmware -
amd ryzen_5_5625u_firmware -
amd epyc_7473x_firmware -
amd ryzen_7_2800h_firmware -
amd ryzen_7_3780u_firmware -
amd ryzen_threadripper_3970x_firmware -
amd epyc_7713p_firmware -
amd epyc_7002_firmware -
amd epyc_7452_firmware -
amd ryzen_5_3600xt_firmware -
amd epyc_7551p_firmware -
amd ryzen_9_5900hs_firmware -
amd ryzen_7_5800hs_firmware -
amd epyc_7443p_firmware -
amd ryzen_5_3500u_firmware -
amd ryzen_7_5800u_firmware -
amd ryzen_7_5800h_firmware -
xen xen -
amd epyc_7f32_firmware -
amd epyc_7401_firmware -
amd epyc_7702_firmware -
amd ryzen_7_3800xt_firmware -
amd epyc_7642_firmware -
amd a12-9730p_firmware -
amd ryzen_7_4800h_firmware -
amd epyc_7763_firmware -
amd ryzen_3_2200u_firmware -
amd ryzen_9_5900hx_firmware -
amd ryzen_threadripper_pro_5955wx_firmware -
amd ryzen_threadripper_2950x_firmware -
amd ryzen_threadripper_pro_3955wx_firmware -
amd ryzen_5_3600x_firmware -
amd epyc_7501_firmware -
amd ryzen_threadripper_pro_3995wx_firmware -
amd athlon_x4_950_firmware -
amd ryzen_5_4600g_firmware -
amd ryzen_threadripper_pro_5945wx_firmware -
amd a4-9120_firmware -
amd ryzen_3_3300x_firmware -
amd epyc_7451_firmware -
amd athlon_x4_880k_firmware -
amd ryzen_7_4800u_firmware -
amd epyc_7272_firmware -
amd a6-9220_firmware -
amd ryzen_threadripper_pro_5995wx_firmware -
amd athlon_x4_970_firmware -
amd ryzen_threadripper_2920x_firmware -
amd ryzen_5_3550h_firmware -
amd epyc_7003_firmware -
amd athlon_x4_760k_firmware -
amd ryzen_7_3700x_firmware -
amd epyc_7601_firmware -
fedoraproject fedora 35
amd ryzen_5_5625c_firmware -
amd epyc_7261_firmware -
amd ryzen_5_4600ge_firmware -
amd epyc_7663_firmware -
amd epyc_7542_firmware -
amd athlon_x4_860k_firmware -
amd a6-9220c_firmware -
amd ryzen_threadripper_2990wx_firmware -
amd a9-9410_firmware -
amd ryzen_7_4700ge_firmware -
amd ryzen_5_2700_firmware -
amd epyc_7742_firmware -
amd athlon_x4_870k_firmware -
amd ryzen_5_4500u_firmware -
amd ryzen_3_3100_firmware -
amd epyc_7313p_firmware -
amd ryzen_7_3700u_firmware -
amd athlon_x4_750_firmware -
amd epyc_7251_firmware -
amd epyc_7352_firmware -
amd ryzen_5_2500u_firmware -
amd epyc_7532_firmware -
amd epyc_7f52_firmware -
amd ryzen_5_5560u_firmware -
amd ryzen_9_5980hx_firmware -
amd epyc_7401p_firmware -
amd epyc_7443_firmware -
amd athlon_x4_845_firmware -
amd epyc_7502_firmware -
amd ryzen_7_4700g_firmware -
amd epyc_75f3_firmware -
amd ryzen_3_4300u_firmware -
amd ryzen_threadripper_pro_5975wx_firmware -
amd athlon_x4_840_firmware -
amd ryzen_5_2700x_firmware -
amd ryzen_5_5600h_firmware -
CVE-2022-23960 LOW

Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
arm neoverse-v1_firmware -
arm cortex-x2_firmware -
arm cortex-a77_firmware -
arm neoverse-e1_firmware -
arm cortex-a72_firmware -
debian debian_linux 9.0
arm cortex-a78_firmware -
arm cortex-a65ae_firmware -
arm neoverse_n1_firmware -
arm cortex-a78ae_firmware -
arm cortex-a710_firmware -
arm cortex-a65_firmware -
arm neoverse_n2_firmware -
debian debian_linux 10.0
arm cortex-x1_firmware -
arm cortex-a57_firmware -
arm cortex-a73_firmware -
arm cortex-a75_firmware -
xen xen -
arm cortex-a76_firmware -
arm cortex-r8_firmware -
arm cortex-a76ae_firmware -
arm cortex-r7_firmware -
CVE-2022-26356 MEDIUM

Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both operations and can lead to entries being added in already freed slots, resulting in a memory leak.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H 1.1 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-667,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2022-26357 MEDIUM

race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2022-26358 MEDIUM

IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2022-26359 MEDIUM

IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2022-26360 MEDIUM

IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 9.0
xen xen -
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2022-26361 MEDIUM

IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 9.0
xen xen -
fedoraproject fedora 35
fedoraproject fedora 34
CVE-2022-26362 MEDIUM

x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.5 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
CVE-2022-26363 HIGH

x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
CVE-2022-26364 HIGH

x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
CVE-2022-26365 LOW

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-401,

Products Affected

Vendor Product Version
linux linux_kernel *
debian debian_linux 10.0
fedoraproject fedora 36
linux linux_kernel 5.19
debian debian_linux 11.0
xen xen -
linux linux_kernel 2.6.12
fedoraproject fedora 35
CVE-2022-29900 LOW

Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-212,

Products Affected

Vendor Product Version
amd ryzen_5_3450g_firmware -
amd ryzen_threadripper_pro_5965wx_firmware -
amd athlon_x4_830_firmware -
amd a10-9600p_firmware -
amd athlon_gold_3150u_firmware -
amd epyc_7252_firmware -
amd epyc_7282_firmware -
amd ryzen_5_2600_firmware -
amd epyc_7402p_firmware -
amd ryzen_threadripper_2970wx_firmware -
amd ryzen_3_3250u_firmware -
amd ryzen_9_4900h_firmware -
amd epyc_7f72_firmware -
amd a10-9630p_firmware -
amd ryzen_3_4300g_firmware -
amd ryzen_7_3750h_firmware -
amd epyc_7402_firmware -
amd athlon_x4_940_firmware -
amd a12-9700p_firmware -
amd ryzen_threadripper_3960x_firmware -
amd epyc_7551_firmware -
amd ryzen_7_4700u_firmware -
amd ryzen_5_2600h_firmware -
amd ryzen_5_2600x_firmware -
amd ryzen_3_3300u_firmware -
amd ryzen_5_3400g_firmware -
amd epyc_7h12_firmware -
amd epyc_7281_firmware -
amd ryzen_7_2700x_firmware -
amd epyc_7351p_firmware -
amd epyc_7302p_firmware -
amd athlon_silver_3050u_firmware -
amd epyc_7301_firmware -
amd a6-9210_firmware -
amd ryzen_3_3200u_firmware -
amd epyc_7351_firmware -
amd ryzen_threadripper_pro_3795wx_firmware -
amd ryzen_7_2700_firmware -
amd epyc_7662_firmware -
amd epyc_7302_firmware -
amd ryzen_5_4600u_firmware -
amd ryzen_threadripper_pro_3945wx_firmware -
amd epyc_7502p_firmware -
amd ryzen_5_4600h_firmware -
amd ryzen_3_4300ge_firmware -
amd a9-9420_firmware -
amd athlon_x4_835_firmware -
amd ryzen_3_3300g_firmware -
amd epyc_7552_firmware -
amd ryzen_5_3600_firmware -
amd ryzen_7_2700u_firmware -
amd epyc_7001_firmware -
amd ryzen_threadripper_3990x_firmware -
amd ryzen_3_2300u_firmware -
amd ryzen_7_3800x_firmware -
amd epyc_7371_firmware -
amd epyc_7262_firmware -
amd ryzen_7_2800h_firmware -
debian debian_linux 11.0
amd ryzen_threadripper_3970x_firmware -
amd epyc_7002_firmware -
amd epyc_7452_firmware -
amd ryzen_5_3600xt_firmware -
amd epyc_7551p_firmware -
amd ryzen_5_3500u_firmware -
xen xen -
amd epyc_7f32_firmware -
amd epyc_7401_firmware -
amd epyc_7702_firmware -
amd ryzen_7_3800xt_firmware -
amd epyc_7642_firmware -
amd a12-9730p_firmware -
amd ryzen_7_4800h_firmware -
amd ryzen_3_2200u_firmware -
amd ryzen_threadripper_pro_5955wx_firmware -
amd ryzen_threadripper_2950x_firmware -
amd ryzen_threadripper_pro_3955wx_firmware -
amd ryzen_5_3600x_firmware -
amd epyc_7501_firmware -
amd ryzen_threadripper_pro_3995wx_firmware -
amd athlon_x4_950_firmware -
amd ryzen_5_4600g_firmware -
amd ryzen_threadripper_pro_5945wx_firmware -
amd a4-9120_firmware -
amd ryzen_3_3300x_firmware -
amd epyc_7451_firmware -
amd athlon_x4_880k_firmware -
amd ryzen_7_4800u_firmware -
amd epyc_7272_firmware -
amd a6-9220_firmware -
amd ryzen_threadripper_pro_5995wx_firmware -
amd athlon_x4_970_firmware -
amd ryzen_threadripper_2920x_firmware -
amd ryzen_5_3550h_firmware -
amd athlon_x4_760k_firmware -
fedoraproject fedora 36
amd ryzen_7_3700x_firmware -
amd epyc_7601_firmware -
fedoraproject fedora 35
amd epyc_7261_firmware -
amd ryzen_5_4600ge_firmware -
amd epyc_7542_firmware -
amd athlon_x4_860k_firmware -
amd a6-9220c_firmware -
amd ryzen_threadripper_2990wx_firmware -
amd a9-9410_firmware -
amd ryzen_7_4700ge_firmware -
amd ryzen_5_2700_firmware -
amd epyc_7742_firmware -
amd athlon_x4_870k_firmware -
amd ryzen_5_4500u_firmware -
amd ryzen_3_3100_firmware -
amd ryzen_7_3700u_firmware -
amd athlon_x4_750_firmware -
amd epyc_7251_firmware -
amd epyc_7352_firmware -
amd ryzen_5_2500u_firmware -
amd epyc_7532_firmware -
amd epyc_7f52_firmware -
amd epyc_7401p_firmware -
amd athlon_x4_845_firmware -
amd epyc_7502_firmware -
amd ryzen_7_4700g_firmware -
amd ryzen_3_4300u_firmware -
amd ryzen_threadripper_pro_5975wx_firmware -
amd athlon_x4_840_firmware -
amd ryzen_5_2700x_firmware -
CVE-2022-29901 LOW

Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerability@ncsc.ch 5.6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N 1.1 4.0
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,CWE-668,

Products Affected

Vendor Product Version
intel core_i5-8420t_firmware -
intel core_i7-6822eq_firmware -
intel core_i5-8420_firmware -
intel core_i3-6110u_firmware -
intel core_m3-6y30_firmware -
intel core_i3-6300_firmware -
intel core_i5-6300hq_firmware -
intel core_i7-8569u_firmware -
intel core_i5-6400t_firmware -
intel core_i3-6320_firmware -
intel core_i5-8400_firmware -
intel core_i5-8650k_firmware -
intel core_i5-6310u_firmware -
intel core_i3-8109u_firmware -
intel core_i7-6700hq_firmware -
intel core_i7-6920hq_firmware -
intel core_i3-6100_firmware -
intel core_i7-8700t_firmware -
intel core_i9-8950hk_firmware -
intel core_i3-8130u_firmware -
intel core_i3-6320t_firmware -
intel core_i5-8400t_firmware -
intel core_i3-6100u_firmware -
intel core_i3-6100e_firmware -
intel core_i7-8809g_firmware -
intel core_i3-8145u_firmware -
intel core_i3-6120_firmware -
intel core_m5-6y57_firmware -
intel core_i7-8670_firmware -
vmware esxi 7.0
intel core_i7-8670t_firmware -
intel core_i5-6600t_firmware -
intel core_i7-8709g_firmware -
intel core_i5-8350u_firmware -
intel core_i5-8210y_firmware -
intel core_i7-8510y_firmware -
intel core_i7-6820hq_firmware -
intel core_i5-8365u_firmware -
intel core_i5-6260u_firmware -
intel core_i7-6700k_firmware -
intel core_i3-6300t_firmware -
intel core_i3-8100t_firmware -
intel core_i7-8665u_firmware -
intel core_i7-8750h_firmware -
intel core_i5-6360u_firmware -
intel core_i3-6120t_firmware -
intel core_i5-6500t_firmware -
intel core_i5-6200u_firmware -
intel core_i7-8850h_firmware -
intel core_i5-8600k_firmware -
intel core_i7-6650u_firmware -
intel core_i7-8705g_firmware -
intel core_i3-6167u_firmware -
intel core_i5-6442eq_firmware -
intel core_m3-8100y_firmware -
intel core_i7-6500u_firmware -
intel core_i7-8700b_firmware -
debian debian_linux 11.0
intel core_i7-6770hq_firmware -
intel core_i7-8706g_firmware -
intel core_i5-8250u_firmware -
intel core_i5-6500te_firmware -
intel core_i5-8269u_firmware -
intel core_i3-6100h_firmware -
intel core_i7-6700t_firmware -
intel core_i7-8700_firmware -
intel core_i5-8600t_firmware -
intel core_i5-8300h_firmware -
intel core_i5-8550_firmware -
intel core_i3-6100t_firmware -
intel core_i5-6400_firmware -
intel core_i7-6700te_firmware -
intel core_i5-8265u_firmware -
intel core_i3-8100h_firmware -
intel core_i7-6660u_firmware -
intel core_i5-6600k_firmware -
debian debian_linux 10.0
intel core_i5-6440eq_firmware -
intel core_i3-6100te_firmware -
intel core_i5-8200y_firmware -
intel core_i3-8350k_firmware -
xen xen -
intel core_i5-8310y_firmware -
intel core_i3-8300t_firmware -
intel core_i7-8550u_firmware -
intel core_i7-8500y_firmware -
intel core_i5-6440hq_firmware -
intel core_i5-8400h_firmware -
intel core_i3-8000t_firmware -
intel core_i5-6300u_firmware -
intel core_i5-8600_firmware -
intel core_i3-8300_firmware -
intel core_i3-8000_firmware -
intel core_i5-8550u_firmware -
intel core_i7-6567u_firmware -
intel core_i5-8500b_firmware -
intel core_i7-6870hq_firmware -
intel core_i5-8259u_firmware -
intel core_i7-6510u_firmware -
intel core_i5-6500_firmware -
intel core_i5-6350hq_firmware -
intel core_m7-6y75_firmware -
intel core_i7-6700_firmware -
intel core_i7-8565u_firmware -
intel core_i7-8700k_firmware -
intel core_i7-8559u_firmware -
intel core_i5-6287u_firmware -
intel core_i7-8560u_firmware -
fedoraproject fedora 36
intel core_i5-8400b_firmware -
intel core_i7-8750hf_firmware -
fedoraproject fedora 35
intel core_i7-6560u_firmware -
intel core_i7-8650u_firmware -
intel core_i5-6600_firmware -
intel core_i5-8500t_firmware -
intel core_i7-6820eq_firmware -
intel core_i5-6210u_firmware -
intel core_i7-6970hq_firmware -
intel core_i5-8305g_firmware -
intel core_i3-6102e_firmware -
intel core_i5-8650_firmware -
intel core_i5-8500_firmware -
intel core_i5-6267u_firmware -
intel core_i7-6820hk_firmware -
intel core_i3-8020_firmware -
intel core_m5-6y54_firmware -
intel core_i3-8120_firmware -
intel core_i7-6600u_firmware -
intel core_i7-8557u_firmware -
intel core_i3-8100_firmware -
CVE-2022-33740 LOW

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-212,

Products Affected

Vendor Product Version
linux linux_kernel *
debian debian_linux 10.0
fedoraproject fedora 36
linux linux_kernel 5.19
debian debian_linux 11.0
xen xen -
linux linux_kernel 2.6.12
fedoraproject fedora 35
CVE-2022-33741 LOW

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
linux linux_kernel *
debian debian_linux 10.0
fedoraproject fedora 36
linux linux_kernel 5.19
debian debian_linux 11.0
xen xen -
linux linux_kernel 2.6.12
fedoraproject fedora 35
CVE-2022-33742 LOW

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
linux linux_kernel *
debian debian_linux 10.0
fedoraproject fedora 36
linux linux_kernel 5.19
debian debian_linux 11.0
xen xen -
linux linux_kernel 2.6.12
fedoraproject fedora 35
CVE-2022-33743 MEDIUM

network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
linux linux_kernel *
debian debian_linux 11.0
xen xen -
CVE-2022-33745

insufficient TLB flush for x86 PV guests in shadow mode For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary.

Products Affected

Vendor Product Version
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
CVE-2022-33746

P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
CVE-2022-33747

Arm: unbounded memory consumption for 2nd-level page tables Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
CVE-2022-33748

lock order inversion in transitive grant copy handling As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, but in respectively opposite order. With suitable timing between the involved grant copy operations this may result in the locking up of a CPU.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
CVE-2022-33749

XAPI open file limit DoS It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limit. This causes XAPI to be unable to accept new requests for other (trusted) clients, and blocks XAPI from carrying out any tasks that require the opening of file descriptors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
xen xapi *
CVE-2022-40982

Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secure@intel.com 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0

Products Affected

Vendor Product Version
intel xeon_silver_4209t_firmware -
intel celeron_g4900_firmware -
intel xeon_e-2126g_firmware -
intel core_i9-11900t_firmware -
intel xeon_e-2378_firmware -
intel xeon_gold_6230r_firmware -
intel xeon_e3-1245_v6_firmware -
intel core_i5-11500h_firmware -
intel core_i5-9400f_firmware -
intel core_i9-10900x_firmware -
intel xeon_e-2324g_firmware -
intel xeon_platinum_8253_firmware -
intel core_i5-10600_firmware -
intel core_i7-8569u_firmware -
intel core_i5-7360u_firmware -
intel xeon_gold_6240r_firmware -
intel pentium_gold_g6405t_firmware -
netapp all_flash_fabric-attached_storage_9500 -
intel xeon_d-2143it_firmware -
intel core_i5-1030g7_firmware -
intel core_i3-10105_firmware -
intel core_i5-11320h_firmware -
intel xeon_platinum_8280l_firmware -
intel core_i7-8700t_firmware -
intel celeron_g5900_firmware -
intel core_i3-10325_firmware -
intel xeon_gold_5215l_firmware -
intel core_i5-11600k_firmware -
intel xeon_w-2245_firmware -
intel xeon_w-2123_firmware -
intel core_i9-11900kf_firmware -
intel core_i3-1115gre_firmware -
intel xeon_gold_5320t_firmware -
intel core_i7-7820x_firmware -
intel xeon_gold_6210u_firmware -
intel xeon_gold_6240l_firmware -
intel core_i5-10310y_firmware -
intel core_i7-1060g7_firmware -
intel xeon_e-2136_firmware -
intel pentium_gold_g5400t_firmware -
intel xeon_gold_6250l_firmware -
intel core_i7-11375h_firmware -
intel core_i5-8365u_firmware -
intel xeon_e-2276g_firmware -
intel core_i9-10920x_firmware -
intel core_i9-11900h_firmware -
intel core_i3-10100f_firmware -
intel core_i7-8750h_firmware -
intel pentium_gold_g6400_firmware -
netapp all_flash_fabric-attached_storage_a800 -
intel xeon_platinum_8280_firmware -
intel xeon_silver_4214_firmware -
intel core_i3-1005g1_firmware -
intel core_i5-9600_firmware -
intel xeon_platinum_8353h_firmware -
intel core_i5-10500t_firmware -
intel xeon_w-1250p_firmware -
intel xeon_gold_6230n_firmware -
intel core_i3-1115g4_firmware -
intel pentium_gold_g5400_firmware -
intel core_i7-8850h_firmware -
intel core_i5-8600k_firmware -
intel core_i3-1120g4_firmware -
intel core_i7-8705g_firmware -
intel xeon_e-2224_firmware -
intel xeon_platinum_8360hl_firmware -
intel xeon_d-2183it_firmware -
intel xeon_gold_6230_firmware -
debian debian_linux 11.0
intel core_i5-10600t_firmware -
intel core_i3-7310t_firmware -
intel core_i9-10900kf_firmware -
intel pentium_gold_g6505_firmware -
intel core_i7-1185g7e_firmware -
intel core_i9-7920x_firmware -
intel core_i9-10980xe_firmware -
intel core_i5-8600t_firmware -
intel xeon_gold_5220t_firmware -
intel xeon_d-2187nt_firmware -
intel core_i3-8100h_firmware -
intel core_i9-7980xe_firmware -
intel core_i7-10510y_firmware -
intel xeon_e-2278gel_firmware -
intel core_i5-8200y_firmware -
intel core_i5-8310y_firmware -
intel core_i3-1000g1_firmware -
intel core_i5-11500t_firmware -
intel core_i5-8600_firmware -
intel xeon_e3-1535m_v6_firmware -
intel pentium_gold_g6500t_firmware -
intel xeon_gold_6240y_firmware -
intel core_i5-8500b_firmware -
intel core_i5-10600kf_firmware -
intel core_i5-11600_firmware -
intel xeon_d-2123it_firmware -
intel core_i5-9500f_firmware -
intel xeon_w-2255_firmware -
intel core_i7-8565u_firmware -
intel core_i7-7560u_firmware -
intel pentium_gold_g5600_firmware -
intel xeon_e-2356g_firmware -
intel core_i7-8700k_firmware -
intel core_i9-10940x_firmware -
intel xeon_e-2226ge_firmware -
intel xeon_e-2224g_firmware -
intel xeon_e3-1280_v6_firmware -
intel core_i5-10300h_firmware -
intel core_i3-9100_firmware -
intel core_i7-8650u_firmware -
intel xeon_bronze_3204_firmware -
intel xeon_w-2195_firmware -
intel xeon_w-1250_firmware -
intel core_i7-11850h_firmware -
intel xeon_w-11865mre_firmware -
intel xeon_platinum_8360h_firmware -
intel xeon_d-1732te_firmware -
intel celeron_g4900t_firmware -
intel core_i3-7101e_firmware -
intel xeon_platinum_8256_firmware -
intel xeon_gold_6242_firmware -
intel core_i5-10400t_firmware -
intel xeon_gold_5217_firmware -
intel xeon_gold_6242r_firmware -
intel core_i5-7300u_firmware -
intel xeon_e-2244g_firmware -
intel xeon_gold_6209u_firmware -
intel core_i7-10700k_firmware -
intel core_i9-10900t_firmware -
intel xeon_platinum_8270_firmware -
intel xeon_d-2163it_firmware -
intel pentium_gold_6405u_firmware -
intel core_i3-7340_firmware -
intel core_i5-8260u_firmware -
intel xeon_w-2265_firmware -
intel xeon_silver_4316_firmware -
intel core_i3-8109u_firmware -
intel core_i9-7960x_firmware -
intel core_i7-10810u_firmware -
intel xeon_d-2161i_firmware -
intel core_i7-9800x_firmware -
intel xeon_gold_6336y_firmware -
intel xeon_e-2286g_firmware -
intel xeon_w-11865mle_firmware -
intel core_i9-9940x_firmware -
intel core_i3-7020u_firmware -
intel xeon_silver_4310_firmware -
intel core_i7-8809g_firmware -
intel core_i3-8145u_firmware -
intel xeon_e-2278ge_firmware -
intel xeon_d-2752ter_firmware -
intel core_i7-10850h_firmware -
intel core_i5-7500t_firmware -
netapp all_flash_fabric-attached_storage_8300 -
intel core_i3-10300_firmware -
intel core_i7-8709g_firmware -
intel xeon_platinum_9242_firmware -
intel core_i5-8350u_firmware -
intel xeon_silver_4208_firmware -
intel core_i5-1145gre_firmware -
intel xeon_e3-1501l_v6_firmware -
intel core_i9-9920x_firmware -
intel core_i7-1185gre_firmware -
intel core_i3-8100t_firmware -
intel xeon_w-1290t_firmware -
intel xeon_d-1735tr_firmware -
intel core_i5-1030g4_firmware -
intel xeon_silver_4210t_firmware -
intel xeon_platinum_8380h_firmware -
intel core_i7-9700_firmware -
intel xeon_w-1390t_firmware -
intel core_i3-9320_firmware -
intel core_m3-8100y_firmware -
intel xeon_silver_4314_firmware -
intel xeon_e-2374g_firmware -
intel xeon_gold_6234_firmware -
intel core_i7-8700b_firmware -
intel core_i3-10305_firmware -
intel core_i7-11800h_firmware -
intel core_i7-10870h_firmware -
intel core_i5-11500_firmware -
intel core_i5-7600_firmware -
intel core_i5-8269u_firmware -
intel core_i7-11700t_firmware -
intel xeon_gold_5318y_firmware -
intel xeon_gold_6262v_firmware -
intel xeon_silver_4214y_firmware -
intel core_i9-9900x_firmware -
intel xeon_e-2236_firmware -
intel core_i7-9700kf_firmware -
intel celeron_g4920_firmware -
intel xeon_gold_6326_firmware -
intel core_i5-8265u_firmware -
intel xeon_platinum_8276l_firmware -
intel xeon_e3-1501m_v6_firmware -
intel xeon_gold_6252_firmware -
intel xeon_gold_6208u_firmware -
intel core_i3-8350k_firmware -
intel core_i5-10200h_firmware -
intel core_i7-11700_firmware -
intel core_i3-10105f_firmware -
intel core_i3-7320_firmware -
intel xeon_w-2235_firmware -
intel xeon_w-1350p_firmware -
intel core_i3-8300_firmware -
intel core_i7-7800x_firmware -
intel core_i3-7120_firmware -
intel xeon_e-2274g_firmware -
intel xeon_platinum_8376hl_firmware -
intel core_i3-10110y_firmware -
intel core_i9-10900k_firmware -
intel core_i5-7260u_firmware -
intel xeon_d-2173it_firmware -
intel core_i3-7167u_firmware -
intel core_i3-9350kf_firmware -
intel xeon_gold_6348h_firmware -
intel core_i9-11900_firmware -
intel core_i5-9400t_firmware -
intel core_i7-10610u_firmware -
intel xeon_gold_6238t_firmware -
intel core_i3-7100u_firmware -
intel core_i5-7500_firmware -
intel xeon_gold_6246_firmware -
intel core_i9-10900f_firmware -
intel core_i3-11100he_firmware -
intel core_i3-10305t_firmware -
intel core_i9-10900_firmware -
intel core_i7-10700f_firmware -
intel xeon_gold_6246r_firmware -
intel core_i5-8400b_firmware -
intel celeron_g5905t_firmware -
intel core_i7-7700t_firmware -
redhat enterprise_linux 7.0
intel xeon_gold_6256_firmware -
intel core_i5-8500t_firmware -
intel core_i5-1035g7_firmware -
intel xeon_platinum_8356h_firmware -
intel core_i3-7300t_firmware -
intel core_i9-10980hk_firmware -
intel core_i3-9350k_firmware -
intel xeon_silver_4214r_firmware -
intel xeon_w-3275_firmware -
intel xeon_w-11555mle_firmware -
intel core_i5-10210y_firmware -
intel xeon_gold_5218_firmware -
intel xeon_e-2144g_firmware -
intel core_i5-10600k_firmware -
intel xeon_w-2225_firmware -
intel xeon_e-2334_firmware -
intel core_i9-9900k_firmware -
intel xeon_gold_5215_firmware -
intel core_i5-7267u_firmware -
intel core_i7-1195g7_firmware -
intel xeon_gold_6252n_firmware -
intel core_i7-11390h_firmware -
intel xeon_e-2336_firmware -
intel xeon_w-10855m_firmware -
intel xeon_d-2177nt_firmware -
intel core_i3-1110g4_firmware -
intel xeon_e3-1270_v6_firmware -
intel core_i5-10500h_firmware -
intel core_i7-10510u_firmware -
intel core_i5-11400f_firmware -
intel core_i5-11400h_firmware -
intel core_i5-1140g7_firmware -
intel core_i7-10700t_firmware -
intel xeon_w-3223_firmware -
intel core_i9-9900t_firmware -
intel core_i5-7640x_firmware -
intel core_i7-8086k_firmware -
intel xeon_d-2146nt_firmware -
intel xeon_e3-1240_v6_firmware -
intel xeon_w-2223_firmware -
intel xeon_gold_5218b_firmware -
intel pentium_gold_g6605_firmware -
intel core_i5-8400_firmware -
intel core_i7-7820eq_firmware -
intel xeon_e-2124_firmware -
intel xeon_w-1390_firmware -
intel core_i9-9980xe_firmware -
netapp all_flash_fabric-attached_storage_8700 -
intel xeon_gold_6328h_firmware -
intel core_i3-8130u_firmware -
intel xeon_e3-1220_v6_firmware -
intel xeon_platinum_8376h_firmware -
intel core_i7-10700kf_firmware -
intel core_i7-7740x_firmware -
intel pentium_gold_g6600_firmware -
intel xeon_gold_6254_firmware -
intel xeon_gold_6238l_firmware -
intel core_i5-8257u_firmware -
intel xeon_w-1370p_firmware -
intel core_i3-7102e_firmware -
intel core_i7-11600h_firmware -
intel core_i5-7400t_firmware -
intel core_i3-10105t_firmware -
intel xeon_e3-1285_v6_firmware -
netapp all_flash_fabric-attached_storage_a400 -
intel core_i5-8210y_firmware -
intel xeon_platinum_8354h_firmware -
intel xeon_e3-1230_v6_firmware -
intel xeon_gold_5220s_firmware -
intel core_i5-10500_firmware -
intel xeon_w-2133_firmware -
intel core_i5-10400h_firmware -
intel xeon_w-2295_firmware -
intel core_i5-9500t_firmware -
intel xeon_gold_6330h_firmware -
netapp all_flash_fabric-attached_storage_c250 *
intel core_i5-11400t_firmware -
intel xeon_w-1390p_firmware -
intel xeon_gold_6238r_firmware -
intel microcode *
intel xeon_e-2288g_firmware -
intel xeon_e-2234_firmware -
intel core_i3-8100b_firmware -
intel celeron_g5925_firmware -
intel core_i5-11500he_firmware -
redhat enterprise_linux 8.0
intel core_i7-1180g7_firmware -
intel pentium_gold_g5500_firmware -
intel xeon_platinum_8260y_firmware -
intel xeon_w-3245m_firmware -
intel xeon_w-3275m_firmware -
intel xeon_e-2246g_firmware -
intel core_i5-8250u_firmware -
intel xeon_w-11155mre_firmware -
intel pentium_gold_g6400t_firmware -
intel xeon_gold_6230t_firmware -
intel xeon_e-2174g_firmware -
intel core_i9-10850k_firmware -
intel core_i5-7600t_firmware -
netapp all_flash_fabric-attached_storage_c400 -
debian debian_linux 10.0
intel xeon_gold_5315y_firmware -
intel xeon_w-3245_firmware -
intel xeon_d-2733nt_firmware -
intel core_i7-7700k_firmware -
xen xen -
intel core_i3-8300t_firmware -
intel core_i5-9500_firmware -
intel core_i3-10320_firmware -
intel core_i5-10505_firmware -
intel core_i7-1068g7_firmware -
intel xeon_silver_4215_firmware -
intel core_i9-9900ks_firmware -
intel core_i3-10100t_firmware -
intel xeon_gold_5220r_firmware -
intel core_i5-7442eq_firmware -
intel xeon_w-3265m_firmware -
intel core_i7-9700f_firmware -
intel xeon_d-2145nt_firmware -
intel xeon_silver_4310t_firmware -
intel xeon_d-1715ter_firmware -
intel core_i5-10400_firmware -
intel xeon_gold_6226r_firmware -
intel core_i5-11400_firmware -
intel core_i9-7900x_firmware -
intel xeon_gold_6330_firmware -
intel core_i7-8559u_firmware -
intel xeon_e-2104g_firmware -
intel xeon_gold_6240_firmware -
intel core_i3-9300_firmware -
intel core_i7-10710u_firmware -
intel core_i7-10875h_firmware -
intel core_i5-1145g7_firmware -
netapp all_flash_fabric-attached_storage_2820 -
intel core_i9-9820x_firmware -
intel xeon_gold_5317_firmware -
intel core_i5-1035g4_firmware -
intel core_i5-10310u_firmware -
intel xeon_gold_6248r_firmware -
intel xeon_e3-1505m_v6_firmware -
intel xeon_d-2166nt_firmware -
intel core_i5-9600k_firmware -
intel core_i7-7567u_firmware -
intel core_i7-9700k_firmware -
intel xeon_e-2134_firmware -
redhat enterprise_linux 6.0
intel celeron_5305u_firmware -
intel core_i5-7440eq_firmware -
intel core_i7-10700_firmware -
intel pentium_6405u_firmware -
intel core_i3-1000g4_firmware -
intel celeron_5205u_firmware -
intel xeon_gold_6244_firmware -
intel core_i9-9960x_firmware -
intel xeon_w-2125_firmware -
intel xeon_d-1712tr_firmware -
intel core_i3-9100f_firmware -
intel xeon_d-2712t_firmware -
intel xeon_d-2142it_firmware -
intel core_i3-1125g4_firmware -
intel xeon_gold_6248_firmware -
intel xeon_w-2175_firmware -
intel core_i7-8557u_firmware -
intel core_i7-11700kf_firmware -
intel pentium_gold_g6405_firmware -
intel core_i5-11300h_firmware -
intel core_i5-1035g1_firmware -
intel core_i9-11900f_firmware -
intel core_i5-1135g7_firmware -
intel xeon_w-1270p_firmware -
intel xeon_w-1370_firmware -
intel core_i9-9900_firmware -
intel core_i5-10400f_firmware -
intel core_i7-1165g7_firmware -
intel xeon_gold_6250_firmware -
intel core_i7-1185g7_firmware -
intel core_i5-1155g7_firmware -
intel core_i3-10100y_firmware -
netapp all_flash_fabric-attached_storage_c800 -
intel xeon_d-2141i_firmware -
intel core_i9-11950h_firmware -
intel xeon_gold_6258r_firmware -
intel xeon_gold_5222_firmware -
intel core_i9-8950hk_firmware -
intel core_i5-8400t_firmware -
intel xeon_w-2145_firmware -
intel xeon_gold_6328hl_firmware -
intel xeon_e-2176g_firmware -
intel core_i5-8279u_firmware -
intel core_i3-7100_firmware -
intel core_i5-11600kf_firmware -
intel xeon_silver_4216_firmware -
intel xeon_w-2155_firmware -
intel core_i7-11700k_firmware -
intel xeon_d-1746ter_firmware -
intel xeon_e3-1225_v6_firmware -
intel xeon_platinum_8268_firmware -
intel core_i3-7101te_firmware -
intel xeon_w-1270_firmware -
intel core_i7-1065g7_firmware -
intel core_i5-9600t_firmware -
intel core_i5-10210u_firmware -
intel xeon_e-2386g_firmware -
intel xeon_w-3225_firmware -
intel xeon_w-11555mre_firmware -
intel core_i7-11850he_firmware -
netapp all_flash_fabric-attached_storage_a250 *
intel core_i7-8665u_firmware -
intel xeon_gold_5218n_firmware -
intel xeon_gold_5220_firmware -
intel xeon_gold_6212u_firmware -
intel xeon_gold_6222v_firmware -
intel xeon_w-3265_firmware -
intel core_i3-9100t_firmware -
intel core_i5-9400_firmware -
intel core_i7-10750h_firmware -
intel core_i9-9900kf_firmware -
intel xeon_gold_5218t_firmware -
intel xeon_d-2775te_firmware -
intel core_i3-7100t_firmware -
netapp all_flash_fabric-attached_storage_a900 -
netapp all_flash_fabric-attached_storage_500f *
intel core_i7-11700f_firmware -
redhat enterprise_linux 9.0
intel xeon_silver_4210_firmware -
intel core_i3-10100_firmware -
intel xeon_platinum_9282_firmware -
intel core_i7-9700t_firmware -
intel xeon_gold_6226_firmware -
intel core_i5-7287u_firmware -
intel core_i7-8706g_firmware -
intel xeon_w-2275_firmware -
intel xeon_gold_6338t_firmware -
intel xeon_w-1290_firmware -
intel xeon_e-2388g_firmware -
intel core_i7-8700_firmware -
intel celeron_g5920_firmware -
intel core_i5-8300h_firmware -
intel core_i5-7400_firmware -
intel xeon_platinum_8276_firmware -
intel celeron_g5905_firmware -
intel xeon_platinum_8380hl_firmware -
intel xeon_w-3235_firmware -
intel core_i3-8100f_firmware -
intel xeon_platinum_8260_firmware -
intel xeon_w-10885m_firmware -
intel core_i7-8550u_firmware -
intel core_i7-8500y_firmware -
intel core_i5-8400h_firmware -
intel core_i5-1145g7e_firmware -
intel xeon_w-1350_firmware -
intel xeon_w-11155mle_firmware -
intel xeon_e-2278g_firmware -
intel xeon_platinum_8260l_firmware -
intel core_i3-7350k_firmware -
intel xeon_silver_4210r_firmware -
intel xeon_e-2146g_firmware -
intel core_i9-9990xe_firmware -
intel xeon_platinum_9221_firmware -
intel xeon_w-1290p_firmware -
intel xeon_gold_5218r_firmware -
intel core_i5-11600t_firmware -
intel xeon_e-2378g_firmware -
intel celeron_g5900t_firmware -
intel core_i5-8259u_firmware -
intel xeon_e3-1275_v6_firmware -
intel xeon_e-2186g_firmware -
intel pentium_gold_g6500_firmware -
intel core_i7-7700_firmware -
intel core_i3-10110u_firmware -
intel xeon_d-2796te_firmware -
intel core_i3-7100e_firmware -
intel xeon_gold_5318h_firmware -
intel xeon_gold_5320h_firmware -
intel xeon_gold_6238_firmware -
debian debian_linux 12.0
intel core_i5-7600k_firmware -
intel xeon_e-2314_firmware -
intel core_i5-9600kf_firmware -
intel core_i3-1115g4e_firmware -
intel xeon_e-2124g_firmware -
intel core_i3-7300_firmware -
intel core_i9-11900k_firmware -
intel pentium_gold_g5500t_firmware -
intel core_i3-7320t_firmware -
intel core_i7-11370h_firmware -
intel core_i3-7120t_firmware -
intel xeon_w-2135_firmware -
intel core_i5-8305g_firmware -
intel core_i7-7660u_firmware -
intel xeon_e3-1505l_v6_firmware -
intel xeon_silver_4215r_firmware -
intel core_i3-10300t_firmware -
intel core_i5-11260h_firmware -
intel xeon_e-2226g_firmware -
intel core_i5-8500_firmware -
intel pentium_gold_g6505t_firmware -
intel core_i7-7600u_firmware -
intel core_i9-7940x_firmware -
intel xeon_platinum_9222_firmware -
intel core_i3-8100_firmware -
intel core_i3-9300t_firmware -
intel core_i7-1160g7_firmware -
intel core_i9-11980hk_firmware -
intel core_i5-1130g7_firmware -
intel core_i9-10885h_firmware -
intel xeon_bronze_3206r_firmware -
CVE-2022-42309

Xenstore: Guests can crash xenstored Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the guest e.g. by exceeding the quota value of maximum nodes per domain.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
CVE-2022-42310

Xenstore: Guests can create orphaned Xenstore nodes By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore data base, as the cleanup after the error will not remove all nodes already created. When the transaction is committed after this situation, nodes without a valid parent can be made permanent in the data base.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
CVE-2022-42311

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
CVE-2022-42312

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
CVE-2022-42313

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
CVE-2022-42314

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
CVE-2022-42315

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
CVE-2022-42316

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
CVE-2022-42317

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
CVE-2022-42318

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
CVE-2022-42319

Xenstore: Guests can cause Xenstore to not free temporary memory When working on a request of a guest, xenstored might need to allocate quite large amounts of memory temporarily. This memory is freed only after the request has been finished completely. A request is regarded to be finished only after the guest has read the response message of the request from the ring page. Thus a guest not reading the response can cause xenstored to not free the temporary memory. This can result in memory shortages causing Denial of Service (DoS) of xenstored.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
CVE-2022-42320

Xenstore: Guests can get access to Xenstore nodes of deleted domains Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is normally no problem, as those access right entries will be corrected when such a node is written later. There is a small time window when a new domain is created, where the access rights of a past domain with the same domid as the new one will be regarded to be still valid, leading to the new domain being able to get access to a node which was meant to be accessible by the removed domain. For this to happen another domain needs to write the node before the newly created domain is being introduced to Xenstore by dom0.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
CVE-2022-42321

Xenstore: Guests can crash xenstored via exhausting the stack Xenstored is using recursion for some Xenstore operations (e.g. for deleting a sub-tree of Xenstore nodes). With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
CVE-2022-42322

Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
CVE-2022-42323

Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
debian debian_linux 11.0
xen xen -
fedoraproject fedora 35
CVE-2022-42324

Oxenstored 32->31 bit integer truncation issues Integers in Ocaml are 63 or 31 bits of signed precision. The Ocaml Xenbus library takes a C uint32_t out of the ring and casts it directly to an Ocaml integer. In 64-bit Ocaml builds this is fine, but in 32-bit builds, it truncates off the most significant bit, and then creates unsigned/signed confusion in the remainder. This in turn can feed a negative value into logic not expecting a negative value, resulting in unexpected exceptions being thrown. The unexpected exception is not handled suitably, creating a busy-loop trying (and failing) to take the bad packet out of the xenstore ring.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
CVE-2022-42325

Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
CVE-2022-42326

Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
xen xen *
debian debian_linux 11.0
fedoraproject fedora 35
CVE-2022-42327

x86: unintended memory sharing between guests On Intel systems that support the "virtualize APIC accesses" feature, a guest can read and write the global shared xAPIC page by moving the local APIC out of xAPIC mode. Access to this shared page bypasses the expected isolation that should exist between two guests.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 36
xen xen 4.16
CVE-2022-42330

Guests can cause Xenstore crash via soft reset When a guest issues a "Soft Reset" (e.g. for performing a kexec) the libxl based Xen toolstack will normally perform a XS_RELEASE Xenstore operation. Due to a bug in xenstored this can result in a crash of xenstored. Any other use of XS_RELEASE will have the same impact.

Products Affected

Vendor Product Version
xen xen 4.17.0
CVE-2022-42331

x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
fedoraproject fedora 37
xen xen *
fedoraproject fedora 38
CVE-2022-42332

x86 shadow plus log-dirty mode use-after-free In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tables as well as auxiliary data structures. To migrate or snapshot guests, Xen additionally runs them in so called log-dirty mode. The data structures needed by the log-dirty tracking are part of aformentioned auxiliary data. In order to keep error handling efforts within reasonable bounds, for operations which may require memory allocations shadow mode logic ensures up front that enough memory is available for the worst case requirements. Unfortunately, while page table memory is properly accounted for on the code path requiring the potential establishing of new shadows, demands by the log-dirty infrastructure were not taken into consideration. As a result, just established shadow page tables could be freed again immediately, while other code is still accessing them on the assumption that they would remain allocated.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
fedoraproject fedora 37
xen xen *
debian debian_linux 11.0
fedoraproject fedora 38
CVE-2022-42333

x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

Products Affected

Vendor Product Version
fedoraproject fedora 37
xen xen *
debian debian_linux 11.0
fedoraproject fedora 38
CVE-2022-42334

x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H 2.0 4.0

Products Affected

Vendor Product Version
fedoraproject fedora 37
xen xen *
debian debian_linux 11.0
fedoraproject fedora 38
CVE-2022-42335

x86 shadow paging arbitrary pointer dereference In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Due to too lax a check in one of the hypervisor routines used for shadow page handling it is possible for a guest with a PCI device passed through to cause the hypervisor to access an arbitrary pointer partially under guest control.

Products Affected

Vendor Product Version
xen xen 4.17.0
fedoraproject fedora 38
CVE-2022-42336

Mishandling of guest SSBD selection on AMD hardware The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of how many threads require SSBD active in order to coordinate it, such logic relies on using a per-core counter of threads that have SSBD active. When running on the mentioned hardware, it's possible for a guest to under or overflow the thread counter, because each write to VIRT_SPEC_CTRL.SSBD by the guest gets propagated to the helper that does the per-core active accounting. Underflowing the counter causes the value to get saturated, and thus attempts for guests running on the same core to set SSBD won't have effect because the hypervisor assumes it's already active.

Products Affected

Vendor Product Version
xen xen 4.17
CVE-2022-4949

The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload' function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers with Contributor+ level privileges to upload arbitrary files on the affected sites server which makes remote code execution possible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@wordfence.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
adsanityplugin adsanity *
xen xen -
CVE-2023-20588

A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality. 

Products Affected

Vendor Product Version
fedoraproject fedora 39
amd epyc_7551p_firmware -
amd athlon_pro_300ge_firmware -
debian debian_linux 10.0
amd athlon_gold_3150g_firmware -
xen xen -
amd epyc_7401_firmware -
microsoft windows_server_2008 r2
amd athlon_silver_pro_3125ge_firmware -
amd ryzen_5_pro_3350g_firmware -
amd epyc_7501_firmware -
microsoft windows_11_23h2 *
microsoft windows_server_2008 -
amd ryzen_5_pro_3400ge_firmware -
amd epyc_7551_firmware -
amd ryzen_5_pro_3400g_firmware -
amd epyc_7451_firmware -
microsoft windows_10_22h2 *
amd athlon_silver_3050ge_firmware -
amd ryzen_5_3400g_firmware -
microsoft windows_10_1809 *
microsoft windows_server_2016 *
microsoft windows_server_2019 *
amd epyc_7571_firmware -
amd epyc_7281_firmware -
amd ryzen_5_pro_3350ge_firmware -
amd ryzen_3_pro_3200ge_firmware -
amd epyc_7351p_firmware -
microsoft windows_11_22h2 *
amd epyc_7301_firmware -
microsoft windows_10_1607 *
amd epyc_7601_firmware -
amd epyc_7351_firmware -
amd epyc_7261_firmware -
microsoft windows_server_2022_23h2 *
amd ryzen_3_3200ge_firmware -
amd athlon_gold_pro_3150g_firmware -
fedoraproject fedora 37
debian debian_linux 12.0
microsoft windows_10_1507 *
amd ryzen_3_pro_3200g_firmware -
amd athlon_gold_pro_3150ge_firmware -
microsoft windows_server_2012 -
microsoft windows_10_21h2 *
fedoraproject fedora 38
amd athlon_gold_3150ge_firmware -
amd epyc_7251_firmware -
amd epyc_7371_firmware -
microsoft windows_11_21h2 *
amd epyc_7401p_firmware -
debian debian_linux 11.0
amd ryzen_3_3200g_firmware -
microsoft windows_server_2012 r2
CVE-2023-20593

An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.

Products Affected

Vendor Product Version
amd ryzen_3_pro_4450u_firmware -
amd ryzen_5_3600xt_firmware -
amd ryzen_5_5500u_firmware -
amd epyc_7252_firmware -
amd ryzen_5_3500_firmware -
amd ryzen_7_5700u_firmware -
amd epyc_7282_firmware -
amd ryzen_3_7320u_firmware -
debian debian_linux 10.0
amd epyc_7402p_firmware -
amd epyc_7f32_firmware -
amd epyc_7702_firmware -
amd ryzen_7_3800xt_firmware -
amd epyc_7642_firmware -
amd ryzen_5_pro_4650g_firmware -
amd ryzen_3_pro_4200g_firmware -
amd ryzen_threadripper_pro_3955wx_firmware -
amd ryzen_5_3600x_firmware -
amd epyc_7f72_firmware -
amd ryzen_3_4300g_firmware -
amd epyc_7402_firmware -
amd ryzen_threadripper_pro_3995wx_firmware -
amd ryzen_5_4600g_firmware -
amd ryzen_9_3900xt_firmware -
amd ryzen_7_pro_4750u_firmware -
amd ryzen_threadripper_3960x_firmware -
amd ryzen_9_pro_3900_firmware -
amd ryzen_3_3300x_firmware -
amd epyc_7232p_firmware -
amd epyc_7272_firmware -
amd epyc_7h12_firmware -
xen xen 4.15.0
amd ryzen_5_3500x_firmware -
xen xen 4.14.0
amd epyc_7302p_firmware -
amd ryzen_3_pro_4350ge_firmware -
amd ryzen_7_3700x_firmware -
amd athlon_gold_7220u_firmware -
amd ryzen_5_4600ge_firmware -
amd epyc_7702p_firmware -
debian debian_linux 12.0
amd epyc_7542_firmware -
amd epyc_7662_firmware -
amd epyc_7302_firmware -
amd ryzen_threadripper_pro_3945wx_firmware -
amd epyc_7502p_firmware -
xen xen 4.16.0
amd ryzen_7_4700ge_firmware -
amd epyc_7742_firmware -
amd ryzen_3_pro_4350g_firmware -
amd ryzen_3_4300ge_firmware -
amd ryzen_threadripper_pro_3975wx_firmware -
amd ryzen_7_pro_4750g_firmware -
amd ryzen_5_7520u_firmware -
amd ryzen_3_3100_firmware -
amd epyc_7552_firmware -
amd ryzen_9_3900_firmware -
amd ryzen_5_3600_firmware -
amd ryzen_threadripper_3990x_firmware -
amd epyc_7352_firmware -
amd ryzen_3_5300u_firmware -
amd ryzen_5_pro_4650ge_firmware -
amd ryzen_7_3800x_firmware -
amd epyc_7262_firmware -
amd epyc_7532_firmware -
amd epyc_7f52_firmware -
amd ryzen_9_3900x_firmware -
xen xen 4.17.0
amd epyc_7502_firmware -
amd ryzen_5_pro_4400g_firmware -
debian debian_linux 11.0
amd ryzen_threadripper_3970x_firmware -
amd ryzen_7_4700g_firmware -
amd ryzen_9_3950x_firmware -
amd ryzen_7_pro_4750ge_firmware -
amd epyc_7452_firmware -
CVE-2023-34319

The fix for XSA-423 added logic to Linux'es netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible) headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
linux linux_kernel *
debian debian_linux 10.0
xen xen *
CVE-2023-34320

Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Register (PAR_EL1) in close proximity.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
arm cortex-a77_firmware r0p0
arm cortex-a77_firmware r1p0
xen xen *
CVE-2023-34321

Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

Products Affected

Vendor Product Version
xen xen *
CVE-2023-34322

For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. Since Xen itself needs to be mapped when PV guests run, Xen and shadowed PV guests run directly the respective shadow page tables. For 64-bit PV guests this means running on the shadow of the guest root page table. In the course of dealing with shortage of memory in the shadow pool associated with a domain, shadows of page tables may be torn down. This tearing down may include the shadow root page table that the CPU in question is presently running on. While a precaution exists to supposedly prevent the tearing down of the underlying live page table, the time window covered by that precaution isn't large enough.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
xen xen *
CVE-2023-34323

When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that the quota cannot be negative and are using assert() to confirm it. This will lead to C Xenstored crash when tools are built without -DNDEBUG (this is the default).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
xen xen *
CVE-2023-34324

Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not neglectable. Note that 32-bit Arm-guests are not affected, as the 32-bit Linux kernel on Arm doesn't use queued-RW-locks, which are required to trigger the issue (on Arm32 a waiting writer doesn't block further readers to get the lock).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
linux linux_kernel *
xen xen -
CVE-2023-34325

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the same user as the toolstack (root in a priviledged domain). At least one issue has been reported to the Xen Security Team that allows an attacker to trigger a stack buffer overflow in libfsimage. After further analisys the Xen Security Team is no longer confident in the suitability of libfsimage when run against guest controlled input with super user priviledges. In order to not affect current deployments that rely on pygrub patches are provided in the resolution section of the advisory that allow running pygrub in deprivileged mode. CVE-2023-4949 refers to the original issue in the upstream grub project ("An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub’s XFS file system implementation.") CVE-2023-34325 refers specifically to the vulnerabilities in Xen's copy of libfsimage, which is decended from a very old version of grub.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
xen xen *
CVE-2023-34326

The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unindented memory regions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
xen xen *
CVE-2023-34327

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
xen xen *
CVE-2023-34328

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
xen xen *
CVE-2023-46835

The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
xen xen *
CVE-2023-46836

The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths; one unconditionally, and one conditionally on whether XPTI was active. As BTC/SRSO and Meltdown affect different CPU vendors, the mitigations are not active together by default. Therefore, there is a race condition whereby a malicious PV guest can bypass BTC/SRSO protections and launch a BTC/SRSO attack against Xen.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.0 3.6

Products Affected

Vendor Product Version
xen xen *
CVE-2023-46837

Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory. This undefined behavior was meant to be addressed by XSA-437, but the approach was not sufficient.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

Products Affected

Vendor Product Version
xen xen *
CVE-2023-46839

PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions need an IOMMU context setup, but failure to setup the context is not fatal when the device is assigned. Not failing device assignment when such failure happens can lead to the primary device being assigned to a guest, while some of the phantom functions are assigned to a different domain.

Products Affected

Vendor Product Version
fedoraproject fedora 39
xen xen *
CVE-2023-46840

Incorrect placement of a preprocessor directive in source code results in logic that doesn't operate as intended when support for HVM guests is compiled out of Xen.

Products Affected

Vendor Product Version
fedoraproject fedora 39
xen xen *
CVE-2023-46841

Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exceptions, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing.

Products Affected

Vendor Product Version
fedoraproject fedora 40
xen xen *
CVE-2023-46842

Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values. Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash.

Products Affected

Vendor Product Version
fedoraproject fedora 40
xen xen *
fedoraproject fedora 38
CVE-2023-4949

An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub’s XFS file system implementation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@google.com 8.1 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H 1.5 6.0
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
gnu grub *
xen xen -
CVE-2024-31142

Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html

Products Affected

Vendor Product Version
fedoraproject fedora 40
xen xen *
fedoraproject fedora 38
CVE-2024-31143

An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held.

Products Affected

Vendor Product Version
xen xen *
CVE-2024-31144

For a brief summary of Xapi terminology, see: https://xapi-project.github.io/xen-api/overview.html#object-model-overview Xapi contains functionality to backup and restore metadata about Virtual Machines and Storage Repositories (SRs). The metadata itself is stored in a Virtual Disk Image (VDI) inside an SR. This is used for two purposes; a general backup of metadata (e.g. to recover from a host failure if the filer is still good), and Portable SRs (e.g. using an external hard drive to move VMs to another host). Metadata is only restored as an explicit administrator action, but occurs in cases where the host has no information about the SR, and must locate the metadata VDI in order to retrieve the metadata. The metadata VDI is located by searching (in UUID alphanumeric order) each VDI, mounting it, and seeing if there is a suitable metadata file present. The first matching VDI is deemed to be the metadata VDI, and is restored from. In the general case, the content of VDIs are controlled by the VM owner, and should not be trusted by the host administrator. A malicious guest can manipulate its disk to appear to be a metadata backup. A guest cannot choose the UUIDs of its VDIs, but a guest with one disk has a 50% chance of sorting ahead of the legitimate metadata backup. A guest with two disks has a 75% chance, etc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 3.8 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 2.0 1.4

Products Affected

Vendor Product Version
xen xapi *
CVE-2024-31145

Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

Products Affected

Vendor Product Version
xen xen *
CVE-2024-31146

When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

Products Affected

Vendor Product Version
xen xen -
CVE-2024-45817

In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock.

Products Affected

Vendor Product Version
xen xen *
CVE-2024-45818

The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the (virtual) VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a problem when emulating an instruction with two memory accesses, both of which touch VGA memory (plus some further constraints which aren't relevant here). When emulating the 2nd access, the lock that is already being held would be attempted to be re-acquired, resulting in a deadlock. This deadlock was already found when the code was first introduced, but was analysed incorrectly and the fix was incomplete. Analysis in light of the new finding cannot find a way to make the existing locking discipline work. In staging, this logic has all been removed because it was discovered to be accidentally disabled since Xen 4.7. Therefore, we are fixing the locking problem by backporting the removal of most of the feature. Note that even with the feature disabled, the lock would still be acquired for any accesses to the VGA MMIO region.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0

Products Affected

Vendor Product Version
xen xen *
CVE-2024-45819

PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is left with its prior contents.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
xen xen *
CVE-2025-1713

When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
xen xen *
CVE-2025-27465

Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be handled gracefully. Certain replayed instructions have additional logic to set up and recover the changes to the arithmetic flags. For replayed instructions where the flags recovery logic is used, the metadata for exception handling was incorrect, preventing Xen from handling the the exception gracefully, treating it as fatal instead.

Products Affected

Vendor Product Version
xen xen *
CVE-2025-27466

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
xen xen *
CVE-2025-58142

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
xen xen *
CVE-2025-58143

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
xen xen *
CVE-2025-58144

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. This is CVE-2025-58145.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
xen xen *
CVE-2025-58145

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. This is CVE-2025-58145.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
xen xen *
CVE-2025-58147

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. * CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
xen xen *
CVE-2025-58148

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. * CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
xen xen *
CVE-2025-58149

When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the permission leak allows the domain itself to map the memory in the page-tables. For HVM it would require a compromised device model or stubdomain to map the leaked memory into the HVM domain p2m.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
xen xen *
CVE-2025-58150

Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

Products Affected

Vendor Product Version
xen xen -
CVE-2026-23553

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 2.9 LOW CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 1.4 1.4

Products Affected

Vendor Product Version
xen xen *