Off-by-one error in the __addr_ok macro in Xen 3.3 and earlier allows local 64 bit PV guest administrators to cause a denial of service (host crash) via unspecified hypercalls that ignore virtual-address bits.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 3.2.0 |
| xen | xen | 3.2.3 |
| xen | xen | * |
| xen | xen | 3.1.3 |
| xen | xen | 3.1.4 |
| xen | xen | 3.0.3 |
| xen | xen | 3.2.1 |
| xen | xen | 3.2.2 |
| xen | xen | 3.0.2 |
| xen | xen | 3.0.4 |
Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| qemu | qemu | 0.15.0 |
| xen | xen | - |
| redhat | enterprise_linux | 5 |
| qemu | qemu | * |
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.0.1 |
| microsoft | windows_server_2008 | r2 |
| microsoft | windows_7 | * |
| joyent | smartos | * |
| xen | xen | 4.0.4 |
| illumos | illumos | * |
| sun | sunos | * |
| freebsd | freebsd | * |
| citrix | xenserver | 6.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| microsoft | windows_xp | * |
| xen | xen | * |
| netbsd | netbsd | * |
| citrix | xenserver | * |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| microsoft | windows_server_2003 | * |
Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space."
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | virtualization | 5.0 |
| opensuse | opensuse | 11.4 |
| canonical | ubuntu_linux | 12.04 |
| suse | linux_enterprise_server | 10 |
| redhat | enterprise_linux_workstation | 5.0 |
| redhat | enterprise_linux_server | 5.0 |
| qemu | qemu | * |
| suse | linux_enterprise_desktop | 10 |
| redhat | enterprise_linux_workstation | 6.0 |
| suse | linux_enterprise_server | 11 |
| redhat | virtualization | 6.0 |
| xen | xen | 4.1.0 |
| opensuse | opensuse | 12.1 |
| suse | linux_enterprise_software_development_kit | 11 |
| redhat | enterprise_linux_desktop | 6.0 |
| debian | debian_linux | 7.0 |
| opensuse | opensuse | 12.2 |
| debian | debian_linux | 6.0 |
| suse | linux_enterprise_desktop | 11 |
| redhat | enterprise_linux_desktop | 5.0 |
| redhat | enterprise_linux_eus | 6.3 |
| canonical | ubuntu_linux | 11.04 |
| xen | xen | 4.0.0 |
| canonical | ubuntu_linux | 10.04 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | virtualization | 3.0 |
| canonical | ubuntu_linux | 11.10 |
| suse | linux_enterprise_software_development_kit | 10 |
The graphical console in Xen 4.0, 4.1 and 4.2 allows local OS guest administrators to obtain sensitive host resource information via the qemu monitor. NOTE: this might be a duplicate of CVE-2007-0998.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges via unspecified vectors that overwrite memory in the hypervisor reserved range.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.1.1 |
| xen | xen | * |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 3.0.2 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 3.1.4 |
| xen | xen | 3.0.3 |
| xen | xen | 3.2.1 |
| xen | xen | 3.0.4 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.1.3 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.1.2 |
The do_tmem_op function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (host crash) and possibly have other unspecified impacts via unspecified vectors related to "broken locking checks" in an "error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
The do_tmem_get function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (CPU hang and host crash) via unspecified vectors related to a spinlock being held in the "bad_copy error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
Multiple integer overflows in the (1) tmh_copy_from_client and (2) tmh_copy_to_client functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (memory corruption and host crash) via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
The do_tmem_control function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly check privileges, which allows local guest OS users to access control stack operations via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
The (1) tmemc_save_get_next_page and (2) tmemc_save_get_next_inv functions and the (3) TMEMC_SAVE_GET_POOL_UUID sub-operation in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 "do not check incoming guest output buffer pointers," which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
The do_tmem_destroy_pool function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly validate pool ids, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
The (1) memc_save_get_next_page, (2) tmemc_restore_put_page and (3) tmemc_restore_flush_page functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 do not check for negative id pools, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or possibly execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
Multiple HVM control operations in Xen 3.4 through 4.2 allow local HVM guest OS administrators to cause a denial of service (physical CPU consumption) via a large input.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.0.1 |
| xen | xen | 4.0.4 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
The do_hvm_op function in xen/arch/x86/hvm/hvm.c in Xen 4.2.x on the x86_32 platform does not prevent HVM_PARAM_NESTEDHVM (aka nested virtualization) operations, which allows guest OS users to cause a denial of service (long-duration page mappings and host OS crash) by leveraging administrative access to an HVM guest in a domain with a large number of VCPUs.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | 4.2.0 |
Memory leak in Xen 4.2 and unstable allows local HVM guests to cause a denial of service (host memory consumption) by performing nested virtualization in a way that triggers errors that are not properly handled.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.0 |
The AMD IOMMU support in Xen 4.2.x, 4.1.x, 3.3, and other versions, when using AMD-Vi for PCI passthrough, uses the same interrupt remapping table for the host and all guests, which allows guests to cause a denial of service by injecting an interrupt into other guests.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.1 |
| xen | xen | 4.1.4 |
| xen | xen | 4.2.1 |
| xen | xen | 4.1.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.1.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.2 |
The get_page_type function in xen/arch/x86/mm.c in Xen 4.2, when debugging is enabled, allows local PV or HVM guest administrators to cause a denial of service (assertion failure and hypervisor crash) via unspecified vectors related to a hypercall.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.0 |
oxenstored in Xen 4.1.x, Xen 4.2.x, and xen-unstable does not properly consider the state of the Xenstore ring during read operations, which allows guest OS users to cause a denial of service (daemon crash and host-control outage, or memory consumption) or obtain sensitive control-plane data by leveraging guest administrative access.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.1 |
| xen | xen | 4.1.4 |
| xen | xen | 4.2.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.1.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.2 |
The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third party information.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 3.2.0 |
| linux | linux_kernel | 2.6.18 |
| xen | xen | 3.2.3 |
| xen | xen | 3.1.3 |
| xen | xen | 3.1.4 |
| linux | linux_kernel | 3.8 |
| xen | xen | 3.0.3 |
| xen | xen | 3.2.1 |
| xen | xen | 3.2.2 |
| xen | xen | 3.0.2 |
| xen | xen | 3.0.4 |
Xen 4.1.x and 4.2.x, when the XSA-45 patch is in place, does not properly maintain references on pages stored for deferred cleanup, which allows local PV guest kernels to cause a denial of service (premature page free and hypervisor crash) or possibly gain privileges via unspecified vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.1 |
| xen | xen | 4.1.4 |
| xen | xen | 4.2.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.1.5 |
| xen | xen | 4.1.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.2 |
Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCPU after touching other restored extended registers, which allows local guest OSes to obtain sensitive information by reading the registers.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.2 |
Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instruction, which allows PV guest users to cause a denial of service (hypervisor crash) by triggering a #GP fault, which is not properly handled by another IRET instruction.
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 3.1.4 |
| xen | xen | 3.2.1 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.1.3 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to "deep page table traversal."
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.1 |
| xen | xen | 4.1.4 |
| xen | xen | 4.2.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.1.5 |
| xen | xen | 4.1.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.2 |
Xen 4.2.x and 4.1.x does not properly restrict access to IRQs, which allows local stub domain clients to gain access to IRQs and cause a denial of service via vectors related to "passed-through IRQs or PCI devices."
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.1 |
| xen | xen | 4.1.4 |
| xen | xen | 4.2.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.1.5 |
| xen | xen | 4.1.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.2 |
Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running "under memory pressure" and the Xen Security Module (XSM) is enabled, uses the wrong ordering of operations when extending the per-domain event channel tracking table, which causes a use-after-free and allows local guest kernels to inject arbitrary events and gain privileges via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 3.0.2 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 3.1.4 |
| xen | xen | 3.0.3 |
| xen | xen | 3.2.1 |
| xen | xen | 3.0.4 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.1.3 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.1.2 |
qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk image based on the header, which allows local guest OS administrators to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted, a different vulnerability than CVE-2008-2004.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
Xen 4.x, when using Intel VT-d for a bus mastering capable PCI device, does not properly check the source when accessing a bridge device's interrupt remapping table entries for MSI interrupts, which allows local guest domains to cause a denial of service (interrupt injection) via unspecified vectors.
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.0.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.2 |
Xen 4.0.x and 4.1.x incorrectly releases a grant reference when releasing a non-v1, non-transitive grant, which allows local guest administrators to cause a denial of service (host crash), obtain sensitive information, or possibly have other impacts via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.1 |
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.2 |
| xen | xen | 4.0.0 |
Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to configure VCPU affinity to cause a denial of service (memory corruption and xend toolstack crash) and possibly gain privileges via a crafted cpumap.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.2 |
Xen 4.0.x, 4.1.x, and 4.2.x, when running on AMD64 processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one domain to determine portions of the state of floating point instructions of other domains, which can be leveraged to obtain sensitive information such as cryptographic keys, a similar vulnerability to CVE-2006-1056. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.2 |
Xen 4.0.x, 4.1.x, and 4.2.x does not properly restrict the contents of a XRSTOR, which allows local PV guest users to cause a denial of service (unhandled exception and hypervisor crash) via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.2 |
Xen 4.0.2 through 4.0.4, 4.1.x, and 4.2.x allows local PV guest users to cause a denial of service (hypervisor crash) via certain bit combinations to the XSETBV instruction.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.2 |
Multiple integer overflows in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | * |
| xen | xen | 4.2.0 |
The Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to "pointer dereferences" involving unexpected calculations.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | * |
| xen | xen | 4.2.0 |
Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to "other problems" that are not CVE-2013-2194 or CVE-2013-2195.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | * |
| xen | xen | 4.2.0 |
The libxenlight (libxl) toolstack library in Xen 4.0.x, 4.1.x, and 4.2.x uses weak permissions for xenstore keys for paravirtualised and emulated serial console devices, which allows local guest administrators to modify the xenstore value via unspecified vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.2 |
The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling caches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 3.4.0 |
| xen | xen | 4.1.5 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.2 |
The Intel VT-d Interrupt Remapping engine in Xen 3.3.x through 4.3.x allows local guests to cause a denial of service (kernel panic) via a malformed Message Signaled Interrupt (MSI) from a PCI device that is bus mastering capable that triggers a System Error Reporting (SERR) Non-Maskable Interrupt (NMI).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | opensuse | 13.2 |
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| opensuse | opensuse | 13.1 |
| xen | xen | 4.0.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is disabled, provides access to a busmastering-capable PCI passthrough device before the IOMMU setup is complete, which allows local HVM guest domains to gain privileges or cause a denial of service via a DMA instruction.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.2 |
Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | * |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 3.0.2 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 3.1.4 |
| xen | xen | 3.0.3 |
| xen | xen | 3.2.1 |
| xen | xen | 3.0.4 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.1.3 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Xen 4.3.x writes hypervisor mappings to certain shadow pagetables when live migration is performed on hosts with more than 5TB of RAM, which allows local 64-bit PV guests to read or write to invalid memory and cause a denial of service (crash).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.3.0 |
The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 3.4.0 |
| xen | xen | 4.1.5 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.2 |
The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | * |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 3.0.2 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 3.1.4 |
| xen | xen | 3.0.3 |
| xen | xen | 3.2.1 |
| xen | xen | 3.0.4 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.1.3 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The xlu_vif_parse_rate function in the libxlu library in Xen 4.2.x and 4.3.x allows local users to cause a denial of service (NULL pointer dereference) by using the "@" character as the VIF rate configuration.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x and 4.3.x frees certain memory that may still be intended for use, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors that trigger a (1) use-after-free or (2) double free.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
Use-after-free vulnerability in the libxl_list_cpupool function in the libxl toolstack library in Xen 4.2.x and 4.3.x, when running "under memory pressure," returns the original pointer when the realloc function fails, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors.
CVSS 2.0
Severity: LOW
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | 4.2.3 |
| qemu | qemu | 1.1 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
The Ocaml xenstored implementation (oxenstored) in Xen 4.1.x, 4.2.x, and 4.3.x allows local guest domains to cause a denial of service (domain shutdown) via a large message reply.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| xen | xen | * |
Xen 4.2.x and 4.3.x, when nested virtualization is disabled, does not properly check the emulation paths for (1) VMLAUNCH and (2) VMRESUME, which allows local HVM guest users to cause a denial of service (host crash) via unspecified vectors related to "guest VMX instruction execution."
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.0.4 |
| xen | xen | 3.4.0 |
| xen | xen | 4.1.5 |
| xen | xen | 3.4.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 3.4.2 |
| xen | xen | 4.3.1 |
| xen | xen | 3.4.3 |
| xen | xen | 4.2.3 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 3.1.4 |
| xen | xen | 3.0.3 |
| xen | xen | 3.2.1 |
| xen | xen | 3.0.4 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.1.3 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Xen 4.2.x and 4.3.x, when using Intel VT-d for PCI passthrough, does not properly flush the TLB after clearing a present translation table entry, which allows local guest administrators to cause a denial of service or gain privileges via unspecified vectors related to an "inverted boolean parameter."
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.0 |
| opensuse | opensuse | 13.1 |
| xen | xen | 4.2.2 |
Xen 4.2.x and 4.3.x, when using Intel VT-d and a PCI device has been assigned, does not clear the flag that suppresses IOMMU TLB flushes when unspecified errors occur, which causes the TLB entries to not be flushed and allows local guest administrators to cause a denial of service (host crash) or gain privileges via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough and configured to support a large number of CPUs, frees certain memory that may still be intended for use, which allows local guest administrators to cause a denial of service (memory corruption and hypervisor crash) and possibly execute arbitrary code via vectors related to an out-of-memory error that triggers a (1) use-after-free or (2) double free.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests to cause a denial of service (host or guest malfunction) or possibly gain privileges via unspecified vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.3.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.6.1 |
Multiple integer overflows in the (1) FLASK_GETBOOL, (2) FLASK_SETBOOL, (3) FLASK_USER, and (4) FLASK_CONTEXT_TO_SID suboperations in the flask hypercall in Xen 4.3.x, 4.2.x, 4.1.x, 3.2.x, and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1892, CVE-2014-1893, and CVE-2014-1894.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | * |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.1.6.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.1.5 |
| xen | xen | 3.2.1 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Xen 3.3 through 4.1, when XSM is enabled, allows local users to cause a denial of service via vectors related to a "large memory allocation," a different vulnerability than CVE-2014-1891, CVE-2014-1893, and CVE-2014-1894.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 3.4.0 |
| xen | xen | 4.1.5 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
Multiple integer overflows in the (1) FLASK_GETBOOL and (2) FLASK_SETBOOL suboperations in the flask hypercall in Xen 4.1.x, 3.3.x, 3.2.x, and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1891, CVE-2014-1892, and CVE-2014-1894.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.1.1 |
| xen | xen | * |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 3.2.1 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.1.2 |
Multiple integer overflows in unspecified suboperations in the flask hypercall in Xen 3.2.x and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1891, CVE-2014-1892, and CVE-2014-1893.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 3.2.0 |
| xen | xen | * |
| xen | xen | 3.1.3 |
| xen | xen | 3.1.4 |
| xen | xen | 3.0.3 |
| xen | xen | 3.2.1 |
| xen | xen | 3.2.2 |
| xen | xen | 3.0.2 |
| xen | xen | 3.0.4 |
Off-by-one error in the flask_security_avc_cachestats function in xsm/flask/flask_op.c in Xen 4.2.x and 4.3.x, when the maximum number of physical CPUs are in use, allows local users to cause a denial of service (host crash) or obtain sensitive information from hypervisor memory by leveraging a FLASK_AVC_CACHESTAT hypercall, which triggers a buffer over-read.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
The (1) do_send and (2) do_recv functions in io.c in libvchan in Xen 4.2.x, 4.3.x, and 4.4-RC series allows local guests to cause a denial of service or possibly gain privileges via crafted xenstore ring indexes, which triggers a "read or write past the end of the ring."
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen 4.1.x through 4.3.x, when using a multithreaded toolstack, does not properly handle a failure by the xc_cpumap_alloc function, which allows local users with access to management functions to cause a denial of service (heap corruption) and possibly gain privileges via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
The netback driver in Xen, when using certain Linux versions that do not allow sleeping in softirq context, allows local guest administrators to cause a denial of service ("scheduling while atomic" error and host crash) via a malformed packet, which causes a mutex to be taken when trying to disable the interface.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | - |
The HVMOP_set_mem_access HVM control operations in Xen 4.1.x for 32-bit and 4.1.x through 4.4.x for 64-bit allow local guest administrators to cause a denial of service (CPU consumption) by leveraging access to certain service domains for HVM guests and a large input.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 4.1.5 |
| xen | xen | 4.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
Xen 4.4.x, when running on ARM systems, does not properly restrict access to hardware features, which allows local guest users to cause a denial of service (host or guest crash) via unspecified vectors, related to (1) cache control, (2) coprocessors, (3) debug registers, and (4) other unspecified registers.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.0 |
The vgic_distr_mmio_write function in the virtual guest interrupt controller (GIC) distributor (arch/arm/vgic.c) in Xen 4.4.x, when running on an ARM system, allows local guest users to cause a denial of service (NULL pointer dereference and host crash) via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.0 |
The HVMOP_set_mem_type control in Xen 4.1 through 4.4.x allows local guest HVM administrators to cause a denial of service (hypervisor crash) or possibly execute arbitrary code by leveraging a separate qemu-dm vulnerability to trigger invalid page table translations for unspecified memory page types.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
Xen 4.4.x, when running on an ARM system, does not properly context switch the CNTKCTL_EL1 register, which allows local guest users to modify the hardware timers and cause a denial of service (crash) via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.0 |
The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr.
CVSS 2.0
Severity: LOW
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| redhat | libvirt | * |
The ARM image loading functionality in Xen 4.4.x does not properly validate kernel length, which allows local users to read system memory or cause a denial of service (crash) via a crafted 32-bit ARM guest kernel in an image, which triggers a buffer overflow.
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.0 |
Buffer overflow in Xen 4.4.x allows local users to read system memory or cause a denial of service (crash) via a crafted 32-bit guest kernel, related to searching for an appended DTB.
CVSS 2.0
Severity: LOW
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.0 |
Xen 4.4.x does not properly check alignment, which allows local users to cause a denial of service (crash) via an unspecified field in a DTB header in a 32-bit guest kernel.
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.0 |
Xen 4.4.x does not properly validate the load address for 64-bit ARM guest kernels, which allows local users to read system memory or cause a denial of service (crash) via a crafted kernel, which triggers a buffer overflow.
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.0 |
The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x does not properly check the return value from the IRQ setup check, which allows local HVM guest administrators to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| opensuse | opensuse | 12.3 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| opensuse | opensuse | 13.1 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x allows local guest HVM administrators to cause a denial of service (host crash) via a large number of crafted requests, which trigger an error messages to be logged.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| opensuse | opensuse | 12.3 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| opensuse | opensuse | 13.1 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
Xen 4.4.x, when running on an ARM system, does not properly check write permissions on virtual addresses, which allows local guest administrators to gain privileges via unspecified vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.0 |
Xen 3.2.x through 4.4.x does not properly clean memory pages recovered from guests, which allows local guest OS users to obtain sensitive information via unspecified vectors.
CVSS 2.0
Severity: LOW
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.0.4 |
| xen | xen | 3.2.3 |
| xen | xen | 4.1.5 |
| xen | xen | 3.2.1 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 3.2.2 |
| xen | xen | 4.4.0 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
The alloc_domain_struct function in arch/arm/domain.c in Xen 4.4.x, when running on an ARM platform, does not properly initialize the structure containing the grant table pages for a domain, which allows local guest administrators to obtain sensitive information via the GNTTABOP_setup_table subhypercall.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.0 |
Certain MMU virtualization operations in Xen 4.2.x through 4.4.x before the xsa97-hap patch, when using Hardware Assisted Paging (HAP), are not preemptible, which allows local HVM guest to cause a denial of service (vcpu consumption) by invoking these operations, which process every page assigned to a guest, a different vulnerability than CVE-2014-5149.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | opensuse | 13.2 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| opensuse | opensuse | 13.1 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
Xen 4.4.x, when running a 64-bit kernel on an ARM system, does not properly handle traps from the guest domain that use a different address width, which allows local guest users to cause a denial of service (host crash) via a crafted 32-bit process.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.0 |
Xen 4.4.x, when running on an ARM system and "handling an unknown system register access from 64-bit userspace," returns to an instruction of the trap handler for kernel space faults instead of an instruction that is associated with faults in 64-bit userspace, which allows local guest users to cause a denial of service (crash) and possibly gain privileges via a crafted process.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.1 |
| xen | xen | 4.4.0 |
Certain MMU virtualization operations in Xen 4.2.x through 4.4.x, when using shadow pagetables, are not preemptible, which allows local HVM guest to cause a denial of service (vcpu consumption) by invoking these operations, which process every page assigned to a guest, a different vulnerability than CVE-2014-5146.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | opensuse | 13.2 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| opensuse | opensuse | 13.1 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
The evtchn_fifo_set_pending function in Xen 4.4.x allows local guest users to cause a denial of service (host crash) via vectors involving an uninitialized FIFO-based event channel control block when (1) binding or (2) moving an event to a different VCPU.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.1 |
| xen | xen | 4.4.0 |
Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x does not ensure possession of the guarding lock for dirty video RAM tracking, which allows certain local guest domains to cause a denial of service via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| xen | xen | 4.1.4 |
| opensuse | opensuse | 12.3 |
| xen | xen | 4.1.3 |
| xen | xen | 4.1.5 |
| xen | xen | 4.4.1 |
| opensuse | opensuse | 13.1 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| fedoraproject | fedora | 20 |
| xen | xen | 4.3.1 |
| fedoraproject | fedora | 19 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode permissions, which allows local HVM users to cause a denial of service (guest crash) or gain guest kernel mode privileges via vectors involving an (1) HLT, (2) LGDT, (3) LIDT, or (4) LMSW instruction.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| fedoraproject | fedora | 19 |
| xen | xen | * |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 3.0.2 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| debian | debian_linux | 7.0 |
| xen | xen | 4.0.1 |
| opensuse | opensuse | 12.3 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 3.1.4 |
| xen | xen | 3.0.3 |
| xen | xen | 3.2.1 |
| opensuse | opensuse | 13.1 |
| xen | xen | 3.0.4 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| fedoraproject | fedora | 20 |
| xen | xen | 3.4.2 |
| xen | xen | 3.1.3 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 3.3.x through 4.4.x does not check the supervisor mode permissions for instructions that generate software interrupts, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.3.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.4.1 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
The hvm_msr_read_intercept function in arch/x86/hvm/hvm.c in Xen 4.1 through 4.4.x uses an improper MSR range for x2APIC emulation, which allows local HVM guests to cause a denial of service (host crash) or read data from the hypervisor or other guests via unspecified vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 4.1.5 |
| xen | xen | 4.4.1 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not properly restrict updates to only PV page tables, which allows remote PV guests to cause a denial of service (NULL pointer dereference) by leveraging hardware emulation services for HVM guests using Hardware Assisted Paging (HAP).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| opensuse | opensuse | 13.2 |
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| opensuse | opensuse | 13.1 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest users to gain privileges or cause a denial of service (crash) via a crafted (1) CALL, (2) JMP, (3) RETF, (4) LCALL, (5) LJMP, or (6) LRET far branch instruction.
CVSS 2.0
Severity: LOW
Problem Type: CWE-17,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | opensuse | 13.2 |
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| debian | debian_linux | 7.0 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 3.2.1 |
| opensuse | opensuse | 13.1 |
| xen | xen | 4.0.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The compatibility mode hypercall argument translation in Xen 3.3.x through 4.4.x, when running on a 64-bit hypervisor, allows local 32-bit HVM guests to cause a denial of service (host crash) via vectors involving altering the high halves of registers while in 64-bit mode.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-17,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | opensuse | 13.2 |
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| debian | debian_linux | 7.0 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| opensuse | opensuse | 13.1 |
| xen | xen | 4.0.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The acceleration support for the "REP MOVS" instruction in Xen 4.4.x, 3.2.x, and earlier lacks properly bounds checking for memory mapped I/O (MMIO) emulated in the hypervisor, which allows local HVM guests to cause a denial of service (host crash) via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-17,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| opensuse | opensuse | 13.2 |
| redhat | enterprise_linux | 5.0 |
| xen | xen | 3.2.3 |
| xen | xen | * |
| xen | xen | 4.4.1 |
| xen | xen | 3.2.1 |
| xen | xen | 3.2.2 |
| xen | xen | 4.4.0 |
| opensuse | opensuse | 13.1 |
| redhat | enterprise_linux_desktop | 5.0 |
The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | opensuse | 13.2 |
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| debian | debian_linux | 7.0 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 3.2.1 |
| opensuse | opensuse | 13.1 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
common/spinlock.c in Xen 4.4.x and earlier does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability to CVE-2014-9066.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-17,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | opensuse | 13.2 |
| xen | xen | * |
| opensuse | opensuse | 13.1 |
Xen 4.4.x and earlier, when using a large number of VCPUs, does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability than CVE-2014-9065.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-17,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | opensuse | 13.2 |
| xen | xen | * |
| opensuse | opensuse | 13.1 |
The vgic_v2_to_sgi function in arch/arm/vgic-v2.c in Xen 4.5.x, when running on ARM hardware with general interrupt controller (GIC) version 2, allows local guest users to cause a denial of service (host crash) by writing an invalid value to the GICD.SGIR register.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.5.0 |
Use-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows remote domains to cause a denial of service (system crash) via a crafted hypercall during HVM guest teardown.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | opensuse | 13.2 |
| xen | xen | 4.4.1 |
| xen | xen | 4.2.5 |
| opensuse | opensuse | 13.1 |
| xen | xen | 4.3.2 |
| xen | xen | 4.2.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.2.2 |
drivers/xen/usbback/usbback.c in linux-2.6.18-xen-3.4.0 (aka the Xen 3.4.x support patches for the Linux kernel 2.6.18), as used in the Linux kernel 2.6.x and 3.x in SUSE Linux distributions, allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory via unspecified vectors.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 3.4.2 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.3 |
| xen | xen | 3.4.4 |
| xen | xen | 3.4.1 |
The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows local guests to cause a denial of service by causing a large number messages to be logged.
CVSS 2.0
Severity: LOW
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.0.1 |
| xen | xen | 4.1.3 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| fedoraproject | fedora | 21 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.2.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 3.2.1 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not properly initialize data structures, which allows local guest users to obtain sensitive information via unspecified vectors.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| fedoraproject | fedora | 22 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| debian | debian_linux | 7.0 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 3.2.1 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| fedoraproject | fedora | 20 |
| fedoraproject | fedora | 21 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly restrict access to PCI command registers, which might allow local guest OS users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| ubuntu | ubuntu | 12.04 |
| xen | xen | 4.1.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 4.0.0 |
| linux | linux_kernel | * |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore segment overrides for instructions with register operands, which allows local guest users to obtain sensitive information, cause a denial of service (memory corruption), or possibly execute arbitrary code via unspecified vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| fedoraproject | fedora | 22 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| debian | debian_linux | 7.0 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 3.2.1 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| fedoraproject | fedora | 20 |
| fedoraproject | fedora | 21 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configuration disables them, which allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compiled with SDL support.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 20 |
| fedoraproject | fedora | 21 |
| xen | xen | * |
| fedoraproject | fedora | 22 |
Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allows remote domains with partial management control to cause a denial of service (host lock) via unspecified domctl operations.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-17,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 20 |
| fedoraproject | fedora | 21 |
| xen | xen | 4.3.1 |
| xen | xen | 4.4.1 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.5.0 |
| xen | xen | 4.3.2 |
The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a PCI passthrough device, is not preemptible, which allows local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 20 |
| fedoraproject | fedora | 21 |
| xen | xen | 4.3.1 |
| xen | xen | 4.4.1 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.5.0 |
| xen | xen | 4.3.2 |
QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 12.04 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 4.3.2 |
| fedoraproject | fedora | 20 |
| fedoraproject | fedora | 21 |
| xen | xen | 4.3.1 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 15.04 |
| canonical | ubuntu_linux | 14.10 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| canonical | ubuntu_linux | 14.04 |
Stack-based buffer overflow in the xl command line utility in Xen 4.1.x through 4.5.x allows local guest administrators to gain privileges via a long configuration argument.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 4.1.5 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.4.2 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.4 |
| xen | xen | 4.4.0 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| suse | linux_enterprise_desktop | 12 |
| xen | xen | 4.4.1 |
| suse | linux_enterprise_software_development_kit | 12 |
| xen | xen | 4.5.0 |
| xen | xen | 4.2.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| fedoraproject | fedora | 22 |
| debian | debian_linux | 7.0 |
| suse | suse_linux_enterprise_software_development_kit | 11.0 |
| xen | xen | 4.2.5 |
| opensuse | opensuse | 13.1 |
| suse | suse_linux_enterprise_server | 11.0 |
| xen | xen | 4.3.2 |
| suse | suse_linux_enterprise_desktop | 11.0 |
| suse | suse_linux_enterprise_server | 12 |
| fedoraproject | fedora | 20 |
| fedoraproject | fedora | 21 |
| xen | xen | 4.4.2 |
| debian | debian_linux | 8.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.2.2 |
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 4.0 |
| redhat | enterprise_linux | 6.0 |
| redhat | openstack | 5.0 |
| redhat | openstack | 6.0 |
| redhat | enterprise_linux | 7.0 |
| xen | xen | 4.5.0 |
| redhat | enterprise_linux | 5 |
| redhat | openstack | 7.0 |
| qemu | qemu | * |
| redhat | enterprise_virtualization | 3.0 |
Xen 3.3.x through 4.5.x does not properly restrict write access to the host MSI message data field, which allows local x86 HVM guest administrators to cause a denial of service (host interrupt handling confusion) via vectors related to qemu and accessing spanning multiple fields.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 4.3.2 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Xen 3.3.x through 4.5.x does not properly restrict access to PCI MSI mask bits, which allows local x86 HVM guest users to cause a denial of service (unexpected interrupt and host crash) via unspecified vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 4.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through error messages, which allows local x86 HVM guests to cause a denial of service (host disk consumption) via certain invalid operations.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 4.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
GNTTABOP_swap_grant_ref in Xen 4.2 through 4.5 does not check the grant table operation version, which allows local guest domains to cause a denial of service (NULL pointer dereference) via a hypercall without a GNTTABOP_setup_table or GNTTABOP_set_version.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.4.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.4 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.5.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.2.0 |
The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via a hypercall_iret call with EFLAGS.VM set.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| xen | xen | 3.1.4 |
| xen | xen | 3.2.1 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.1.3 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| suse | linux_enterprise_desktop | 12 |
| xen | xen | 4.5.1 |
| suse | linux_enterprise_debuginfo | 11 |
| suse | linux_enterprise_software_development_kit | 12 |
| suse | linux_enterprise_desktop | 11 |
| qemu | qemu | * |
| suse | suse_linux_enterprise_server | 12 |
| fedoraproject | fedora | 21 |
| xen | xen | * |
| fedoraproject | fedora | 23 |
| suse | linux_enterprise_server | 11 |
| fedoraproject | fedora | 22 |
| suse | linux_enterprise_software_development_kit | 11 |
The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-908,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_server_eus_from_rhui | 6.7 |
| redhat | enterprise_linux_server_update_services_for_sap_solutions | 7.6 |
| redhat | enterprise_linux_compute_node_eus | 7.6 |
| suse | linux_enterprise_server | 10 |
| redhat | enterprise_linux_workstation | 7.0 |
| redhat | enterprise_linux_for_scientific_computing | 7.0 |
| redhat | enterprise_linux_compute_node_eus | 7.5 |
| oracle | linux | 7 |
| redhat | enterprise_linux_for_power_big_endian | 7.0 |
| redhat | enterprise_linux_server_update_services_for_sap_solutions | 7.2 |
| redhat | enterprise_linux_server_update_services_for_sap_solutions | 7.7 |
| redhat | enterprise_linux_server_tus | 7.6 |
| xen | xen | * |
| suse | linux_enterprise_server | 11 |
| redhat | enterprise_linux_server_aus | 7.6 |
| fedoraproject | fedora | 22 |
| redhat | enterprise_linux_desktop | 6.0 |
| debian | debian_linux | 7.0 |
| redhat | enterprise_linux_for_power_big_endian_eus | 7.3_ppc64 |
| redhat | enterprise_linux_server_aus | 7.4 |
| redhat | enterprise_linux_for_power_big_endian_eus | 7.4_ppc64 |
| redhat | enterprise_linux_server_eus | 7.6 |
| arista | eos | 4.13 |
| arista | eos | 4.12 |
| redhat | enterprise_linux_compute_node_eus | 7.7 |
| arista | eos | 4.15 |
| redhat | enterprise_linux_eus_compute_node | 6.7 |
| redhat | enterprise_linux_server_eus | 7.5 |
| fedoraproject | fedora | 21 |
| redhat | enterprise_linux_server_eus | 7.3 |
| redhat | enterprise_linux_compute_node_eus | 7.4 |
| redhat | virtualization | 3.0 |
| redhat | openstack | 6.0 |
| redhat | enterprise_linux_server_tus | 7.3 |
| redhat | enterprise_linux_for_power_big_endian_eus | 7.2_ppc64 |
| redhat | enterprise_linux_for_power_big_endian_eus | 6.7_ppc64 |
| redhat | enterprise_linux_eus | 6.7 |
| redhat | enterprise_linux_server_eus | 7.4 |
| redhat | enterprise_linux_server_from_rhui | 6.0 |
| redhat | enterprise_linux_for_scientific_computing | 6.0 |
| arista | eos | 4.14 |
| redhat | enterprise_linux_server_aus | 7.7 |
| redhat | enterprise_linux_server_aus | 7.3 |
| redhat | enterprise_linux_server_eus | 7.2 |
| redhat | enterprise_linux_for_power_big_endian_eus | 7.6_ppc64 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 6.0 |
| redhat | enterprise_linux_for_power_big_endian_eus | 7.1_ppc64 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_server_eus | 7.7 |
| redhat | enterprise_linux_server_from_rhui | 7.0 |
| redhat | enterprise_linux_server_tus | 7.7 |
| xen | xen | 4.5.1 |
| suse | linux_enterprise_debuginfo | 11 |
| redhat | enterprise_linux_compute_node_eus | 7.3 |
| redhat | enterprise_linux_server_update_services_for_sap_solutions | 7.4 |
| redhat | enterprise_linux_server_update_services_for_sap_solutions | 7.3 |
| redhat | enterprise_linux_compute_node_eus | 7.1 |
| redhat | enterprise_linux_for_power_big_endian_eus | 7.7_ppc64 |
| redhat | enterprise_linux_compute_node_eus | 7.2 |
| redhat | enterprise_linux_for_power_big_endian | 6.0 |
| debian | debian_linux | 8.0 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | openstack | 5.0 |
| redhat | enterprise_linux_for_power_big_endian_eus | 7.5_ppc64 |
Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows local HVM guest users to gain privileges by unplugging a block device twice.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 21 |
| xen | xen | 4.5.1 |
| xen | xen | * |
| fedoraproject | fedora | 22 |
The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| xen | xen | 4.4.1 |
| xen | xen | 4.6.6 |
| xen | xen | 4.5.0 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 4.6.1 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 7.0 |
| xen | xen | 4.5.1 |
| canonical | ubuntu_linux | 15.10 |
| xen | xen | 4.4.3 |
| xen | xen | 4.3.2 |
| oracle | vm_virtualbox | * |
| xen | xen | 4.6.3 |
| xen | xen | 4.6.5 |
| linux | linux_kernel | * |
| xen | xen | 4.6.2 |
| xen | xen | 4.4.2 |
| xen | xen | 4.6.4 |
| debian | debian_linux | 8.0 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.4.4 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.5.5 |
The xenmem_add_to_physmap_one function in arch/arm/mm.c in Xen 4.5.x, 4.4.x, and earlier does not limit the number of printk console messages when reporting a failure to retrieve a reference on a foreign page, which allows remote domains to cause a denial of service by leveraging permissions to map the memory of a foreign guest.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.5.1 |
| xen | xen | 4.4.0 |
| xen | xen | 4.5.0 |
The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.5 | LOW | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 2.1 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| redhat | enterprise_linux | 7.0 |
| qemu | qemu | * |
| arista | eos | 4.14 |
| novell | suse_linux_enterprise_desktop | 12.0 |
| novell | suse_linux_enterprise_server | 12.0 |
| redhat | enterprise_linux | 6.0 |
| fedoraproject | fedora | 22 |
| canonical | ubuntu_linux | 14.04 |
| redhat | enterprise_linux | 5.0 |
| xen | xen | 4.5.1 |
| arista | eos | 4.13 |
| arista | eos | 4.12 |
| xen | xen | 4.4.3 |
| redhat | openstack | 7.0 |
| novell | suse_linux_enterprise_software_development_kit | 11.0 |
| arista | eos | 4.15 |
| fedoraproject | fedora | 21 |
| novell | suse_linux_enterprise_software_development_kit | 12.0 |
| novell | suse_linux_enterprise_desktop | 11.0 |
| novell | suse_linux_enterprise_server | 11.0 |
| canonical | ubuntu_linux | 15.04 |
| fedoraproject | fedora | 23 |
| redhat | openstack | 5.0 |
| redhat | openstack | 6.0 |
| novell | suse_linux_enterprise_debuginfo | 11.0 |
libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image.
CVSS 2.0
Severity: LOW
Problem Type: CWE-17,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.4.1 |
| xen | xen | 4.2.5 |
| xen | xen | 4.5.0 |
| xen | xen | 4.3.2 |
| xen | xen | 4.2.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.4 |
| xen | xen | 4.4.0 |
| xen | xen | 4.1.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.1.2 |
Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| qemu | qemu | 2.5.0 |
| xen | xen | * |
| debian | debian_linux | 8.0 |
| qemu | qemu | * |
The hypercall_create_continuation function in arch/arm/domain.c in Xen 4.4.x through 4.6.x allows local guest users to cause a denial of service (host crash) via a preemptible hypercall to the multicall interface.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-254,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.2 |
| xen | xen | 4.5.1 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.2 |
| xen | xen | 4.6.0 |
| xen | xen | 4.4.0 |
| xen | xen | 4.5.0 |
| xen | xen | 4.4.3 |
Xen 4.4.x, 4.5.x, and 4.6.x does not limit the number of printk console messages when reporting unimplemented hypercalls, which allows local guests to cause a denial of service via a sequence of (1) HYPERVISOR_physdev_op hypercalls, which are not properly handled in the do_physdev_op function in arch/arm/physdev.c, or (2) HYPERVISOR_hvm_op hypercalls, which are not properly handled in the do_hvm_op function in arch/arm/hvm.c.
CVSS 2.0
Severity: LOW
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.5.1 |
| xen | xen | 4.4.1 |
| xen | xen | 4.6.0 |
| xen | xen | 4.4.0 |
| xen | xen | 4.5.0 |
Race condition in the relinquish_memory function in arch/arm/domain.c in Xen 4.6.x and earlier allows local domains with partial management control to cause a denial of service (host crash) via vectors involving the destruction of a domain and using XENMEM_decrease_reservation to reduce the memory of the domain.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators or domains with certain permission to cause a denial of service (memory consumption) via a large number of "teardowns" of domains with the vcpu pointer array allocated using the (1) XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer array allocated using the (2) XENOPROF_get_buffer or (3) XENOPROF_set_passive hypercall.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86 HVM guest administrators to cause a denial of service (CPU consumption and possibly reboot) via crafted memory contents that triggers a "time-consuming linear scan," related to Populate-on-Demand.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 3.4.2 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.3 |
| xen | xen | 3.4.4 |
| xen | xen | 3.4.1 |
Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c.
CVSS 2.0
Severity: LOW
Problem Type: CWE-19,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 3.2.1 |
| xen | xen | 4.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to "heavy memory pressure."
CVSS 2.0
Severity: LOW
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| xen | xen | 4.4.1 |
| oracle | solaris | 11.3 |
| xen | xen | 4.5.0 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 4.6.1 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 7.0 |
| xen | xen | 4.5.1 |
| debian | debian_linux | 9.0 |
| xen | xen | 4.4.3 |
| xen | xen | 4.3.2 |
| oracle | vm_virtualbox | * |
| xen | xen | 4.6.5 |
| linux | linux_kernel | * |
| xen | xen | 4.6.2 |
| xen | xen | 4.4.2 |
| xen | xen | 4.6.4 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 15.04 |
| xen | xen | 4.5.2 |
| xen | xen | 4.6.0 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
Xen 4.6.x and earlier does not properly enforce limits on page order inputs for the (1) XENMEM_increase_reservation, (2) XENMEM_populate_physmap, (3) XENMEM_exchange, and possibly other HYPERVISOR_memory_op suboperations, which allows ARM guest OS administrators to cause a denial of service (CPU consumption, guest reboot, or watchdog timeout and host reboot) and possibly have unspecified other impact via unknown vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-254,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via unspecified vectors related to domain teardown.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-19,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.5 |
| xen | xen | 3.2.1 |
| xen | xen | 4.4.3 |
| xen | xen | 4.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 4.1.6 |
| xen | xen | 4.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.5.2 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via unspecified vectors, related to XENMEM_exchange error handling.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-17,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.5 |
| xen | xen | 3.2.1 |
| xen | xen | 4.4.3 |
| xen | xen | 4.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 4.1.6 |
| xen | xen | 4.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.5.2 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The libxl toolstack library in Xen 4.1.x through 4.6.x does not properly release mappings of files used as kernels and initial ramdisks when managing multiple domains in the same process, which allows attackers to cause a denial of service (memory and disk consumption) by starting domains.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 4.2.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 4.1.0 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.5 |
| xen | xen | 4.4.3 |
| xen | xen | 4.3.2 |
| xen | xen | 4.1.6 |
| xen | xen | 4.4.2 |
| xen | xen | 4.5.2 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| novell | suse_linux_enterprise_real_time_extension | 12 |
| xen | xen | - |
The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka "Linux pciback missing sanity checks."
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| canonical | ubuntu_linux | 12.04 |
| xen | xen | 4.1.3 |
| xen | xen | 3.2.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.4 |
| xen | xen | 4.2.0 |
| novell | suse_linux_enterprise_debuginfo | 11 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 3.2.2 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| debian | debian_linux | 6.0 |
| xen | xen | 4.1.5 |
| xen | xen | 3.1.4 |
| xen | xen | 4.2.5 |
| novell | suse_linux_enterprise_real_time_extension | 11 |
| xen | xen | 3.2.1 |
| xen | xen | 4.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 3.2.0 |
| xen | xen | 3.4.2 |
| xen | xen | 4.1.6 |
| novell | suse_linux_enterprise_real_time_extension | 12 |
| xen | xen | 3.1.3 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | - |
| redhat | enterprise_linux | 5 |
Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using the qemu-xen-traditional (aka qemu-dm) device model, allows local x86 HVM guest administrators to gain privileges by leveraging a system with access to a passed-through MSI-X capable physical PCI device and MSI-X table entries, related to a "write path."
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.5.1 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 4.4.3 |
| xen | xen | 4.3.2 |
| citrix | xenserver | 6.0 |
| xen | xen | 4.4.2 |
| xen | xen | 4.3.1 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.3.4 |
| xen | xen | 4.4.4 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.6.1 |
The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 does not limit the number of printk console messages when logging the new callback method, which allows local HVM guest OS users to cause a denial of service via a large number of changes to the callback method (HVM_PARAM_CALLBACK_IRQ).
CVSS 2.0
Severity: LOW
Problem Type: CWE-254,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.6.0 |
Xen through 4.8.x allows local 64-bit x86 HVM guest OS users to gain privileges by leveraging mishandling of SYSCALL singlestep during emulation.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
Xen through 4.8.x allows local x86 PV guest OS kernel administrators to cause a denial of service (host hang or crash) by modifying the instruction stream asynchronously while performing certain kernel operations.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| citrix | xenserver | 6.0.2 |
| citrix | xenserver | 6.2.0 |
| xen | xen | * |
| citrix | xenserver | 7.0 |
| citrix | xenserver | 6.5 |
VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions (aka SVM) allows local HVM guest OS users to cause a denial of service (hypervisor crash) by leveraging a missing NULL pointer check.
CVSS 2.0
Severity: LOW
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| xen | xen | 4.7.1 |
| citrix | xenserver | 6.0.2 |
| xen | xen | 4.6.4 |
| citrix | xenserver | 6.2.0 |
| xen | xen | 4.8.0 |
| xen | xen | 4.6.0 |
| citrix | xenserver | 7.0 |
| xen | xen | 4.6.1 |
| citrix | xenserver | 6.5 |
The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.4.0 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 4.2.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.5 |
| xen | xen | 4.4.3 |
| xen | xen | 4.3.2 |
| xen | xen | 4.1.6 |
| xen | xen | 4.4.2 |
| xen | xen | 4.5.2 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-17,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.1.6.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.5 |
| xen | xen | 4.4.3 |
| xen | xen | 4.3.2 |
| xen | xen | 3.4.2 |
| xen | xen | 4.1.6 |
| xen | xen | 4.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.5.2 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| citrix | xenserver | * |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| xen | xen | * |
| debian | debian_linux | 8.0 |
| fedoraproject | fedora | 23 |
| oracle | vm_server | 3.4 |
| fedoraproject | fedora | 22 |
VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.6.0 |
| xen | xen | 4.6.1 |
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel does not properly context-switch IOPL on 64-bit PV Xen guests, which allows local guest OS users to gain privileges, cause a denial of service (guest OS crash), or obtain sensitive information by leveraging I/O port access.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| xen | xen | 4.0.0 |
The xrstor function in arch/x86/xstate.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| fedoraproject | fedora | 23 |
| oracle | vm_server | 3.4 |
| oracle | vm_server | 3.3 |
| fedoraproject | fedora | 22 |
The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 8.0 |
| fedoraproject | fedora | 23 |
| oracle | vm_server | 3.4 |
| oracle | vm_server | 3.3 |
| fedoraproject | fedora | 22 |
Integer overflow in the x86 shadow pagetable code in Xen allows local guest OS users to cause a denial of service (host crash) or possibly gain privileges by shadowing a superpage mapping.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 24 |
| fedoraproject | fedora | 23 |
| xen | xen | - |
| oracle | vm_server | 3.4 |
| oracle | vm_server | 3.3 |
| fedoraproject | fedora | 22 |
| oracle | vm_server | 3.2 |
Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest OS users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area.
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 16.04 |
| xen | xen | * |
| canonical | ubuntu_linux | 15.10 |
| canonical | ubuntu_linux | 14.04 |
The guest_walk_tables function in arch/x86/mm/guest_walk.c in Xen 4.6.x and earlier does not properly handle the Page Size (PS) page table entry bit at the L4 and L3 page table levels, which might allow local guest OS users to gain privileges via a crafted mapping of memory.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| oracle | vm_server | 3.4 |
| oracle | vm_server | 3.3 |
| oracle | vm_server | 3.2 |
The libxl device-handling in Xen 4.6.x and earlier allows local OS guest administrators to cause a denial of service (resource consumption or management facility confusion) or gain host OS privileges by manipulating information in guest controlled areas of xenstore.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.5.1 |
| xen | xen | 4.4.1 |
| oracle | vm_server | 3.4 |
| xen | xen | 4.5.0 |
| xen | xen | 4.4.3 |
| xen | xen | 4.3.2 |
| xen | xen | 4.4.2 |
| xen | xen | 4.3.1 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.3.4 |
| xen | xen | 4.4.4 |
| xen | xen | 4.4.0 |
| oracle | vm_server | 3.3 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.6.1 |
The libxl device-handling in Xen through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (management tool confusion) by manipulating information in the backend directories in xenstore.
CVSS 2.0
Severity: LOW
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 4.2.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 4.1.0 |
| xen | xen | 4.6.1 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.5 |
| xen | xen | 4.4.3 |
| xen | xen | 4.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 4.1.6 |
| xen | xen | 4.4.2 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.4 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (NULL pointer dereference and host OS crash) by creating concurrent domains and holding references to them, related to VMID exhaustion.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.2 |
| xen | xen | 4.5.1 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.4.4 |
| xen | xen | 4.4.0 |
| xen | xen | 4.5.0 |
| xen | xen | 4.6.1 |
| xen | xen | 4.4.3 |
The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| citrix | xenserver | 6.0 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| citrix | xenserver | 6.0.2 |
| citrix | xenserver | 6.1 |
| xen | xen | 4.3.1 |
| citrix | xenserver | 6.2.0 |
| citrix | xenserver | 7.0 |
| xen | xen | 4.1.0 |
| xen | xen | 4.6.1 |
| xen | xen | 4.0.3 |
| xen | xen | 4.0.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.1.5 |
| citrix | xenserver | 6.5.0 |
| xen | xen | 4.0.0 |
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| xen | xen | 3.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Xen 4.5.x through 4.7.x do not implement Supervisor Mode Access Prevention (SMAP) whitelisting in 32-bit exception and event delivery, which allows local 32-bit PV guest OS kernels to cause a denial of service (hypervisor and VM crash) by triggering a safety check.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.5.1 |
| xen | xen | 4.5.0 |
| citrix | xenserver | 6.5.0 |
| citrix | xenserver | 6.0 |
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| citrix | xenserver | 6.0.2 |
| citrix | xenserver | 6.1 |
| citrix | xenserver | 6.2.0 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| citrix | xenserver | 7.0 |
| xen | xen | 4.6.1 |
The get_page_from_l3e function in arch/x86/mm.c in Xen allows local 32-bit PV guest OS administrators to gain host OS privileges via vectors related to L3 recursive pagetables.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | - |
Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to overwrite hypervisor memory and consequently gain host OS privileges by leveraging mishandling of instruction pointer truncation during emulation.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| xen | xen | 4.5.3 |
Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update.
CVSS 2.0
Severity: LOW
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
Use-after-free vulnerability in the FIFO event channel code in Xen 4.4.x allows local guest OS administrators to cause a denial of service (host crash) and possibly execute arbitrary code or obtain sensitive information via an invalid guest frame number.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.2 |
| xen | xen | 4.4.1 |
| xen | xen | 4.4.4 |
| xen | xen | 4.4.0 |
| xen | xen | 4.4.3 |
Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which allows local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it.
CVSS 2.0
Severity: LOW
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging IDT entry miscalculation.
CVSS 2.0
Severity: LOW
Problem Type: CWE-682,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| xen | xen | 4.7.1 |
| xen | xen | 4.6.4 |
| xen | xen | 4.5.1 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.5.0 |
| xen | xen | 4.5.5 |
| xen | xen | 4.6.1 |
Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging an incorrect choice for software interrupt delivery.
CVSS 2.0
Severity: LOW
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| xen | xen | 4.7.1 |
| xen | xen | 4.6.4 |
| xen | xen | 4.5.1 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.5.0 |
| xen | xen | 4.5.5 |
| xen | xen | 4.6.1 |
The pygrub boot loader emulator in Xen, when S-expression output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via string quotes and S-expressions in the bootloader configuration file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| citrix | xenserver | 6.0.2 |
| citrix | xenserver | 6.2.0 |
| xen | xen | * |
| citrix | xenserver | 7.0 |
| citrix | xenserver | 6.5 |
The pygrub boot loader emulator in Xen, when nul-delimited output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via NUL bytes in the bootloader configuration file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| citrix | xenserver | 6.0.2 |
| citrix | xenserver | 6.2.0 |
| xen | xen | * |
| citrix | xenserver | 7.0 |
| citrix | xenserver | 6.5 |
Xen 4.0.x through 4.7.x mishandle x86 task switches to VM86 mode, which allows local 32-bit x86 HVM guest OS users to gain privileges or cause a denial of service (guest OS crash) by leveraging a guest operating system that uses hardware task switching and allows a new task to start in VM86 mode.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 4.2.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| citrix | xenserver | 6.0.2 |
| xen | xen | 4.3.1 |
| citrix | xenserver | 6.2.0 |
| citrix | xenserver | 7.0 |
| xen | xen | 4.3.4 |
| xen | xen | 4.1.0 |
| xen | xen | 4.6.1 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| citrix | xenserver | 6.5 |
| xen | xen | 4.0.1 |
| xen | xen | 4.7.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.5 |
| xen | xen | 4.4.3 |
| xen | xen | 4.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| xen | xen | 4.4.2 |
| xen | xen | 4.6.4 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.4 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.5.5 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Xen, when running on a 64-bit hypervisor, allows local x86 guest OS users to modify arbitrary memory and consequently obtain sensitive information, cause a denial of service (host crash), or execute arbitrary code on the host by leveraging broken emulation of bit test instructions.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| citrix | xenserver | 6.0.2 |
| citrix | xenserver | 6.2.0 |
| xen | xen | * |
| citrix | xenserver | 7.0 |
| citrix | xenserver | 6.5 |
Xen 4.7 allows local guest OS users to obtain sensitive host information by loading a 32-bit ELF symbol table.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.0 |
| xen | xen | 4.7.1 |
The x86 segment base write emulation functionality in Xen 4.4.x through 4.7.x allows local x86 PV guest OS administrators to cause a denial of service (host crash) by leveraging lack of canonical address checks.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.1 |
| xen | xen | 4.5.1 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 4.4.3 |
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| citrix | xenserver | 6.0.2 |
| xen | xen | 4.4.2 |
| xen | xen | 4.6.4 |
| citrix | xenserver | 6.2.0 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| citrix | xenserver | 7.0 |
| xen | xen | 4.4.4 |
| xen | xen | 4.4.0 |
| xen | xen | 4.5.5 |
| xen | xen | 4.6.1 |
| citrix | xenserver | 6.5 |
The x86 emulator in Xen does not properly treat x86 NULL segments as unusable when accessing memory, which might allow local HVM guest users to gain privileges via vectors involving "unexpected" base/limit values.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| citrix | xenserver | 6.0.2 |
| citrix | xenserver | 6.2.0 |
| xen | xen | * |
| citrix | xenserver | 7.0 |
| citrix | xenserver | 6.5 |
Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.0 |
| xen | xen | 4.7.1 |
Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at EL2.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.0 |
| xen | xen | 4.7.1 |
Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving a (1) data or (2) prefetch abort with the ESR_EL2.EA bit set.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.0 |
| xen | xen | 4.7.1 |
Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at HYP.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.0 |
| xen | xen | 4.7.1 |
CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows local HVM guest OS users to obtain sensitive information from host stack memory via a "supposedly-ignored" operand size prefix.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.1.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.2.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.3.1 |
| xen | xen | 4.3.4 |
| xen | xen | 3.4.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.0.2 |
| xen | xen | 4.0.3 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.5 |
| xen | xen | 4.4.3 |
| xen | xen | 4.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| xen | xen | 3.4.2 |
| xen | xen | 4.1.6 |
| xen | xen | 4.4.2 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.4 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
| xen | xen | 4.5.5 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
Xen through 4.8.x mishandles page transfer, which allows guest OS users to obtain privileged host OS access, aka XSA-217.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
The grant-table feature in Xen through 4.8.x provides false mapping information in certain cases of concurrent unmap calls, which allows backend attackers to obtain sensitive information or gain privileges, aka XSA-218 bug 1.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
The grant-table feature in Xen through 4.8.x has a race condition leading to a double free, which allows guest OS users to cause a denial of service (memory consumption), or possibly obtain sensitive information or gain privileges, aka XSA-218 bug 2.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
The shadow-paging feature in Xen through 4.8.x mismanages page references and consequently introduces a race condition, which allows guest OS users to obtain Xen privileges, aka XSA-219.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
The vCPU context-switch implementation in Xen through 4.8.x improperly interacts with the Memory Protection Extensions (MPX) and Protection Key (PKU) features, which makes it easier for guest OS users to defeat ASLR and other protection mechanisms, aka XSA-220.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.1 |
| xen | xen | 4.5.1 |
| xen | xen | 4.5.0 |
| xen | xen | 4.6.5 |
| xen | xen | 4.6.2 |
| xen | xen | 4.6.4 |
| xen | xen | 4.8.1 |
| xen | xen | 4.8.0 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.5.5 |
| xen | xen | 4.6.1 |
Xen through 4.8.x does not validate the port numbers of polled event channel ports, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) or possibly obtain sensitive information, aka XSA-221.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
Xen through 4.8.x does not validate memory allocations during certain P2M operations, which allows guest OS users to obtain privileged host OS access, aka XSA-222.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
Xen through 4.8.x mishandles virtual interrupt injection, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-223.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
The grant-table feature in Xen through 4.8.x mishandles a GNTMAP_device_map and GNTMAP_host_map mapping, when followed by only a GNTMAP_host_map unmapping, which allows guest OS users to cause a denial of service (count mismanagement and memory corruption) or obtain privileged host OS access, aka XSA-224 bug 1.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
The grant-table feature in Xen through 4.8.x does not ensure sufficient type counts for a GNTMAP_device_map and GNTMAP_host_map mapping, which allows guest OS users to cause a denial of service (count mismanagement and memory corruption) or obtain privileged host OS access, aka XSA-224 bug 2.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
The grant-table feature in Xen through 4.8.x mishandles MMIO region grant references, which allows guest OS users to cause a denial of service (loss of grant trackability), aka XSA-224 bug 3.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
Xen through 4.8.x does not validate a vCPU array index upon the sending of an SGI, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-225.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.6.5 |
| xen | xen | 4.7.1 |
| xen | xen | 4.6.2 |
| xen | xen | 4.6.4 |
| xen | xen | 4.8.1 |
| xen | xen | 4.8.0 |
| xen | xen | 4.6.0 |
| xen | xen | 4.6.1 |
The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-682,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| citrix | xenserver | 6.0.2 |
| citrix | xenserver | 6.2.0 |
| xen | xen | * |
| citrix | xenserver | 7.2 |
| citrix | xenserver | 7.0 |
| citrix | xenserver | 7.1 |
| citrix | xenserver | 6.5 |
Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-682,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| citrix | xenserver | 6.0.2 |
| citrix | xenserver | 6.2.0 |
| xen | xen | * |
| citrix | xenserver | 7.2 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| citrix | xenserver | 7.0 |
| citrix | xenserver | 7.1 |
| citrix | xenserver | 6.5 |
Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.1 |
| debian | debian_linux | 9.0 |
| citrix | xenserver | 7.1 |
| xen | xen | 4.6.6 |
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| xen | xen | 4.6.5 |
| citrix | xenserver | 6.0.2 |
| xen | xen | 4.6.4 |
| xen | xen | 4.7.2 |
| citrix | xenserver | 6.2.0 |
| xen | xen | 4.9.0 |
| xen | xen | 4.8.1 |
| citrix | xenserver | 7.2 |
| debian | debian_linux | 8.0 |
| xen | xen | 4.8.0 |
| xen | xen | 4.6.0 |
| citrix | xenserver | 7.0 |
| xen | xen | 4.7.3 |
| xen | xen | 4.6.1 |
| citrix | xenserver | 6.5 |
arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| citrix | xenserver | 6.0.2 |
| citrix | xenserver | 6.2.0 |
| xen | xen | * |
| citrix | xenserver | 7.2 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| citrix | xenserver | 7.0 |
| citrix | xenserver | 7.1 |
| citrix | xenserver | 6.5 |
Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. Under some circumstances, Xen will clear the status bits too early, incorrectly informing the guest that the grant is no longer in use. A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant. Xen 4.9, 4.8, 4.7, 4.6, and 4.5 are affected.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.1 |
| xen | xen | 4.5.1 |
| xen | xen | 4.6.6 |
| xen | xen | 4.5.0 |
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| xen | xen | 4.6.5 |
| xen | xen | 4.6.4 |
| xen | xen | 4.7.2 |
| xen | xen | 4.9.0 |
| xen | xen | 4.8.1 |
| xen | xen | 4.8.0 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.7.3 |
| xen | xen | 4.5.5 |
| xen | xen | 4.6.1 |
A parameter verification issue was discovered in Xen through 4.9.x. The function `alloc_heap_pages` allows callers to specify the first NUMA node that should be used for allocations through the `memflags` parameter; the node is extracted using the `MEMF_get_node` macro. While the function checks to see if the special constant `NUMA_NO_NODE` is specified, it otherwise does not handle the case where `node >= MAX_NUMNODES`. This allows an out-of-bounds access to an internal array.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
A domain cleanup issue was discovered in the C xenstore daemon (aka cxenstored) in Xen through 4.9.x. When shutting down a VM with a stubdomain, a race in cxenstored may cause a double-free. The xenstored daemon may crash, resulting in a DoS of any parts of the system relying on it (including domain creation / destruction, ballooning, device changes, etc.).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen 4.5.x through 4.9.x. The function `__gnttab_cache_flush` handles GNTTABOP_cache_flush grant table operations. It checks to see if the calling domain is the owner of the page that is to be operated on. If it is not, the owner's grant table is checked to see if a grant mapping to the calling domain exists for the page in question. However, the function does not check to see if the owning domain actually has a grant table or not. Some special domains, such as `DOMID_XEN`, `DOMID_IO` and `DOMID_COW` are created without grant tables. Hence, if __gnttab_cache_flush operates on a page owned by these special domains, it will attempt to dereference a NULL pointer in the domain struct.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.1 |
| xen | xen | 4.5.1 |
| xen | xen | 4.6.6 |
| xen | xen | 4.5.0 |
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| xen | xen | 4.6.5 |
| xen | xen | 4.6.4 |
| xen | xen | 4.7.2 |
| xen | xen | 4.9.0 |
| xen | xen | 4.8.1 |
| xen | xen | 4.8.0 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.7.3 |
| xen | xen | 4.5.5 |
| xen | xen | 4.6.1 |
A grant unmapping issue was discovered in Xen through 4.9.x. When removing or replacing a grant mapping, the x86 PV specific path needs to make sure page table entries remain in sync with other accounting done. Although the identity of the page frame was validated correctly, neither the presence of the mapping nor page writability were taken into account.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a denial of service (ARM or x86 AMD host OS memory consumption) by continually rebooting, because certain cleanup is skipped if no pass-through device was ever assigned, aka XSA-207.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-772,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.1.4 |
| xen | xen | 4.5.0 |
| xen | xen | 3.3.2 |
| xen | xen | 4.3.1 |
| xen | xen | 4.1.0 |
| xen | xen | 4.6.1 |
| xen | xen | 4.0.3 |
| xen | xen | 4.7.1 |
| xen | xen | 4.3.2 |
| xen | xen | 4.0.0 |
| xen | xen | 4.4.2 |
| xen | xen | 4.6.4 |
| xen | xen | 4.8.1 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.5 |
| xen | xen | 4.2.2 |
| xen | xen | 4.1.2 |
| xen | xen | 4.1.3 |
| xen | xen | 3.4.0 |
| xen | xen | 3.4.4 |
| xen | xen | 4.4.1 |
| xen | xen | 4.2.4 |
| xen | xen | 4.2.0 |
| xen | xen | 4.1.1 |
| xen | xen | 4.2.1 |
| xen | xen | 4.8.0 |
| xen | xen | 4.3.4 |
| xen | xen | 3.4.1 |
| xen | xen | 4.0.2 |
| xen | xen | 4.1.6.1 |
| xen | xen | 4.0.1 |
| xen | xen | 3.3.1 |
| xen | xen | 4.0.4 |
| xen | xen | 4.5.1 |
| xen | xen | 4.1.5 |
| xen | xen | 4.2.5 |
| xen | xen | 4.4.3 |
| xen | xen | 4.6.5 |
| xen | xen | 3.4.2 |
| xen | xen | 4.6.2 |
| xen | xen | 4.1.6 |
| xen | xen | 3.4.3 |
| xen | xen | 3.3.0 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.2.3 |
| xen | xen | 4.4.4 |
| xen | xen | 4.4.0 |
| xen | xen | 4.3.0 |
| xen | xen | 4.3.3 |
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to execute arbitrary code on the host OS because of a race condition that can cause a stale TLB entry.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.9.0 |
An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to obtain sensitive information from the host OS (or an arbitrary guest OS) because intercepted I/O operations can cause a write of data from uninitialized hypervisor stack memory.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.9.0 |
An issue was discovered in Xen through 4.9.x allowing x86 guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because MSI mapping was mishandled.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.9.0 |
An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers (who control a stub domain kernel or tool stack) to cause a denial of service (host OS crash) because of a missing comparison (of range start to range end) within the DMOP map/unmap implementation.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.7.1 |
| xen | xen | 4.5.1 |
| xen | xen | 4.6.6 |
| xen | xen | 4.5.0 |
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| xen | xen | 4.6.5 |
| xen | xen | 4.6.4 |
| xen | xen | 4.7.2 |
| xen | xen | 4.9.0 |
| xen | xen | 4.8.1 |
| xen | xen | 4.8.0 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.7.3 |
| xen | xen | 4.5.5 |
| xen | xen | 4.6.1 |
An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because self-linear shadow mappings are mishandled for translated guests.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-668,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (memory leak) because reference counts are mishandled.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-772,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.9.x allowing x86 SVM PV guest OS users to cause a denial of service (hypervisor crash) or gain privileges because IDT settings are mishandled during CPU hotplugging.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen 4.4.x through 4.9.x allowing ARM guest OS users to cause a denial of service (prevent physical CPU usage) because of lock mishandling upon detection of an add-to-physmap error.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.4.1 |
| xen | xen | 4.5.4 |
| xen | xen | 4.6.6 |
| xen | xen | 4.5.0 |
| xen | xen | 4.7.2 |
| xen | xen | 4.8.0 |
| xen | xen | 4.6.1 |
| xen | xen | 4.7.1 |
| xen | xen | 4.5.1 |
| xen | xen | 4.4.3 |
| xen | xen | 4.7.0 |
| xen | xen | 4.6.3 |
| xen | xen | 4.6.5 |
| xen | xen | 4.6.2 |
| xen | xen | 4.4.2 |
| xen | xen | 4.6.4 |
| xen | xen | 4.9.0 |
| xen | xen | 4.8.1 |
| xen | xen | 4.5.2 |
| xen | xen | 4.5.3 |
| xen | xen | 4.6.0 |
| xen | xen | 4.8.2 |
| xen | xen | 4.4.4 |
| xen | xen | 4.7.3 |
| xen | xen | 4.4.0 |
| xen | xen | 4.5.5 |
An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to cause a denial of service (infinite loop and host OS hang) by leveraging the mishandling of Populate on Demand (PoD) errors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-754,CWE-755,CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to gain privileges on the host OS, obtain sensitive information, or cause a denial of service (BUG and host OS crash) by leveraging the mishandling of Populate on Demand (PoD) Physical-to-Machine (P2M) errors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.9.x on the ARM platform allowing guest OS users to obtain sensitive information from DRAM after a reboot, because disjoint blocks, and physical addresses that do not start at zero, are mishandled.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging an incorrect mask for reference-count overflow checking in shadow mode.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging incorrect error handling for reference counting in shadow mode.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-388,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) if shadow mode and log-dirty mode are in place, because of an incorrect assertion related to M2P.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) or gain host OS privileges in shadow mode by mapping a certain auxiliary page.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,CWE-125,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_workstation | 7.0 |
| redhat | enterprise_linux_server_eus | 7.4 |
| redhat | openstack | 9 |
| redhat | openstack | 8 |
| qemu | qemu | * |
| citrix | xenserver | 6.0.2 |
| redhat | enterprise_linux_server_aus | 7.3 |
| citrix | xenserver | 6.2.0 |
| redhat | enterprise_linux_server | 7.0 |
| xen | xen | * |
| citrix | xenserver | 7.0 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_workstation | 6.0 |
| citrix | xenserver | 6.5 |
| redhat | enterprise_linux_desktop | 6.0 |
| debian | debian_linux | 7.0 |
| xen | xen | 4.7.1 |
| redhat | enterprise_linux_server_aus | 7.4 |
| citrix | xenserver | 7.1 |
| redhat | openstack | 7.0 |
| redhat | enterprise_linux_server_eus | 7.5 |
| redhat | enterprise_linux_server_eus | 7.3 |
| redhat | openstack | 10 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | openstack | 5.0 |
| redhat | openstack | 6.0 |
Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,CWE-125,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_workstation | 7.0 |
| redhat | enterprise_linux_server_eus | 7.4 |
| redhat | openstack | 9 |
| redhat | openstack | 8 |
| qemu | qemu | * |
| citrix | xenserver | 6.0.2 |
| redhat | enterprise_linux_server_aus | 7.3 |
| citrix | xenserver | 6.2.0 |
| redhat | enterprise_linux_server | 7.0 |
| xen | xen | * |
| citrix | xenserver | 7.0 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_workstation | 6.0 |
| citrix | xenserver | 6.5 |
| redhat | enterprise_linux_desktop | 6.0 |
| debian | debian_linux | 7.0 |
| xen | xen | 4.7.1 |
| redhat | enterprise_linux_server_aus | 7.4 |
| citrix | xenserver | 7.1 |
| redhat | openstack | 7.0 |
| redhat | enterprise_linux_server_eus | 7.5 |
| redhat | enterprise_linux_server_eus | 7.3 |
| redhat | openstack | 10 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | openstack | 5.0 |
| redhat | openstack | 6.0 |
An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-129,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | - |
Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges only after accessing them, allowing host PCI device space memory reads, leading to information disclosure. This is an error in the get_user function. NOTE: the upstream Xen Project considers versions before 4.5.x to be EOL.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| suse | manager | 2.1 |
| suse | manager_proxy | 2.1 |
| novell | suse_linux_enterprise_server | 11.0 |
| xen | xen | * |
| novell | suse_linux_enterprise_point_of_sale | 11.0 |
| suse | openstack_cloud | 5 |
Xen through 4.8.x on 64-bit platforms mishandles page tables after an IRET hypercall, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-213.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.8.1 |
| xen | xen | 4.8.0 |
Xen through 4.8.x mishandles the "contains segment descriptors" property during GNTTABOP_transfer (aka guest transfer) operations, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-214.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.8.1 |
| xen | xen | 4.8.0 |
Xen through 4.6.x on 64-bit platforms mishandles a failsafe callback, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-215.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-682,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.6.3 |
| xen | xen | 4.6.5 |
| xen | xen | 4.6.2 |
| xen | xen | 4.6.4 |
| xen | xen | 4.6.0 |
| xen | xen | 4.6.1 |
An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (out-of-bounds zero write and hypervisor crash) via unexpected INT 80 processing, because of an incorrect fix for CVE-2017-5754.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users (in certain configurations) to read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction with specifying the target file as the backing file of a snapshot.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions between states of a request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| xen | xen | * |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (unexpectedly high interrupt number, array overrun, and hypervisor crash) or possibly gain hypervisor privileges by setting up an HPET timer to deliver interrupts in IO-APIC mode, aka vHPET interrupt injection.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| xen | xen | * |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.10.x. Certain PV MMU operations may take a long time to process. For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few rarely taken code paths did bypass such checks. By suitably enforcing the conditions through its own page table contents, a malicious guest may cause such bypasses to be used for an unbounded number of iterations. A malicious or buggy PV guest may cause a Denial of Service (DoS) affecting the entire host. Specifically, it may prevent use of a physical CPU for an indeterminate period of time. All Xen versions from 3.4 onwards are vulnerable. Xen versions 3.3 and earlier are vulnerable to an even wider class of attacks, due to them lacking preemption checks altogether in the affected code paths. Only x86 systems are affected. ARM systems are not affected. Only multi-vCPU x86 PV guests can leverage the vulnerability. x86 HVM or PVH guests as well as x86 single-vCPU PV ones cannot leverage the vulnerability.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass the readonly flag to qemu when setting up a SCSI disk, due to what was probably an erroneous merge conflict resolution. Malicious guest administrators or (in some situations) users may be able to write to supposedly read-only disk images. Only emulated SCSI disks (specified as "sd" in the libxl disk configuration, or an equivalent) are affected. IDE disks ("hd") are not affected (because attempts to make them readonly are rejected). Additionally, CDROM devices (that is, devices specified to be presented to the guest as CDROMs, regardless of the nature of the backing storage on the host) are not affected; they are always read only. Only systems using qemu-xen (rather than qemu-xen-traditional) as the device model version are vulnerable. Only systems using libxl or libxl-based toolstacks are vulnerable. (This includes xl, and libvirt with the libxl driver.) The vulnerability is present in Xen versions 4.7 and later. (In earlier versions, provided that the patch for XSA-142 has been applied, attempts to create read only disks are rejected.) If the host and guest together usually support PVHVM, the issue is exploitable only if the malicious guest administrator has control of the guest kernel or guest kernel command line.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.10.x. One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. A malicious PV guest can crash Xen, leading to a Denial of Service. All Xen systems which have applied the XSA-260 fix are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-665,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 16.04 |
| linux | linux_kernel | * |
| xen | xen | * |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 14.04 |
An issue was discovered in Xen through 4.11.x. The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests. Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) can lock up the entire host, causing a Denial of Service.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-863,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.11.x. ARM never properly implemented grant table v2, either in the hypervisor or in Linux. Unfortunately, an ARM guest can still request v2 grant tables; they will simply not be properly set up, resulting in subsequent grant-related hypercalls hitting BUG() checks. An unprivileged guest can cause a BUG() check in the hypervisor, resulting in a denial-of-service (crash).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 8.0 |
An issue was discovered in Xen through 4.11.x. The logic in oxenstored for handling writes depended on the order of evaluation of expressions making up a tuple. As indicated in section 7.7.3 "Operations on data structures" of the OCaml manual, the order of evaluation of subexpressions is not specified. In practice, different implementations behave differently. Thus, oxenstored may not enforce the configured quota-maxentity. This allows a malicious or buggy guest to write as many xenstore entries as it wishes, causing unbounded memory usage in oxenstored. This can lead to a system-wide DoS.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 16.04 |
| linux | linux_kernel | * |
| xen | xen | * |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 18.10 |
An issue was discovered in Xen 4.9.x through 4.11.x, on Intel x86 platforms, allowing x86 HVM and PVH guests to cause a host OS denial of service (NULL pointer dereference) or possibly have unspecified other impact because nested VT-x is not properly restricted.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because TLB flushes do not always occur after IOMMU mapping changes.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-459,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| citrix | xenserver | 7.6 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
| citrix | xenserver | 7.0 |
| citrix | xenserver | 7.1 |
| citrix | xenserver | 7.5 |
An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because small IOMMU mappings are unsafely combined into larger ones.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| citrix | xenserver | 7.6 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
| citrix | xenserver | 7.0 |
| citrix | xenserver | 7.1 |
| citrix | xenserver | 7.5 |
An issue was discovered in Xen 4.11 allowing HVM guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because x86 IOREQ server resource accounting (for external emulators) was mishandled.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-617,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.11.0 |
An issue was discovered in Xen 4.11.x allowing x86 guest OS users to cause a denial of service (host OS hang) because the p2m lock remains unavailable indefinitely in certain error conditions.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| citrix | xenserver | 7.6 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
| citrix | xenserver | 7.0 |
| citrix | xenserver | 7.1 |
| citrix | xenserver | 7.5 |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-436,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.11.x on Intel x86 platforms allowing guest OS users to cause a denial of service (host OS hang) because Xen does not work around Intel's mishandling of certain HLE transactions associated with the KACQUIRE instruction prefix.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 9.0 |
In Xen 4.10, new infrastructure was introduced as part of an overhaul to how MSR emulation happens for guests. Unfortunately, one tracking structure isn't freed when a vcpu is destroyed. This allows guest OS administrators to cause a denial of service (host OS memory consumption) by rebooting many times.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (host OS CPU hang) via non-preemptable L3/L4 pagetable freeing.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.10.x allowing guest OS users to cause a denial of service (hypervisor crash) or gain privileges by triggering a grant-table transition from v2 to v1.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen 4.8.x through 4.10.x allowing x86 PVH guest OS users to cause a denial of service (NULL pointer dereference and hypervisor crash) by leveraging the mishandling of configurations that lack a Local APIC.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 9.0 |
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 16.04 |
| redhat | enterprise_linux_workstation | 7.0 |
| apple | mac_os_x | * |
| synology | diskstation_manager | 6.1 |
| citrix | xenserver | 6.0.2 |
| citrix | xenserver | 6.2.0 |
| redhat | enterprise_linux_server | 7.0 |
| citrix | xenserver | 7.2 |
| xen | xen | - |
| citrix | xenserver | 7.0 |
| citrix | xenserver | 7.3 |
| canonical | ubuntu_linux | 14.04 |
| redhat | enterprise_virtualization_manager | 3.0 |
| citrix | xenserver | 6.5 |
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 17.10 |
| debian | debian_linux | 9.0 |
| citrix | xenserver | 7.1 |
| synology | diskstation_manager | 5.2 |
| freebsd | freebsd | * |
| synology | diskstation_manager | 6.0 |
| debian | debian_linux | 8.0 |
| citrix | xenserver | 7.4 |
| synology | skynas | - |
An issue was discovered in Xen through 4.11.x allowing x86 guest OS users to cause a denial of service or gain privileges because grant-table transfer requests are mishandled.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-401,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a page-writability race condition during addition of a passed-through PCI device.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a race condition that arose when XENMEM_exchange was introduced.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging incorrect use of the HVM physmap concept for PV domains.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-667,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service by leveraging a long-running operation that exists to support restartability of PTE updates.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-662,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen 4.8.x through 4.11.x allowing x86 PV guest OS users to cause a denial of service because mishandling of failed IOMMU operations causes a bug check during the cleanup of a crashed guest.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because of an incompatibility between Process Context Identifiers (PCID) and TLB flushes.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because a guest can manipulate its virtualised %cr4 in a way that is incompatible with Linux (and possibly other guest kernels).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service because of an incompatibility between Process Context Identifiers (PCID) and shadow-pagetable switching.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a LoadExcl or StoreExcl operation.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a compare-and-exchange operation.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | * |
| xen | xen | * |
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via a VCPUOP_initialise hypercall. hypercall_create_continuation() is a variadic function which uses a printf-like format string to interpret its parameters. Error handling for a bad format character was done using BUG(), which crashes Xen. One path, via the VCPUOP_initialise hypercall, has a bad format character. The BUG() can be hit if VCPUOP_initialise executes for a sufficiently long period of time for a continuation to be created. Malicious guests may cause a hypervisor crash, resulting in a Denial of Service (DoS). Xen versions 4.6 and newer are vulnerable. Xen versions 4.5 and earlier are not vulnerable. Only x86 PV guests can exploit the vulnerability. HVM and PVH guests, and guests on ARM systems, cannot exploit the vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-134,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 29 |
| xen | xen | * |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations. There are issues with restartable PV type change operations. To avoid using shadow pagetables for PV guests, Xen exposes the actual hardware pagetables to the guest. In order to prevent the guest from modifying these page tables directly, Xen keeps track of how pages are used using a type system; pages must be "promoted" before being used as a pagetable, and "demoted" before being used for any other type. Xen also allows for "recursive" promotions: i.e., an operating system promoting a page to an L4 pagetable may end up causing pages to be promoted to L3s, which may in turn cause pages to be promoted to L2s, and so on. These operations may take an arbitrarily large amount of time, and so must be re-startable. Unfortunately, making recursive pagetable promotion and demotion operations restartable is incredibly complicated, and the code contains several races which, if triggered, can cause Xen to drop or retain extra type counts, potentially allowing guests to get write access to in-use pagetables. A malicious PV guest administrator may be able to escalate their privilege to that of the host. All x86 systems with untrusted PV guests are vulnerable. HVM and PVH guests cannot exercise this vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 29 |
| xen | xen | * |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 9.0 |
| opensuse | leap | 15.0 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service or gain privileges by leveraging the erroneous enabling of interrupts. Interrupts are unconditionally unmasked in exception handlers. When an exception occurs on an ARM system which is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. So exceptions which occur when interrupts are masked will effectively unmask the interrupts. A malicious guest might contrive to arrange for critical Xen code to run with interrupts erroneously enabled. This could lead to data corruption, denial of service, or possibly even privilege escalation. However a precise attack technique has not been identified.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-732,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 29 |
| xen | xen | * |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service via a XENMEM_add_to_physmap hypercall. p2m->max_mapped_gfn is used by the functions p2m_resolve_translation_fault() and p2m_get_entry() to sanity check guest physical frame. The rest of the code in the two functions will assume that there is a valid root table and check that with BUG_ON(). The function p2m_get_root_pointer() will ignore the unused top bits of a guest physical frame. This means that the function p2m_set_entry() will alias the frame. However, p2m->max_mapped_gfn will be updated using the original frame. It would be possible to set p2m->max_mapped_gfn high enough to cover a frame that would lead p2m_get_root_pointer() to return NULL in p2m_get_entry() and p2m_resolve_translation_fault(). Additionally, the sanity check on p2m->max_mapped_gfn is off-by-one allowing "highest mapped + 1" to be considered valid. However, p2m_get_root_pointer() will return NULL. The problem could be triggered with a specially crafted hypercall XENMEM_add_to_physmap{, _batch} followed by an access to an address (via hypercall or direct access) that passes the sanity check but cause p2m_get_root_pointer() to return NULL. A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of Service (DoS). Xen version 4.8 and newer are vulnerable. Only Arm systems are vulnerable. x86 systems are not affected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-193,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 29 |
| xen | xen | * |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device. This occurs because passed through PCI devices may corrupt host memory after deassignment. When a PCI device is assigned to an untrusted domain, it is possible for that domain to program the device to DMA to an arbitrary address. The IOMMU is used to protect the host from malicious DMA by making sure that the device addresses can only target memory assigned to the guest. However, when the guest domain is torn down, or the device is deassigned, the device is assigned back to dom0, thus allowing any in-flight DMA to potentially target critical host data. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 29 |
| xen | xen | * |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 9.0 |
| opensuse | leap | 15.0 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by installing and using descriptors. There is missing descriptor table limit checking in x86 PV emulation. When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT. (Most OSes don't install any LDT by default). 32-bit PV guest user mode can elevate its privileges to that of the guest kernel. Xen versions from at least 3.2 onwards are affected. Only 32-bit PV guest user mode can leverage this vulnerability. HVM, PVH, as well as 64-bit PV guests cannot leverage this vulnerability. Arm systems are unaffected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 29 |
| xen | xen | * |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 9.0 |
| opensuse | leap | 15.0 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.12.x allowing x86 AMD HVM guest OS users to cause a denial of service or possibly gain privileges by triggering data-structure access during pagetable-height updates. When running on AMD systems with an IOMMU, Xen attempted to dynamically adapt the number of levels of pagetables (the pagetable height) in the IOMMU according to the guest's address space size. The code to select and update the height had several bugs. Notably, the update was done without taking a lock which is necessary for safe operation. A malicious guest administrator can cause Xen to access data structures while they are being modified, causing Xen to crash. Privilege escalation is thought to be very difficult but cannot be ruled out. Additionally, there is a potential memory leak of 4kb per guest boot, under memory pressure. Only Xen on AMD CPUs is vulnerable. Xen running on Intel CPUs is not vulnerable. ARM systems are not vulnerable. Only systems where guests are given direct access to physical devices are vulnerable. Systems which do not use PCI pass-through are not vulnerable. Only HVM guests can exploit the vulnerability. PV and PVH guests cannot. All versions of Xen with IOMMU support are vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 0.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-401,CWE-662,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the "depth" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To implement this, we keep track of the number of outstanding times a page points to or is pointed to another page table, to prevent both from happening at the same time. Unfortunately, the original commit introducing this reset this count when resuming validation of a partially-validated pagetable, incorrectly dropping some "linear_pt_entry" counts. If an attacker could engineer such a situation to occur, they might be able to make loops or other arbitrary chains of linear pagetables, as described in XSA-240. A malicious or buggy PV guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be excluded. All versions of Xen are vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. Only systems which have enabled linear pagetables are vulnerable. Systems which have disabled linear pagetables, either by selecting CONFIG_PV_LINEAR_PT=n when building the hypervisor, or adding pv-linear-pt=false on the command-line, are not vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-682,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device (and assignable-add is not used), because of an incomplete fix for CVE-2019-18424. XSA-302 relies on the use of libxl's "assignable-add" feature to prepare devices to be assigned to untrusted guests. Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of preparing devices for assignment, and libvirt uses its own ways as well. Hosts where these "alternate" methods are used will still leave the system in a vulnerable state after the device comes back from a guest. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| fedoraproject | fedora | 30 |
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations, because of an incomplete fix for CVE-2019-18421. XSA-299 addressed several critical issues in restartable PV type change operations. Despite extensive testing and auditing, some corner cases were missed. A malicious PV guest administrator may be able to escalate their privilege to that of the host. All security-supported versions of Xen are vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. Note that these attacks require very precise timing, which may be difficult to exploit in practice.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.7 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.12.x allowing 32-bit Arm guest OS users to cause a denial of service (out-of-bounds access) because certain bit iteration is mishandled. In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: On 32-bit Arm accesses to bitmaps with bit a count which is a multiple of 32, an out of bounds access may occur. A malicious guest may cause a hypervisor crash or hang, resulting in a Denial of Service (DoS). All versions of Xen are vulnerable. 32-bit Arm systems are vulnerable. 64-bit Arm systems are not vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.12.x allowing x86 guest OS users to cause a denial of service (infinite loop) because certain bit iteration is mishandled. In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: On x86 accesses to bitmaps with a compile time known size of 64 may incur undefined behavior, which may in particular result in infinite loops. A malicious guest may cause a hypervisor crash or hang, resulting in a Denial of Service (DoS). All versions of Xen are vulnerable. x86 systems with 64 or more nodes are vulnerable (there might not be any such systems that Xen would run on). x86 systems with less than 64 nodes are not vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH guest OS users to cause a denial of service (guest OS crash) because VMX VMEntry checks mishandle a certain case. Please see XSA-260 for background on the MovSS shadow. Please see XSA-156 for background on the need for #DB interception. The VMX VMEntry checks do not like the exact combination of state which occurs when #DB in intercepted, Single Stepping is active, and blocked by STI/MovSS is active, despite this being a legitimate state to be in. The resulting VMEntry failure is fatal to the guest. HVM/PVH guest userspace code may be able to crash the guest, resulting in a guest Denial of Service. All versions of Xen are affected. Only systems supporting VMX hardware virtual extensions (Intel, Cyrix, or Zhaoxin CPUs) are affected. Arm and AMD systems are unaffected. Only HVM/PVH guests are affected. PV guests cannot leverage the vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| opensuse | leap | 15.1 |
| xen | xen | * |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. As a consequence, it may be possible to have a writer executing a critical section at the same time as readers or another writer. In other words, many of the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest could exploit the race. For instance, there is a small window where Xen can leak memory if XENMAPSPACE_grant_table is used concurrently. A malicious guest may be able to leak memory, or cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 1.1 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| opensuse | leap | 15.1 |
| fedoraproject | fedora | 32 |
| xen | xen | * |
| xen | xen | 4.13.0 |
| fedoraproject | fedora | 30 |
| fedoraproject | fedora | 31 |
An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-212,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| opensuse | leap | 15.1 |
| fedoraproject | fedora | 32 |
| xen | xen | * |
| xen | xen | 4.13.0 |
| fedoraproject | fedora | 30 |
| fedoraproject | fedora | 31 |
An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (with active profiling) to obtain sensitive information about other guests, cause a denial of service, or possibly gain privileges. For guests for which "active" profiling was enabled by the administrator, the xenoprof code uses the standard Xen shared ring structure. Unfortunately, this code did not treat the guest as a potential adversary: it trusts the guest not to modify buffer size information or modify head / tail pointers in unexpected ways. This can crash the host (DoS). Privilege escalation cannot be ruled out.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-909,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| opensuse | leap | 15.1 |
| fedoraproject | fedora | 32 |
| xen | xen | * |
| xen | xen | 4.13.0 |
| fedoraproject | fedora | 30 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of bad continuation handling in GNTTABOP_copy. Grant table operations are expected to return 0 for success, and a negative number for errors. The fix for CVE-2017-12135 introduced a path through grant copy handling where success may be returned to the caller without any action taken. In particular, the status fields of individual operations are left uninitialised, and may result in errant behaviour in the caller of GNTTABOP_copy. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to copy a grant, it hits the incorrect exit path. This returns success to the caller without doing anything, which may cause crashes or other incorrect behaviour.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 32 |
| xen | xen | * |
| xen | xen | 4.13.0 |
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of a bad error path in GNTTABOP_map_grant. Grant table operations are expected to return 0 for success, and a negative number for errors. Some misplaced brackets cause one error path to return 1 instead of a negative value. The grant table code in Linux treats this condition as success, and proceeds with incorrectly initialised state. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to map a grant, it hits the incorrect error path. This will crash a Linux based dom0 or backend domain.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-755,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 32 |
| xen | xen | * |
| xen | xen | 4.13.0 |
An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash. An inverted conditional in x86 HVM guests' dirty video RAM tracking code allows such guests to make Xen de-reference a pointer guaranteed to point at unmapped space. A malicious or buggy HVM guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Xen versions from 4.8 onwards are affected. Xen versions 4.7 and earlier are not affected. Only x86 systems are affected. Arm systems are not affected. Only x86 HVM guests using shadow paging can leverage the vulnerability. In addition, there needs to be an entity actively monitoring a guest's video frame buffer (typically for display purposes) in order for such a guest to be able to leverage the vulnerability. x86 PV guests, as well as x86 HVM guests using hardware assisted paging (HAP), cannot leverage the vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash because of a missing alignment check in VCPUOP_register_vcpu_info. The hypercall VCPUOP_register_vcpu_info is used by a guest to register a shared region with the hypervisor. The region will be mapped into Xen address space so it can be directly accessed. On Arm, the region is accessed with instructions that require a specific alignment. Unfortunately, there is no check that the address provided by the guest will be correctly aligned. As a result, a malicious guest could cause a hypervisor crash by passing a misaligned address. A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of Service (DoS). All Xen versions are vulnerable. Only Arm systems are vulnerable. x86 systems are not affected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| xen | xen | * |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2 onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| opensuse | leap | 15.1 |
| fedoraproject | fedora | 32 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handling in event-channel port allocation. The allocation of an event-channel port may fail for multiple reasons: (1) port is already in use, (2) the memory allocation failed, or (3) the port we try to allocate is higher than what is supported by the ABI (e.g., 2L or FIFO) used by the guest or the limit set by an administrator (max_event_channels in xl cfg). Due to the missing error checks, only (1) will be considered an error. All the other cases will provide a valid port and will result in a crash when trying to access the event channel. When the administrator configured a guest to allow more than 1023 event channels, that guest may be able to crash the host. When Xen is out-of-memory, allocation of new event channels will result in crashing the host rather than reporting an error. Xen versions 4.10 and later are affected. All architectures are affected. The default configuration, when guests are created with xl/libxl, is not vulnerable, because of the default event-channel limit.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-754,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE. When mapping guest EPT (nested paging) tables, Xen would in some circumstances use a series of non-atomic bitfield writes. Depending on the compiler version and optimisation flags, Xen might expose a dangerous partially written PTE to the hardware, which an attacker might be able to race to exploit. A guest administrator or perhaps even an unprivileged guest user might be able to cause denial of service, data corruption, or privilege escalation. Only systems using Intel CPUs are vulnerable. Systems using AMD CPUs, and Arm systems, are not vulnerable. Only systems using nested paging (hap, aka nested paging, aka in this case Intel EPT) are vulnerable. Only HVM and PVH guests can exploit the vulnerability. The presence and scope of the vulnerability depends on the precise optimisations performed by the compiler used to build Xen. If the compiler generates (a) a single 64-bit write, or (b) a series of read-modify-write operations in the same order as the source code, the hypervisor is not vulnerable. For example, in one test build using GCC 8.3 with normal settings, the compiler generated multiple (unlocked) read-modify-write operations in source-code order, which did not constitute a vulnerability. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code-generation options). The source code clearly violates the C rules, and thus should be considered vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 1.1 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| opensuse | leap | 15.1 |
| fedoraproject | fedora | 32 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap mishandling causes a loss of synchronization between the I/O bitmaps of TSS and Xen, aka CID-cadfad870154.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-276,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | * |
| netapp | steelstore_cloud_integrated_storage | - |
| netapp | cloud_backup | - |
| xen | xen | * |
| netapp | solidfire_baseboard_management_controller | - |
An issue was discovered in Xen through 4.14.x. The PCI passthrough code improperly uses register data. Code paths in Xen's MSI handling have been identified that act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect these registers, experience shows that it's very common for devices to have out-of-spec "backdoor" operations that can affect the result of these reads. A not fully trusted guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. Privilege escalation and information leaks cannot be excluded. All versions of Xen supporting PCI passthrough are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only guests with passed through PCI devices may be able to leverage the vulnerability. Only systems passing through devices with out-of-spec ("backdoor") functionality can cause issues. Experience shows that such out-of-spec functionality is common; unless you have reason to believe that your device does not have such functionality, it's better to assume that it does.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. This causes the guest kernel to observe a kernel-privilege #GP fault (typically fatal) rather than a user-privilege #GP fault (usually converted into SIGSEGV/etc.). Malicious or buggy userspace can crash the guest kernel, resulting in a VM Denial of Service. All versions of Xen from 3.2 onwards are vulnerable. Only x86 systems are vulnerable. ARM platforms are not vulnerable. Only x86 systems that support the SYSENTER instruction in 64bit mode are vulnerable. This is believed to be Intel, Centaur, and Shanghai CPUs. AMD and Hygon CPUs are not believed to be vulnerable. Only x86 PV guests can exploit the vulnerability. x86 PVH / HVM guests cannot exploit the vulnerability.
CVSS 2.0
Severity: LOW
Problem Type: CWE-74,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. However, operations like the resetting of all event channels may involve decreasing one of the bounds checked when determining validity. This may lead to bug checks triggering, crashing the host. An unprivileged guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. All Xen versions from 4.4 onwards are vulnerable. Xen versions 4.3 and earlier are not vulnerable. Only systems with untrusted guests permitted to create more than the default number of event channels are vulnerable. This number depends on the architecture and type of guest. For 32-bit x86 PV guests, this is 1023; for 64-bit x86 PV guests, and for all ARM guests, this number is 4095. Systems where untrusted guests are limited to fewer than this number are not vulnerable. Note that xl and libxl limit max_event_channels to 1023 by default, so systems using exclusively xl, libvirt+libxl, or their own toolstack based on libxl, and not explicitly setting max_event_channels, are not vulnerable.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-755,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error path. The RCU (Read, Copy, Update) mechanism is a synchronisation primitive. A buggy error path in the XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar to forgetting to unlock a spinlock. A buggy or malicious HVM stubdomain can cause an RCU reference to be leaked. This causes subsequent administration operations, (e.g., CPU offline) to livelock, resulting in a host Denial of Service. The buggy codepath has been present since Xen 4.12. Xen 4.14 and later are vulnerable to the DoS. The side effects are believed to be benign on Xen 4.12 and 4.13, but patches are provided nevertheless. The vulnerability can generally only be exploited by x86 HVM VMs, as these are generally the only type of VM that have a Qemu stubdomain. x86 PV and PVH domains, as well as ARM VMs, typically don't use a stubdomain. Only VMs using HVM stubdomains can exploit the vulnerability. VMs using PV stubdomains, or with emulators running in dom0, cannot exploit the vulnerability.
CVSS 2.0
Severity: LOW
Problem Type: CWE-670,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory accesses or triggering of bug checks. In particular, x86 PV guests may be able to elevate their privilege to that of the host. Host and guest crashes are also possible, leading to a Denial of Service (DoS). Information leaks cannot be ruled out. All Xen versions from 4.5 onwards are vulnerable. Xen versions 4.4 and earlier are not vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains can use only 1023 channels, due to limited space in their shared (between guest and Xen) information structure, whereas all other domains can use up to 4095 in this model. The recording of the respective limit during domain initialization, however, has occurred at a time where domains are still deemed to be 64-bit ones, prior to actually honoring respective domain properties. At the point domains get recognized as 32-bit ones, the limit didn't get updated accordingly. Due to this misbehavior in Xen, 32-bit domains (including Domain 0) servicing other domains may observe event channel allocations to succeed when they should really fail. Subsequent use of such event channels would then possibly lead to corruption of other parts of the shared info structure. An unprivileged guest may cause another domain, in particular Domain 0, to misbehave. This may lead to a Denial of Service (DoS) for the entire system. All Xen versions from 4.4 onwards are vulnerable. Xen versions 4.3 and earlier are not vulnerable. Only x86 32-bit domains servicing other domains are vulnerable. Arm systems, as well as x86 64-bit domains, are not vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.14.x. There is a lack of preemption in evtchn_reset() / evtchn_destroy(). In particular, the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these (when resetting all event channels or when cleaning up after the guest) may take extended periods of time. So far, there was no arrangement for preemption at suitable intervals, allowing a CPU to spend an almost unbounded amount of time in the processing of these operations. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. All Xen versions are vulnerable in principle. Whether versions 4.3 and older are vulnerable depends on underlying hardware characteristics.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.14.x. An x86 PV guest can trigger a host OS crash when handling guest access to MSR_MISC_ENABLE. When a guest accesses certain Model Specific Registers, Xen first reads the value from hardware to use as the basis for auditing the guest access. For the MISC_ENABLE MSR, which is an Intel specific MSR, this MSR read is performed without error handling for a #GP fault, which is the consequence of trying to read this MSR on non-Intel hardware. A buggy or malicious PV guest administrator can crash Xen, resulting in a host Denial of Service. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only Xen versions 4.11 and onwards are vulnerable. 4.10 and earlier are not vulnerable. Only x86 systems that do not implement the MISC_ENABLE MSR (0x1a0) are vulnerable. AMD and Hygon systems do not implement this MSR and are vulnerable. Intel systems do implement this MSR and are not vulnerable. Other manufacturers have not been checked. Only x86 PV guests can exploit the vulnerability. x86 HVM/PVH guests cannot exploit the vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.0 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H | 1.5 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-755,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.14.x. There are missing memory barriers when accessing/allocating an event channel. Event channels control structures can be accessed lockless as long as the port is considered to be valid. Such a sequence is missing an appropriate memory barrier (e.g., smp_*mb()) to prevent both the compiler and CPU from re-ordering access. A malicious guest may be able to cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded. Systems running all versions of Xen are affected. Whether a system is vulnerable will depend on the CPU and compiler used to build Xen. For all systems, the presence and the scope of the vulnerability depend on the precise re-ordering performed by the compiler used to build Xen. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code generation options). GCC documentation clearly suggests that re-ordering is possible. Arm systems will also be vulnerable if the CPU is able to re-order memory access. Please consult your CPU vendor. x86 systems are only vulnerable if a compiler performs re-ordering.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-670,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.14.x. There is a race condition when migrating timers between x86 HVM vCPUs. When migrating timers of x86 HVM guests between its vCPUs, the locking model used allows for a second vCPU of the same guest (also operating on the timers) to release a lock that it didn't acquire. The most likely effect of the issue is a hang or crash of the hypervisor, i.e., a Denial of Service (DoS). All versions of Xen are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only x86 HVM guests can leverage the vulnerability. x86 PV and PVH cannot leverage the vulnerability. Only guests with more than one vCPU can exploit the vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.7 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.0 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a denial of service (data corruption), cause a data leak, or possibly gain privileges because an AMD IOMMU page-table entry can be half-updated.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 1.1 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-345,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| opensuse | leap | 15.1 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.14.x allowing x86 HVM and PVH guest OS users to cause a denial of service (data corruption), cause a data leak, or possibly gain privileges because coalescing of per-page IOMMU TLB flushes is mishandled.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 1.1 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| opensuse | leap | 15.1 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a host OS denial of service, achieve data corruption, or possibly gain privileges by exploiting a race condition that leads to a use-after-free involving 2MiB and 1GiB superpages.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| opensuse | leap | 15.1 |
| xen | xen | * |
| opensuse | leap | 15.2 |
| fedoraproject | fedora | 31 |
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | * |
| opensuse | leap | 15.1 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
| opensuse | leap | 15.2 |
| linux | linux_kernel | 5.10 |
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 1.8 | 3.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
| fedoraproject | fedora | 31 |
Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 0.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-862,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| xen | xen | * |
An issue was discovered in Xen through 4.14.x allowing x86 HVM guest OS users to cause a denial of service (stack corruption), cause a data leak, or possibly gain privileges because of an off-by-one error. NOTE: this issue is caused by an incorrect fix for CVE-2020-27671.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-193,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
An issue was discovered in Xen through 4.14.x. In the Ocaml xenstored implementation, the internal representation of the tree has special cases for the root node, because this node has no parent. Unfortunately, permissions were not checked for certain operations on the root node. Unprivileged guests can get and modify permissions, list, and delete the root node. (Deleting the whole xenstore tree is a host-wide denial of service.) Achieving xenstore write access is also possible. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-862,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
An issue was discovered in Xen through 4.14.x. Neither xenstore implementation does any permission checks when reporting a xenstore watch event. A guest administrator can watch the root xenstored node, which will cause notifications for every created, modified, and deleted key. A guest administrator can also use the special watches, which will cause a notification every time a domain is created and destroyed. Data may include: number, type, and domids of other VMs; existence and domids of driver domains; numbers of virtual interfaces, block devices, vcpus; existence of virtual framebuffers and their backend style (e.g., existence of VNC service); Xen VM UUIDs for other domains; timing information about domain creation and device setup; and some hints at the backend provisioning of VMs and their devices. The watch events do not contain values stored in xenstore, only key names. A guest administrator can observe non-sensitive domain and device lifecycle events relating to other guests. This information allows some insight into overall system configuration (including the number and general nature of other guests), and configuration of other guests (including the number and general nature of other guests' devices). This information might be commercially interesting or might make other attacks easier. There is not believed to be exposure of sensitive data. Specifically, there is no exposure of VNC passwords, port numbers, pathnames in host and guest filesystems, cryptographic keys, or within-guest data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 2.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N | 0.8 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-862,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
An issue was discovered in Xen through 4.14.x. Access rights of Xenstore nodes are per domid. Unfortunately, existing granted access rights are not removed when a domain is being destroyed. This means that a new domain created with the same domid will inherit the access rights to Xenstore nodes from the previous domain(s) with the same domid. Because all Xenstore entries of a guest below /local/domain/<domid> are being deleted by Xen tools when a guest is destroyed, only Xenstore entries of other guests still running are affected. For example, a newly created guest domain might be able to read sensitive information that had belonged to a previously existing guest domain. Both Xenstore implementations (C and Ocaml) are vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
An issue was discovered in Xen through 4.14.x. A guest may access xenstore paths via absolute paths containing a full pathname, or via a relative path, which implicitly includes /local/domain/$DOMID for their own domain id. Management tools must access paths in guests' namespaces, necessarily using absolute paths. oxenstored imposes a pathname limit that is applied solely to the relative or absolute path specified by the client. Therefore, a guest can create paths in its own namespace which are too long for management tools to access. Depending on the toolstack in use, a malicious guest administrator might cause some management tools and debugging operations to fail. For example, a guest administrator can cause "xenstore-ls -r" to fail. However, a guest administrator cannot prevent the host administrator from tearing down the domain. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.0 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H | 1.5 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-426,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
An issue was discovered in Xen through 4.14.x. Xenstored and guests communicate via a shared memory page using a specific protocol. When a guest violates this protocol, xenstored will drop the connection to that guest. Unfortunately, this is done by just removing the guest from xenstored's internal management, resulting in the same actions as if the guest had been destroyed, including sending an @releaseDomain event. @releaseDomain events do not say that the guest has been removed. All watchers of this event must look at the states of all guests to find the guest that has been removed. When an @releaseDomain is generated due to a domain xenstored protocol violation, because the guest is still running, the watchers will not react. Later, when the guest is actually destroyed, xenstored will no longer have it stored in its internal data base, so no further @releaseDomain event will be sent. This can lead to a zombie domain; memory mappings of that guest's memory will not be removed, due to the missing event. This zombie domain will be cleaned up only after another domain is destroyed, as that will trigger another @releaseDomain event. If the device model of the guest that violated the Xenstore protocol is running in a stub-domain, a use-after-free case could happen in xenstored, after having removed the guest from its internal data base, possibly resulting in a crash of xenstored. A malicious guest can block resources of the host for a period after its own death. Guests with a stub domain device model can eventually crash xenstored, resulting in a more serious denial of service (the prevention of any further domain management operations). Only the C variant of Xenstore is affected; the Ocaml variant is not affected. Only HVM guests with a stubdom device model can cause a serious DoS.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
An issue was discovered in Xen through 4.14.x. When a Xenstore watch fires, the xenstore client that registered the watch will receive a Xenstore message containing the path of the modified Xenstore entry that triggered the watch, and the tag that was specified when registering the watch. Any communication with xenstored is done via Xenstore messages, consisting of a message header and the payload. The payload length is limited to 4096 bytes. Any request to xenstored resulting in a response with a payload longer than 4096 bytes will result in an error. When registering a watch, the payload length limit applies to the combined length of the watched path and the specified tag. Because watches for a specific path are also triggered for all nodes below that path, the payload of a watch event message can be longer than the payload needed to register the watch. A malicious guest that registers a watch using a very large tag (i.e., with a registration operation payload length close to the 4096 byte limit) can cause the generation of watch events with a payload length larger than 4096 bytes, by writing to Xenstore entries below the watched path. This will result in an error condition in xenstored. This error can result in a NULL pointer dereference, leading to a crash of xenstored. A malicious guest administrator can cause xenstored to crash, leading to a denial of service. Following a xenstored crash, domains may continue to run, but management operations will be impossible. Only C xenstored is affected, oxenstored is not affected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.0 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H | 1.5 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
An issue was discovered in Xen 4.6 through 4.14.x. When acting upon a guest XS_RESET_WATCHES request, not all tracking information is freed. A guest can cause unbounded memory usage in oxenstored. This can lead to a system-wide DoS. Only systems using the Ocaml Xenstored implementation are vulnerable. Systems using the C Xenstored implementation are not vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-401,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
An issue was discovered in Xen through 4.14.x. Nodes in xenstore have an ownership. In oxenstored, a owner could give a node away. However, node ownership has quota implications. Any guest can run another guest out of quota, or create an unbounded number of nodes owned by dom0, thus running xenstored out of memory A malicious guest administrator can cause a denial of service against a specific guest or against the whole host. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.0 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H | 1.5 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
An issue was discovered in Xen XAPI before 2020-12-15. Certain xenstore keys provide feedback from the guest, and are therefore watched by toolstack. Specifically, keys are watched by xenopsd, and data are forwarded via RPC through message-switch to xapi. The watching logic in xenopsd sends one RPC update containing all data, any time any single xenstore key is updated, and therefore has O(N^2) time complexity. Furthermore, message-switch retains recent (currently 128) RPC messages for diagnostic purposes, yielding O(M*N) space complexity. The quantity of memory a single guest can monopolise is bounded by xenstored quota, but the quota is fairly large. It is believed to be in excess of 1G per malicious guest. In practice, this manifests as a host denial of service, either through message-switch thrashing against swap, or OOMing entirely, depending on dom0's configuration. (There are no quotas in xenopsd to limit the quantity of keys that result in RPC traffic.) A buggy or malicious guest can cause unreasonable memory usage in dom0, resulting in a host denial of service. All versions of XAPI are vulnerable. Systems that are not using the XAPI toolstack are not vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xapi | * |
An issue was discovered in Xen through 4.14.x. When they require assistance from the device model, x86 HVM guests must be temporarily de-scheduled. The device model will signal Xen when it has completed its operation, via an event channel, so that the relevant vCPU is rescheduled. If the device model were to signal Xen without having actually completed the operation, the de-schedule / re-schedule cycle would repeat. If, in addition, Xen is resignalled very quickly, the re-schedule may occur before the de-schedule was fully complete, triggering a shortcut. This potentially repeating process uses ordinary recursive function calls, and thus could result in a stack overflow. A malicious or buggy stubdomain serving a HVM guest can cause Xen to crash, resulting in a Denial of Service (DoS) to the entire host. Only x86 systems are affected. Arm systems are not affected. Only x86 stubdomains serving HVM guests can exploit the vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-674,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
An issue was discovered in Xen 4.14.x. When moving IRQs between CPUs to distribute the load of IRQ handling, IRQ vectors are dynamically allocated and de-allocated on the relevant CPUs. De-allocation has to happen when certain constraints are met. If these conditions are not met when first checked, the checking CPU may send an interrupt to itself, in the expectation that this IRQ will be delivered only after the condition preventing the cleanup has cleared. For two specific IRQ vectors, this expectation was violated, resulting in a continuous stream of self-interrupts, which renders the CPU effectively unusable. A domain with a passed through PCI device can cause lockup of a physical CPU, resulting in a Denial of Service (DoS) to the entire host. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only guests with physical PCI devices passed through to them can exploit the vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.5 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 33 |
| xen | xen | * |
An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | * |
| debian | debian_linux | 10.0 |
| netapp | solidfire_&_hci_management_node | - |
| xen | xen | * |
| debian | debian_linux | 9.0 |
| netapp | solidfire_&_hci_storage_node | - |
| netapp | hci_compute_node_bios | - |
An issue was discovered in Xen through 4.14.x. Recording of the per-vCPU control block mapping maintained by Xen and that of pointers into the control block is reversed. The consumer assumes, seeing the former initialized, that the latter are also ready for use. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.5 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
An issue was discovered in Xen through 4.14.x. A bounds check common to most operation time functions specific to FIFO event channels depends on the CPU observing consistent state. While the producer side uses appropriately ordered writes, the consumer side isn't protected against re-ordered reads, and may hence end up de-referencing a NULL pointer. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. Only Arm systems may be vulnerable. Whether a system is vulnerable depends on the specific CPU. x86 systems are not vulnerable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.5 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
Potential speculative code store bypass in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution of overwritten instructions, may cause an incorrect speculation and could result in data leakage.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-208,CWE-203,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| intel | core_i7-7700k | - |
| broadcom | bcm2711 | - |
| xen | xen | * |
| intel | xeon_silver_4214 | - |
| intel | core_i9-9900k | - |
| intel | core_i7-10700k | - |
| arm | cortex-a72 | - |
Potential floating point value injection in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution with incorrect floating point results, may cause the use of incorrect data from FPVI and may result in data leakage.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-208,CWE-203,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| intel | core_i7-7700k | - |
| broadcom | bcm2711 | - |
| fedoraproject | fedora | 33 |
| xen | xen | * |
| intel | xeon_silver_4214 | - |
| intel | core_i9-9900k | - |
| intel | core_i7-10700k | - |
| fedoraproject | fedora | 34 |
| arm | cortex-a72 | - |
An issue was discovered in Xen 4.9 through 4.14.x. On Arm, a guest is allowed to control whether memory accesses are bypassing the cache. This means that Xen needs to ensure that all writes (such as the ones during scrubbing) have reached the memory before handing over the page to a guest. Unfortunately, the operation to clean the cache is happening before checking if the page was scrubbed. Therefore there is no guarantee when all the writes will reach the memory.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM guest OS users to achieve unintended read/write DMA access, and possibly cause a denial of service (host OS crash) or gain privileges. This occurs because a backport missed a flush, and thus IOMMU updates were not always correct. NOTE: this issue exists because of an incomplete fix for CVE-2020-15565.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| xen | xen | * |
An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of I/O activity. The issue relates to misuse of guest physical addresses when a configuration has CONFIG_XEN_UNPOPULATED_ALLOC but not CONFIG_XEN_BALLOON_MEMORY_HOTPLUG.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-131,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | * |
| netapp | cloud_backup | - |
| xen | xen | - |
| netapp | solidfire_baseboard_management_controller_firmware | - |
HVM soft-reset crashes toolstack libxl requires all data structures passed across its public interface to be initialized before use and disposed of afterwards by calling a specific set of functions. Many internal data structures also require this initialize / dispose discipline, but not all of them. When the "soft reset" feature was implemented, the libxl__domain_suspend_state structure didn't require any initialization or disposal. At some point later, an initialization function was introduced for the structure; but the "soft reset" path wasn't refactored to call the initialization function. When a guest nwo initiates a "soft reboot", uninitialized data structure leads to an assert() when later code finds the structure in an unexpected state. The effect of this is to crash the process monitoring the guest. How this affects the system depends on the structure of the toolstack. For xl, this will have no security-relevant effect: every VM has its own independent monitoring process, which contains no state. The domain in question will hang in a crashed state, but can be destroyed by `xl destroy` just like any other non-cooperating domain. For daemon-based toolstacks linked against libxl, such as libvirt, this will crash the toolstack, losing the state of any in-progress operations (localized DoS), and preventing further administrator operations unless the daemon is configured to restart automatically (system-wide DoS). If crashes "leak" resources, then repeated crashes could use up resources, also causing a system-wide DoS.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-909,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.15.0 |
| xen | xen | * |
x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests 32-bit x86 PV guest kernels run in ring 1. At the time when Xen was developed, this area of the i386 architecture was rarely used, which is why Xen was able to use it to implement paravirtualisation, Xen's novel approach to virtualization. In AMD64, Xen had to use a different implementation approach, so Xen does not use ring 1 to support 64-bit guests. With the focus now being on 64-bit systems, and the availability of explicit hardware support for virtualization, fixing speculation issues in ring 1 is not a priority for processor companies. Indirect Branch Restricted Speculation (IBRS) is an architectural x86 extension put together to combat speculative execution sidechannel attacks, including Spectre v2. It was retrofitted in microcode to existing CPUs. For more details on Spectre v2, see: http://xenbits.xen.org/xsa/advisory-254.html However, IBRS does not architecturally protect ring 0 from predictions learnt in ring 1. For more details, see: https://software.intel.com/security-software-guidance/deep-dives/deep-dive-indirect-branch-restricted-speculation Similar situations may exist with other mitigations for other kinds of speculative execution attacks. The situation is quite likely to be similar for speculative execution attacks which have yet to be discovered, disclosed, or mitigated.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-212,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
x86: TSX Async Abort protections not restored after S3 This issue relates to the TSX Async Abort speculative security vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html for details. Mitigating TAA by disabling TSX (the default and preferred option) requires selecting a non-default setting in MSR_TSX_CTRL. This setting isn't restored after S3 suspend.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.15.0 |
| xen | xen | * |
inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the most recently issued command(s). Some of these waiting loops try to apply a timeout to fail overly-slow commands. The course of action upon a perceived timeout actually being detected is inappropriate: - on Intel hardware guests which did not originally cause the timeout may be marked as crashed, - on AMD hardware higher layer callers would not be notified of the issue, making them continue as if the IOMMU operation succeeded.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H | 1.8 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
xen/arm: Boot modules are not scrubbed The bootloader will load boot modules (e.g. kernel, initramfs...) in a temporary area before they are copied by Xen to each domain memory. To ensure sensitive data is not leaked from the modules, Xen must "scrub" them before handing the page over to the allocator. Unfortunately, it was discovered that modules will not be scrubbed on Arm.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.15.0 |
| xen | xen | * |
IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 33 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 33 |
| xen | xen | * |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-863,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 33 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
grant table v2 status pages may remain accessible after de-allocation Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 33 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
long running loops in grant table handling In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In the process of carrying out certain actions, Xen would iterate over all such entries, including ones which aren't in use anymore and some which may have been created but never used. If the number of entries for a given domain is large enough, this iterating of the entire table may tie up a CPU for too long, starving other domains or causing issues in the hypervisor itself. Note that a domain may map its own grants, i.e. there is no need for multiple domains to be involved here. A pair of "cooperating" guests may, however, cause the effects to be more severe.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 33 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 33 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
xen/arm: No memory limit for dom0less domUs The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit from them is not set. This allow a domain to allocate memory beyond what an administrator originally configured.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 1.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 33 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 1.1 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 33 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
PCI devices with RMRRs not deassigned correctly Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR"). These are typically used for platform tasks such as legacy USB emulation. If such a device is passed through to a guest, then on guest shutdown the device is not properly deassigned. The IOMMU configuration for these devices which are not properly deassigned ends up pointing to a freed data structure, including the IO Pagetables. Subsequent DMA or interrupts from the device will have unpredictable behaviour, ranging from IOMMU faults to memory corruption.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.6 | HIGH | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 0.9 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 33 |
| xen | xen | * |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes. This bug was fortuitously fixed by code cleanup in Xen 4.14, and backported to security-supported Xen branches as a prerequisite of the fix for XSA-378.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. There are two code paths affected - page removal (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix to both issues.)
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-755,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.15.0 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
| xen | xen | 4.15.1 |
guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be the overflowed (and hence small) number which gets compared against the established upper bound.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H | 3.9 | 4.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. There are two code paths affected - page removal (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix to both issues.)
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-755,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.15.0 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
| xen | xen | 4.15.1 |
certain VT-d IOMMUs may not work in shared page table mode For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3 page table levels. In such a configuration the lop level table needs to be stripped before inserting the root table's address into the hardware pagetable base register. When sharing page tables, Xen erroneously skipped this stripping. Consequently, the guest is able to write to leaf page table entries.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.15.0 |
| fedoraproject | fedora | 35 |
Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| debian | debian_linux | 11.0 |
| debian | debian_linux | 9.0 |
| xen | xen | - |
Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| debian | debian_linux | 11.0 |
| debian | debian_linux | 9.0 |
| xen | xen | - |
Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| debian | debian_linux | 11.0 |
| debian | debian_linux | 9.0 |
| xen | xen | - |
An issue was discovered in Xen 4.12.3 through 4.12.4 and 4.13.1 through 4.14.x. An x86 HVM guest with PCI pass through devices can force the allocation of all IDT vectors on the system by rebooting itself with MSI or MSI-X capabilities enabled and entries setup. Such reboots will leak any vectors used by the MSI(-X) entries that the guest might had enabled, and hence will lead to vector exhaustion on the system, not allowing further PCI pass through devices to work properly. HVM guests with PCI pass through devices can mount a Denial of Service (DoS) attack affecting the pass through of PCI devices to other guests or the hardware domain. In the latter case, this would affect the entire host.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 32 |
| xen | xen | * |
| xen | xen | 4.12.4 |
| xen | xen | 4.12.3 |
Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-459,CWE-459,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| intel | sgx_dcap | * |
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| debian | debian_linux | 9.0 |
| intel | sgx_psw | * |
| fedoraproject | fedora | 35 |
| vmware | esxi | 7.0 |
| intel | sgx_sdk | * |
Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-459,CWE-459,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| intel | sgx_dcap | * |
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| debian | debian_linux | 9.0 |
| intel | sgx_psw | * |
| fedoraproject | fedora | 35 |
| vmware | esxi | 7.0 |
| intel | sgx_sdk | * |
Incomplete cleanup in specific special register read operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVSS 2.0
Severity: LOW
Problem Type: CWE-459,CWE-459,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| intel | sgx_dcap | * |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| intel | sgx_psw | * |
| intel | sgx_sdk | * |
Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-459,CWE-459,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| intel | sgx_dcap | * |
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| debian | debian_linux | 9.0 |
| intel | sgx_psw | * |
| fedoraproject | fedora | 35 |
| vmware | esxi | 7.0 |
| intel | sgx_sdk | * |
arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-404,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 34 |
A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-191,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 11.0 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 34 |
Insufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be retried. When multiple interrupts are involved, this scheduling of a retry may get erroneously skipped. At the same time pointers may get cleared (resulting in a de-reference of NULL) and freed (resulting in a use-after-free), while other code would continue to assume them to be valid.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.6 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 0.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-459,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 34 |
Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| xen | xen | - |
Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| xen | xen | - |
Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| xen | xen | - |
Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| xen | xen | - |
Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| xen | xen | - |
Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| xen | xen | - |
Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| xen | xen | - |
IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| amd | ryzen_5_3450g_firmware | - |
| amd | ryzen_threadripper_pro_5965wx_firmware | - |
| amd | athlon_x4_830_firmware | - |
| amd | a10-9600p_firmware | - |
| amd | ryzen_3_5400u_firmware | - |
| amd | athlon_gold_3150u_firmware | - |
| amd | epyc_7252_firmware | - |
| amd | epyc_7282_firmware | - |
| amd | ryzen_7_5825u_firmware | - |
| amd | ryzen_5_2600_firmware | - |
| amd | epyc_7402p_firmware | - |
| amd | ryzen_threadripper_2970wx_firmware | - |
| amd | ryzen_3_3250u_firmware | - |
| amd | epyc_7543_firmware | - |
| amd | ryzen_7_5825c_firmware | - |
| amd | epyc_7373x_firmware | - |
| amd | ryzen_9_4900h_firmware | - |
| amd | epyc_7f72_firmware | - |
| amd | a10-9630p_firmware | - |
| amd | ryzen_3_4300g_firmware | - |
| amd | epyc_7573x_firmware | - |
| amd | ryzen_7_3750h_firmware | - |
| amd | epyc_7402_firmware | - |
| amd | athlon_x4_940_firmware | - |
| amd | a12-9700p_firmware | - |
| amd | ryzen_threadripper_3960x_firmware | - |
| amd | epyc_7551_firmware | - |
| amd | ryzen_7_4700u_firmware | - |
| amd | ryzen_5_2600h_firmware | - |
| amd | ryzen_5_2600x_firmware | - |
| amd | ryzen_9_5980hs_firmware | - |
| amd | epyc_7543p_firmware | - |
| amd | ryzen_3_3300u_firmware | - |
| amd | ryzen_5_3400g_firmware | - |
| amd | epyc_7h12_firmware | - |
| amd | ryzen_3_5425c_firmware | - |
| amd | epyc_72f3_firmware | - |
| amd | epyc_7281_firmware | - |
| amd | epyc_7343_firmware | - |
| amd | ryzen_7_2700x_firmware | - |
| amd | epyc_7351p_firmware | - |
| amd | epyc_7302p_firmware | - |
| amd | athlon_silver_3050u_firmware | - |
| amd | ryzen_3_5125c_firmware | - |
| amd | epyc_7301_firmware | - |
| amd | a6-9210_firmware | - |
| amd | epyc_74f3_firmware | - |
| amd | ryzen_3_3200u_firmware | - |
| amd | ryzen_5_5600u_firmware | - |
| amd | ryzen_5_5600hs_firmware | - |
| amd | epyc_7351_firmware | - |
| amd | epyc_7643_firmware | - |
| amd | ryzen_threadripper_pro_3795wx_firmware | - |
| amd | epyc_7513_firmware | - |
| fedoraproject | fedora | 37 |
| amd | ryzen_7_2700_firmware | - |
| amd | epyc_7662_firmware | - |
| amd | epyc_7302_firmware | - |
| amd | ryzen_5_4600u_firmware | - |
| amd | ryzen_threadripper_pro_3945wx_firmware | - |
| amd | epyc_7502p_firmware | - |
| amd | epyc_7773x_firmware | - |
| amd | ryzen_5_4600h_firmware | - |
| amd | ryzen_7_pro_3700u_firmware | - |
| amd | epyc_7413_firmware | - |
| amd | ryzen_3_4300ge_firmware | - |
| amd | epyc_7313_firmware | - |
| amd | a9-9420_firmware | - |
| amd | athlon_x4_835_firmware | - |
| amd | epyc_7713_firmware | - |
| amd | ryzen_3_3300g_firmware | - |
| amd | epyc_7552_firmware | - |
| amd | ryzen_5_3600_firmware | - |
| amd | ryzen_7_2700u_firmware | - |
| amd | epyc_7001_firmware | - |
| amd | ryzen_threadripper_3990x_firmware | - |
| amd | ryzen_3_2300u_firmware | - |
| amd | ryzen_7_3800x_firmware | - |
| amd | epyc_7371_firmware | - |
| amd | epyc_7262_firmware | - |
| amd | ryzen_5_3580u_firmware | - |
| amd | ryzen_3_5425u_firmware | - |
| amd | ryzen_5_5625u_firmware | - |
| amd | epyc_7473x_firmware | - |
| amd | ryzen_7_2800h_firmware | - |
| amd | ryzen_7_3780u_firmware | - |
| amd | ryzen_threadripper_3970x_firmware | - |
| amd | epyc_7713p_firmware | - |
| amd | epyc_7002_firmware | - |
| amd | epyc_7452_firmware | - |
| amd | ryzen_5_3600xt_firmware | - |
| amd | epyc_7551p_firmware | - |
| amd | ryzen_9_5900hs_firmware | - |
| amd | ryzen_7_5800hs_firmware | - |
| amd | epyc_7443p_firmware | - |
| amd | ryzen_5_3500u_firmware | - |
| amd | ryzen_7_5800u_firmware | - |
| amd | ryzen_7_5800h_firmware | - |
| xen | xen | - |
| amd | epyc_7f32_firmware | - |
| amd | epyc_7401_firmware | - |
| amd | epyc_7702_firmware | - |
| amd | ryzen_7_3800xt_firmware | - |
| amd | epyc_7642_firmware | - |
| amd | a12-9730p_firmware | - |
| amd | ryzen_7_4800h_firmware | - |
| amd | epyc_7763_firmware | - |
| amd | ryzen_3_2200u_firmware | - |
| amd | ryzen_9_5900hx_firmware | - |
| amd | ryzen_threadripper_pro_5955wx_firmware | - |
| amd | ryzen_threadripper_2950x_firmware | - |
| amd | ryzen_threadripper_pro_3955wx_firmware | - |
| amd | ryzen_5_3600x_firmware | - |
| amd | epyc_7501_firmware | - |
| amd | ryzen_threadripper_pro_3995wx_firmware | - |
| amd | athlon_x4_950_firmware | - |
| amd | ryzen_5_4600g_firmware | - |
| amd | ryzen_threadripper_pro_5945wx_firmware | - |
| amd | a4-9120_firmware | - |
| amd | ryzen_3_3300x_firmware | - |
| amd | epyc_7451_firmware | - |
| amd | athlon_x4_880k_firmware | - |
| amd | ryzen_7_4800u_firmware | - |
| amd | epyc_7272_firmware | - |
| amd | a6-9220_firmware | - |
| amd | ryzen_threadripper_pro_5995wx_firmware | - |
| amd | athlon_x4_970_firmware | - |
| amd | ryzen_threadripper_2920x_firmware | - |
| amd | ryzen_5_3550h_firmware | - |
| amd | epyc_7003_firmware | - |
| amd | athlon_x4_760k_firmware | - |
| amd | ryzen_7_3700x_firmware | - |
| amd | epyc_7601_firmware | - |
| fedoraproject | fedora | 35 |
| amd | ryzen_5_5625c_firmware | - |
| amd | epyc_7261_firmware | - |
| amd | ryzen_5_4600ge_firmware | - |
| amd | epyc_7663_firmware | - |
| amd | epyc_7542_firmware | - |
| amd | athlon_x4_860k_firmware | - |
| amd | a6-9220c_firmware | - |
| amd | ryzen_threadripper_2990wx_firmware | - |
| amd | a9-9410_firmware | - |
| amd | ryzen_7_4700ge_firmware | - |
| amd | ryzen_5_2700_firmware | - |
| amd | epyc_7742_firmware | - |
| amd | athlon_x4_870k_firmware | - |
| amd | ryzen_5_4500u_firmware | - |
| amd | ryzen_3_3100_firmware | - |
| amd | epyc_7313p_firmware | - |
| amd | ryzen_7_3700u_firmware | - |
| amd | athlon_x4_750_firmware | - |
| amd | epyc_7251_firmware | - |
| amd | epyc_7352_firmware | - |
| amd | ryzen_5_2500u_firmware | - |
| amd | epyc_7532_firmware | - |
| amd | epyc_7f52_firmware | - |
| amd | ryzen_5_5560u_firmware | - |
| amd | ryzen_9_5980hx_firmware | - |
| amd | epyc_7401p_firmware | - |
| amd | epyc_7443_firmware | - |
| amd | athlon_x4_845_firmware | - |
| amd | epyc_7502_firmware | - |
| amd | ryzen_7_4700g_firmware | - |
| amd | epyc_75f3_firmware | - |
| amd | ryzen_3_4300u_firmware | - |
| amd | ryzen_threadripper_pro_5975wx_firmware | - |
| amd | athlon_x4_840_firmware | - |
| amd | ryzen_5_2700x_firmware | - |
| amd | ryzen_5_5600h_firmware | - |
Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| arm | neoverse-v1_firmware | - |
| arm | cortex-x2_firmware | - |
| arm | cortex-a77_firmware | - |
| arm | neoverse-e1_firmware | - |
| arm | cortex-a72_firmware | - |
| debian | debian_linux | 9.0 |
| arm | cortex-a78_firmware | - |
| arm | cortex-a65ae_firmware | - |
| arm | neoverse_n1_firmware | - |
| arm | cortex-a78ae_firmware | - |
| arm | cortex-a710_firmware | - |
| arm | cortex-a65_firmware | - |
| arm | neoverse_n2_firmware | - |
| debian | debian_linux | 10.0 |
| arm | cortex-x1_firmware | - |
| arm | cortex-a57_firmware | - |
| arm | cortex-a73_firmware | - |
| arm | cortex-a75_firmware | - |
| xen | xen | - |
| arm | cortex-a76_firmware | - |
| arm | cortex-r8_firmware | - |
| arm | cortex-a76ae_firmware | - |
| arm | cortex-r7_firmware | - |
Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both operations and can lead to entries being added in already freed slots, resulting in a memory leak.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.6 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H | 1.1 | 4.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-667,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.5 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H | 1.8 | 5.2 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-401,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | * |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 36 |
| linux | linux_kernel | 5.19 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| linux | linux_kernel | 2.6.12 |
| fedoraproject | fedora | 35 |
Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | 2.0 | 4.0 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-212,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| amd | ryzen_5_3450g_firmware | - |
| amd | ryzen_threadripper_pro_5965wx_firmware | - |
| amd | athlon_x4_830_firmware | - |
| amd | a10-9600p_firmware | - |
| amd | athlon_gold_3150u_firmware | - |
| amd | epyc_7252_firmware | - |
| amd | epyc_7282_firmware | - |
| amd | ryzen_5_2600_firmware | - |
| amd | epyc_7402p_firmware | - |
| amd | ryzen_threadripper_2970wx_firmware | - |
| amd | ryzen_3_3250u_firmware | - |
| amd | ryzen_9_4900h_firmware | - |
| amd | epyc_7f72_firmware | - |
| amd | a10-9630p_firmware | - |
| amd | ryzen_3_4300g_firmware | - |
| amd | ryzen_7_3750h_firmware | - |
| amd | epyc_7402_firmware | - |
| amd | athlon_x4_940_firmware | - |
| amd | a12-9700p_firmware | - |
| amd | ryzen_threadripper_3960x_firmware | - |
| amd | epyc_7551_firmware | - |
| amd | ryzen_7_4700u_firmware | - |
| amd | ryzen_5_2600h_firmware | - |
| amd | ryzen_5_2600x_firmware | - |
| amd | ryzen_3_3300u_firmware | - |
| amd | ryzen_5_3400g_firmware | - |
| amd | epyc_7h12_firmware | - |
| amd | epyc_7281_firmware | - |
| amd | ryzen_7_2700x_firmware | - |
| amd | epyc_7351p_firmware | - |
| amd | epyc_7302p_firmware | - |
| amd | athlon_silver_3050u_firmware | - |
| amd | epyc_7301_firmware | - |
| amd | a6-9210_firmware | - |
| amd | ryzen_3_3200u_firmware | - |
| amd | epyc_7351_firmware | - |
| amd | ryzen_threadripper_pro_3795wx_firmware | - |
| amd | ryzen_7_2700_firmware | - |
| amd | epyc_7662_firmware | - |
| amd | epyc_7302_firmware | - |
| amd | ryzen_5_4600u_firmware | - |
| amd | ryzen_threadripper_pro_3945wx_firmware | - |
| amd | epyc_7502p_firmware | - |
| amd | ryzen_5_4600h_firmware | - |
| amd | ryzen_3_4300ge_firmware | - |
| amd | a9-9420_firmware | - |
| amd | athlon_x4_835_firmware | - |
| amd | ryzen_3_3300g_firmware | - |
| amd | epyc_7552_firmware | - |
| amd | ryzen_5_3600_firmware | - |
| amd | ryzen_7_2700u_firmware | - |
| amd | epyc_7001_firmware | - |
| amd | ryzen_threadripper_3990x_firmware | - |
| amd | ryzen_3_2300u_firmware | - |
| amd | ryzen_7_3800x_firmware | - |
| amd | epyc_7371_firmware | - |
| amd | epyc_7262_firmware | - |
| amd | ryzen_7_2800h_firmware | - |
| debian | debian_linux | 11.0 |
| amd | ryzen_threadripper_3970x_firmware | - |
| amd | epyc_7002_firmware | - |
| amd | epyc_7452_firmware | - |
| amd | ryzen_5_3600xt_firmware | - |
| amd | epyc_7551p_firmware | - |
| amd | ryzen_5_3500u_firmware | - |
| xen | xen | - |
| amd | epyc_7f32_firmware | - |
| amd | epyc_7401_firmware | - |
| amd | epyc_7702_firmware | - |
| amd | ryzen_7_3800xt_firmware | - |
| amd | epyc_7642_firmware | - |
| amd | a12-9730p_firmware | - |
| amd | ryzen_7_4800h_firmware | - |
| amd | ryzen_3_2200u_firmware | - |
| amd | ryzen_threadripper_pro_5955wx_firmware | - |
| amd | ryzen_threadripper_2950x_firmware | - |
| amd | ryzen_threadripper_pro_3955wx_firmware | - |
| amd | ryzen_5_3600x_firmware | - |
| amd | epyc_7501_firmware | - |
| amd | ryzen_threadripper_pro_3995wx_firmware | - |
| amd | athlon_x4_950_firmware | - |
| amd | ryzen_5_4600g_firmware | - |
| amd | ryzen_threadripper_pro_5945wx_firmware | - |
| amd | a4-9120_firmware | - |
| amd | ryzen_3_3300x_firmware | - |
| amd | epyc_7451_firmware | - |
| amd | athlon_x4_880k_firmware | - |
| amd | ryzen_7_4800u_firmware | - |
| amd | epyc_7272_firmware | - |
| amd | a6-9220_firmware | - |
| amd | ryzen_threadripper_pro_5995wx_firmware | - |
| amd | athlon_x4_970_firmware | - |
| amd | ryzen_threadripper_2920x_firmware | - |
| amd | ryzen_5_3550h_firmware | - |
| amd | athlon_x4_760k_firmware | - |
| fedoraproject | fedora | 36 |
| amd | ryzen_7_3700x_firmware | - |
| amd | epyc_7601_firmware | - |
| fedoraproject | fedora | 35 |
| amd | epyc_7261_firmware | - |
| amd | ryzen_5_4600ge_firmware | - |
| amd | epyc_7542_firmware | - |
| amd | athlon_x4_860k_firmware | - |
| amd | a6-9220c_firmware | - |
| amd | ryzen_threadripper_2990wx_firmware | - |
| amd | a9-9410_firmware | - |
| amd | ryzen_7_4700ge_firmware | - |
| amd | ryzen_5_2700_firmware | - |
| amd | epyc_7742_firmware | - |
| amd | athlon_x4_870k_firmware | - |
| amd | ryzen_5_4500u_firmware | - |
| amd | ryzen_3_3100_firmware | - |
| amd | ryzen_7_3700u_firmware | - |
| amd | athlon_x4_750_firmware | - |
| amd | epyc_7251_firmware | - |
| amd | epyc_7352_firmware | - |
| amd | ryzen_5_2500u_firmware | - |
| amd | epyc_7532_firmware | - |
| amd | epyc_7f52_firmware | - |
| amd | epyc_7401p_firmware | - |
| amd | athlon_x4_845_firmware | - |
| amd | epyc_7502_firmware | - |
| amd | ryzen_7_4700g_firmware | - |
| amd | ryzen_3_4300u_firmware | - |
| amd | ryzen_threadripper_pro_5975wx_firmware | - |
| amd | athlon_x4_840_firmware | - |
| amd | ryzen_5_2700x_firmware | - |
Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerability@ncsc.ch | 5.6 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N | 1.1 | 4.0 |
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | 2.0 | 4.0 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,CWE-668,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| intel | core_i5-8420t_firmware | - |
| intel | core_i7-6822eq_firmware | - |
| intel | core_i5-8420_firmware | - |
| intel | core_i3-6110u_firmware | - |
| intel | core_m3-6y30_firmware | - |
| intel | core_i3-6300_firmware | - |
| intel | core_i5-6300hq_firmware | - |
| intel | core_i7-8569u_firmware | - |
| intel | core_i5-6400t_firmware | - |
| intel | core_i3-6320_firmware | - |
| intel | core_i5-8400_firmware | - |
| intel | core_i5-8650k_firmware | - |
| intel | core_i5-6310u_firmware | - |
| intel | core_i3-8109u_firmware | - |
| intel | core_i7-6700hq_firmware | - |
| intel | core_i7-6920hq_firmware | - |
| intel | core_i3-6100_firmware | - |
| intel | core_i7-8700t_firmware | - |
| intel | core_i9-8950hk_firmware | - |
| intel | core_i3-8130u_firmware | - |
| intel | core_i3-6320t_firmware | - |
| intel | core_i5-8400t_firmware | - |
| intel | core_i3-6100u_firmware | - |
| intel | core_i3-6100e_firmware | - |
| intel | core_i7-8809g_firmware | - |
| intel | core_i3-8145u_firmware | - |
| intel | core_i3-6120_firmware | - |
| intel | core_m5-6y57_firmware | - |
| intel | core_i7-8670_firmware | - |
| vmware | esxi | 7.0 |
| intel | core_i7-8670t_firmware | - |
| intel | core_i5-6600t_firmware | - |
| intel | core_i7-8709g_firmware | - |
| intel | core_i5-8350u_firmware | - |
| intel | core_i5-8210y_firmware | - |
| intel | core_i7-8510y_firmware | - |
| intel | core_i7-6820hq_firmware | - |
| intel | core_i5-8365u_firmware | - |
| intel | core_i5-6260u_firmware | - |
| intel | core_i7-6700k_firmware | - |
| intel | core_i3-6300t_firmware | - |
| intel | core_i3-8100t_firmware | - |
| intel | core_i7-8665u_firmware | - |
| intel | core_i7-8750h_firmware | - |
| intel | core_i5-6360u_firmware | - |
| intel | core_i3-6120t_firmware | - |
| intel | core_i5-6500t_firmware | - |
| intel | core_i5-6200u_firmware | - |
| intel | core_i7-8850h_firmware | - |
| intel | core_i5-8600k_firmware | - |
| intel | core_i7-6650u_firmware | - |
| intel | core_i7-8705g_firmware | - |
| intel | core_i3-6167u_firmware | - |
| intel | core_i5-6442eq_firmware | - |
| intel | core_m3-8100y_firmware | - |
| intel | core_i7-6500u_firmware | - |
| intel | core_i7-8700b_firmware | - |
| debian | debian_linux | 11.0 |
| intel | core_i7-6770hq_firmware | - |
| intel | core_i7-8706g_firmware | - |
| intel | core_i5-8250u_firmware | - |
| intel | core_i5-6500te_firmware | - |
| intel | core_i5-8269u_firmware | - |
| intel | core_i3-6100h_firmware | - |
| intel | core_i7-6700t_firmware | - |
| intel | core_i7-8700_firmware | - |
| intel | core_i5-8600t_firmware | - |
| intel | core_i5-8300h_firmware | - |
| intel | core_i5-8550_firmware | - |
| intel | core_i3-6100t_firmware | - |
| intel | core_i5-6400_firmware | - |
| intel | core_i7-6700te_firmware | - |
| intel | core_i5-8265u_firmware | - |
| intel | core_i3-8100h_firmware | - |
| intel | core_i7-6660u_firmware | - |
| intel | core_i5-6600k_firmware | - |
| debian | debian_linux | 10.0 |
| intel | core_i5-6440eq_firmware | - |
| intel | core_i3-6100te_firmware | - |
| intel | core_i5-8200y_firmware | - |
| intel | core_i3-8350k_firmware | - |
| xen | xen | - |
| intel | core_i5-8310y_firmware | - |
| intel | core_i3-8300t_firmware | - |
| intel | core_i7-8550u_firmware | - |
| intel | core_i7-8500y_firmware | - |
| intel | core_i5-6440hq_firmware | - |
| intel | core_i5-8400h_firmware | - |
| intel | core_i3-8000t_firmware | - |
| intel | core_i5-6300u_firmware | - |
| intel | core_i5-8600_firmware | - |
| intel | core_i3-8300_firmware | - |
| intel | core_i3-8000_firmware | - |
| intel | core_i5-8550u_firmware | - |
| intel | core_i7-6567u_firmware | - |
| intel | core_i5-8500b_firmware | - |
| intel | core_i7-6870hq_firmware | - |
| intel | core_i5-8259u_firmware | - |
| intel | core_i7-6510u_firmware | - |
| intel | core_i5-6500_firmware | - |
| intel | core_i5-6350hq_firmware | - |
| intel | core_m7-6y75_firmware | - |
| intel | core_i7-6700_firmware | - |
| intel | core_i7-8565u_firmware | - |
| intel | core_i7-8700k_firmware | - |
| intel | core_i7-8559u_firmware | - |
| intel | core_i5-6287u_firmware | - |
| intel | core_i7-8560u_firmware | - |
| fedoraproject | fedora | 36 |
| intel | core_i5-8400b_firmware | - |
| intel | core_i7-8750hf_firmware | - |
| fedoraproject | fedora | 35 |
| intel | core_i7-6560u_firmware | - |
| intel | core_i7-8650u_firmware | - |
| intel | core_i5-6600_firmware | - |
| intel | core_i5-8500t_firmware | - |
| intel | core_i7-6820eq_firmware | - |
| intel | core_i5-6210u_firmware | - |
| intel | core_i7-6970hq_firmware | - |
| intel | core_i5-8305g_firmware | - |
| intel | core_i3-6102e_firmware | - |
| intel | core_i5-8650_firmware | - |
| intel | core_i5-8500_firmware | - |
| intel | core_i5-6267u_firmware | - |
| intel | core_i7-6820hk_firmware | - |
| intel | core_i3-8020_firmware | - |
| intel | core_m5-6y54_firmware | - |
| intel | core_i3-8120_firmware | - |
| intel | core_i7-6600u_firmware | - |
| intel | core_i7-8557u_firmware | - |
| intel | core_i3-8100_firmware | - |
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H | 1.8 | 5.2 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-212,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | * |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 36 |
| linux | linux_kernel | 5.19 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| linux | linux_kernel | 2.6.12 |
| fedoraproject | fedora | 35 |
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H | 1.8 | 5.2 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | * |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 36 |
| linux | linux_kernel | 5.19 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| linux | linux_kernel | 2.6.12 |
| fedoraproject | fedora | 35 |
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H | 1.8 | 5.2 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | * |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 36 |
| linux | linux_kernel | 5.19 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| linux | linux_kernel | 2.6.12 |
| fedoraproject | fedora | 35 |
network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | * |
| debian | debian_linux | 11.0 |
| xen | xen | - |
insufficient TLB flush for x86 PV guests in shadow mode For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
Arm: unbounded memory consumption for 2nd-level page tables Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
lock order inversion in transitive grant copy handling As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, but in respectively opposite order. With suitable timing between the involved grant copy operations this may result in the locking up of a CPU.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
XAPI open file limit DoS It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limit. This causes XAPI to be unable to accept new requests for other (trusted) clients, and blocks XAPI from carrying out any tasks that require the opening of file descriptors.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xapi | * |
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| secure@intel.com | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | 2.0 | 4.0 |
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | 2.0 | 4.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| intel | xeon_silver_4209t_firmware | - |
| intel | celeron_g4900_firmware | - |
| intel | xeon_e-2126g_firmware | - |
| intel | core_i9-11900t_firmware | - |
| intel | xeon_e-2378_firmware | - |
| intel | xeon_gold_6230r_firmware | - |
| intel | xeon_e3-1245_v6_firmware | - |
| intel | core_i5-11500h_firmware | - |
| intel | core_i5-9400f_firmware | - |
| intel | core_i9-10900x_firmware | - |
| intel | xeon_e-2324g_firmware | - |
| intel | xeon_platinum_8253_firmware | - |
| intel | core_i5-10600_firmware | - |
| intel | core_i7-8569u_firmware | - |
| intel | core_i5-7360u_firmware | - |
| intel | xeon_gold_6240r_firmware | - |
| intel | pentium_gold_g6405t_firmware | - |
| netapp | all_flash_fabric-attached_storage_9500 | - |
| intel | xeon_d-2143it_firmware | - |
| intel | core_i5-1030g7_firmware | - |
| intel | core_i3-10105_firmware | - |
| intel | core_i5-11320h_firmware | - |
| intel | xeon_platinum_8280l_firmware | - |
| intel | core_i7-8700t_firmware | - |
| intel | celeron_g5900_firmware | - |
| intel | core_i3-10325_firmware | - |
| intel | xeon_gold_5215l_firmware | - |
| intel | core_i5-11600k_firmware | - |
| intel | xeon_w-2245_firmware | - |
| intel | xeon_w-2123_firmware | - |
| intel | core_i9-11900kf_firmware | - |
| intel | core_i3-1115gre_firmware | - |
| intel | xeon_gold_5320t_firmware | - |
| intel | core_i7-7820x_firmware | - |
| intel | xeon_gold_6210u_firmware | - |
| intel | xeon_gold_6240l_firmware | - |
| intel | core_i5-10310y_firmware | - |
| intel | core_i7-1060g7_firmware | - |
| intel | xeon_e-2136_firmware | - |
| intel | pentium_gold_g5400t_firmware | - |
| intel | xeon_gold_6250l_firmware | - |
| intel | core_i7-11375h_firmware | - |
| intel | core_i5-8365u_firmware | - |
| intel | xeon_e-2276g_firmware | - |
| intel | core_i9-10920x_firmware | - |
| intel | core_i9-11900h_firmware | - |
| intel | core_i3-10100f_firmware | - |
| intel | core_i7-8750h_firmware | - |
| intel | pentium_gold_g6400_firmware | - |
| netapp | all_flash_fabric-attached_storage_a800 | - |
| intel | xeon_platinum_8280_firmware | - |
| intel | xeon_silver_4214_firmware | - |
| intel | core_i3-1005g1_firmware | - |
| intel | core_i5-9600_firmware | - |
| intel | xeon_platinum_8353h_firmware | - |
| intel | core_i5-10500t_firmware | - |
| intel | xeon_w-1250p_firmware | - |
| intel | xeon_gold_6230n_firmware | - |
| intel | core_i3-1115g4_firmware | - |
| intel | pentium_gold_g5400_firmware | - |
| intel | core_i7-8850h_firmware | - |
| intel | core_i5-8600k_firmware | - |
| intel | core_i3-1120g4_firmware | - |
| intel | core_i7-8705g_firmware | - |
| intel | xeon_e-2224_firmware | - |
| intel | xeon_platinum_8360hl_firmware | - |
| intel | xeon_d-2183it_firmware | - |
| intel | xeon_gold_6230_firmware | - |
| debian | debian_linux | 11.0 |
| intel | core_i5-10600t_firmware | - |
| intel | core_i3-7310t_firmware | - |
| intel | core_i9-10900kf_firmware | - |
| intel | pentium_gold_g6505_firmware | - |
| intel | core_i7-1185g7e_firmware | - |
| intel | core_i9-7920x_firmware | - |
| intel | core_i9-10980xe_firmware | - |
| intel | core_i5-8600t_firmware | - |
| intel | xeon_gold_5220t_firmware | - |
| intel | xeon_d-2187nt_firmware | - |
| intel | core_i3-8100h_firmware | - |
| intel | core_i9-7980xe_firmware | - |
| intel | core_i7-10510y_firmware | - |
| intel | xeon_e-2278gel_firmware | - |
| intel | core_i5-8200y_firmware | - |
| intel | core_i5-8310y_firmware | - |
| intel | core_i3-1000g1_firmware | - |
| intel | core_i5-11500t_firmware | - |
| intel | core_i5-8600_firmware | - |
| intel | xeon_e3-1535m_v6_firmware | - |
| intel | pentium_gold_g6500t_firmware | - |
| intel | xeon_gold_6240y_firmware | - |
| intel | core_i5-8500b_firmware | - |
| intel | core_i5-10600kf_firmware | - |
| intel | core_i5-11600_firmware | - |
| intel | xeon_d-2123it_firmware | - |
| intel | core_i5-9500f_firmware | - |
| intel | xeon_w-2255_firmware | - |
| intel | core_i7-8565u_firmware | - |
| intel | core_i7-7560u_firmware | - |
| intel | pentium_gold_g5600_firmware | - |
| intel | xeon_e-2356g_firmware | - |
| intel | core_i7-8700k_firmware | - |
| intel | core_i9-10940x_firmware | - |
| intel | xeon_e-2226ge_firmware | - |
| intel | xeon_e-2224g_firmware | - |
| intel | xeon_e3-1280_v6_firmware | - |
| intel | core_i5-10300h_firmware | - |
| intel | core_i3-9100_firmware | - |
| intel | core_i7-8650u_firmware | - |
| intel | xeon_bronze_3204_firmware | - |
| intel | xeon_w-2195_firmware | - |
| intel | xeon_w-1250_firmware | - |
| intel | core_i7-11850h_firmware | - |
| intel | xeon_w-11865mre_firmware | - |
| intel | xeon_platinum_8360h_firmware | - |
| intel | xeon_d-1732te_firmware | - |
| intel | celeron_g4900t_firmware | - |
| intel | core_i3-7101e_firmware | - |
| intel | xeon_platinum_8256_firmware | - |
| intel | xeon_gold_6242_firmware | - |
| intel | core_i5-10400t_firmware | - |
| intel | xeon_gold_5217_firmware | - |
| intel | xeon_gold_6242r_firmware | - |
| intel | core_i5-7300u_firmware | - |
| intel | xeon_e-2244g_firmware | - |
| intel | xeon_gold_6209u_firmware | - |
| intel | core_i7-10700k_firmware | - |
| intel | core_i9-10900t_firmware | - |
| intel | xeon_platinum_8270_firmware | - |
| intel | xeon_d-2163it_firmware | - |
| intel | pentium_gold_6405u_firmware | - |
| intel | core_i3-7340_firmware | - |
| intel | core_i5-8260u_firmware | - |
| intel | xeon_w-2265_firmware | - |
| intel | xeon_silver_4316_firmware | - |
| intel | core_i3-8109u_firmware | - |
| intel | core_i9-7960x_firmware | - |
| intel | core_i7-10810u_firmware | - |
| intel | xeon_d-2161i_firmware | - |
| intel | core_i7-9800x_firmware | - |
| intel | xeon_gold_6336y_firmware | - |
| intel | xeon_e-2286g_firmware | - |
| intel | xeon_w-11865mle_firmware | - |
| intel | core_i9-9940x_firmware | - |
| intel | core_i3-7020u_firmware | - |
| intel | xeon_silver_4310_firmware | - |
| intel | core_i7-8809g_firmware | - |
| intel | core_i3-8145u_firmware | - |
| intel | xeon_e-2278ge_firmware | - |
| intel | xeon_d-2752ter_firmware | - |
| intel | core_i7-10850h_firmware | - |
| intel | core_i5-7500t_firmware | - |
| netapp | all_flash_fabric-attached_storage_8300 | - |
| intel | core_i3-10300_firmware | - |
| intel | core_i7-8709g_firmware | - |
| intel | xeon_platinum_9242_firmware | - |
| intel | core_i5-8350u_firmware | - |
| intel | xeon_silver_4208_firmware | - |
| intel | core_i5-1145gre_firmware | - |
| intel | xeon_e3-1501l_v6_firmware | - |
| intel | core_i9-9920x_firmware | - |
| intel | core_i7-1185gre_firmware | - |
| intel | core_i3-8100t_firmware | - |
| intel | xeon_w-1290t_firmware | - |
| intel | xeon_d-1735tr_firmware | - |
| intel | core_i5-1030g4_firmware | - |
| intel | xeon_silver_4210t_firmware | - |
| intel | xeon_platinum_8380h_firmware | - |
| intel | core_i7-9700_firmware | - |
| intel | xeon_w-1390t_firmware | - |
| intel | core_i3-9320_firmware | - |
| intel | core_m3-8100y_firmware | - |
| intel | xeon_silver_4314_firmware | - |
| intel | xeon_e-2374g_firmware | - |
| intel | xeon_gold_6234_firmware | - |
| intel | core_i7-8700b_firmware | - |
| intel | core_i3-10305_firmware | - |
| intel | core_i7-11800h_firmware | - |
| intel | core_i7-10870h_firmware | - |
| intel | core_i5-11500_firmware | - |
| intel | core_i5-7600_firmware | - |
| intel | core_i5-8269u_firmware | - |
| intel | core_i7-11700t_firmware | - |
| intel | xeon_gold_5318y_firmware | - |
| intel | xeon_gold_6262v_firmware | - |
| intel | xeon_silver_4214y_firmware | - |
| intel | core_i9-9900x_firmware | - |
| intel | xeon_e-2236_firmware | - |
| intel | core_i7-9700kf_firmware | - |
| intel | celeron_g4920_firmware | - |
| intel | xeon_gold_6326_firmware | - |
| intel | core_i5-8265u_firmware | - |
| intel | xeon_platinum_8276l_firmware | - |
| intel | xeon_e3-1501m_v6_firmware | - |
| intel | xeon_gold_6252_firmware | - |
| intel | xeon_gold_6208u_firmware | - |
| intel | core_i3-8350k_firmware | - |
| intel | core_i5-10200h_firmware | - |
| intel | core_i7-11700_firmware | - |
| intel | core_i3-10105f_firmware | - |
| intel | core_i3-7320_firmware | - |
| intel | xeon_w-2235_firmware | - |
| intel | xeon_w-1350p_firmware | - |
| intel | core_i3-8300_firmware | - |
| intel | core_i7-7800x_firmware | - |
| intel | core_i3-7120_firmware | - |
| intel | xeon_e-2274g_firmware | - |
| intel | xeon_platinum_8376hl_firmware | - |
| intel | core_i3-10110y_firmware | - |
| intel | core_i9-10900k_firmware | - |
| intel | core_i5-7260u_firmware | - |
| intel | xeon_d-2173it_firmware | - |
| intel | core_i3-7167u_firmware | - |
| intel | core_i3-9350kf_firmware | - |
| intel | xeon_gold_6348h_firmware | - |
| intel | core_i9-11900_firmware | - |
| intel | core_i5-9400t_firmware | - |
| intel | core_i7-10610u_firmware | - |
| intel | xeon_gold_6238t_firmware | - |
| intel | core_i3-7100u_firmware | - |
| intel | core_i5-7500_firmware | - |
| intel | xeon_gold_6246_firmware | - |
| intel | core_i9-10900f_firmware | - |
| intel | core_i3-11100he_firmware | - |
| intel | core_i3-10305t_firmware | - |
| intel | core_i9-10900_firmware | - |
| intel | core_i7-10700f_firmware | - |
| intel | xeon_gold_6246r_firmware | - |
| intel | core_i5-8400b_firmware | - |
| intel | celeron_g5905t_firmware | - |
| intel | core_i7-7700t_firmware | - |
| redhat | enterprise_linux | 7.0 |
| intel | xeon_gold_6256_firmware | - |
| intel | core_i5-8500t_firmware | - |
| intel | core_i5-1035g7_firmware | - |
| intel | xeon_platinum_8356h_firmware | - |
| intel | core_i3-7300t_firmware | - |
| intel | core_i9-10980hk_firmware | - |
| intel | core_i3-9350k_firmware | - |
| intel | xeon_silver_4214r_firmware | - |
| intel | xeon_w-3275_firmware | - |
| intel | xeon_w-11555mle_firmware | - |
| intel | core_i5-10210y_firmware | - |
| intel | xeon_gold_5218_firmware | - |
| intel | xeon_e-2144g_firmware | - |
| intel | core_i5-10600k_firmware | - |
| intel | xeon_w-2225_firmware | - |
| intel | xeon_e-2334_firmware | - |
| intel | core_i9-9900k_firmware | - |
| intel | xeon_gold_5215_firmware | - |
| intel | core_i5-7267u_firmware | - |
| intel | core_i7-1195g7_firmware | - |
| intel | xeon_gold_6252n_firmware | - |
| intel | core_i7-11390h_firmware | - |
| intel | xeon_e-2336_firmware | - |
| intel | xeon_w-10855m_firmware | - |
| intel | xeon_d-2177nt_firmware | - |
| intel | core_i3-1110g4_firmware | - |
| intel | xeon_e3-1270_v6_firmware | - |
| intel | core_i5-10500h_firmware | - |
| intel | core_i7-10510u_firmware | - |
| intel | core_i5-11400f_firmware | - |
| intel | core_i5-11400h_firmware | - |
| intel | core_i5-1140g7_firmware | - |
| intel | core_i7-10700t_firmware | - |
| intel | xeon_w-3223_firmware | - |
| intel | core_i9-9900t_firmware | - |
| intel | core_i5-7640x_firmware | - |
| intel | core_i7-8086k_firmware | - |
| intel | xeon_d-2146nt_firmware | - |
| intel | xeon_e3-1240_v6_firmware | - |
| intel | xeon_w-2223_firmware | - |
| intel | xeon_gold_5218b_firmware | - |
| intel | pentium_gold_g6605_firmware | - |
| intel | core_i5-8400_firmware | - |
| intel | core_i7-7820eq_firmware | - |
| intel | xeon_e-2124_firmware | - |
| intel | xeon_w-1390_firmware | - |
| intel | core_i9-9980xe_firmware | - |
| netapp | all_flash_fabric-attached_storage_8700 | - |
| intel | xeon_gold_6328h_firmware | - |
| intel | core_i3-8130u_firmware | - |
| intel | xeon_e3-1220_v6_firmware | - |
| intel | xeon_platinum_8376h_firmware | - |
| intel | core_i7-10700kf_firmware | - |
| intel | core_i7-7740x_firmware | - |
| intel | pentium_gold_g6600_firmware | - |
| intel | xeon_gold_6254_firmware | - |
| intel | xeon_gold_6238l_firmware | - |
| intel | core_i5-8257u_firmware | - |
| intel | xeon_w-1370p_firmware | - |
| intel | core_i3-7102e_firmware | - |
| intel | core_i7-11600h_firmware | - |
| intel | core_i5-7400t_firmware | - |
| intel | core_i3-10105t_firmware | - |
| intel | xeon_e3-1285_v6_firmware | - |
| netapp | all_flash_fabric-attached_storage_a400 | - |
| intel | core_i5-8210y_firmware | - |
| intel | xeon_platinum_8354h_firmware | - |
| intel | xeon_e3-1230_v6_firmware | - |
| intel | xeon_gold_5220s_firmware | - |
| intel | core_i5-10500_firmware | - |
| intel | xeon_w-2133_firmware | - |
| intel | core_i5-10400h_firmware | - |
| intel | xeon_w-2295_firmware | - |
| intel | core_i5-9500t_firmware | - |
| intel | xeon_gold_6330h_firmware | - |
| netapp | all_flash_fabric-attached_storage_c250 | * |
| intel | core_i5-11400t_firmware | - |
| intel | xeon_w-1390p_firmware | - |
| intel | xeon_gold_6238r_firmware | - |
| intel | microcode | * |
| intel | xeon_e-2288g_firmware | - |
| intel | xeon_e-2234_firmware | - |
| intel | core_i3-8100b_firmware | - |
| intel | celeron_g5925_firmware | - |
| intel | core_i5-11500he_firmware | - |
| redhat | enterprise_linux | 8.0 |
| intel | core_i7-1180g7_firmware | - |
| intel | pentium_gold_g5500_firmware | - |
| intel | xeon_platinum_8260y_firmware | - |
| intel | xeon_w-3245m_firmware | - |
| intel | xeon_w-3275m_firmware | - |
| intel | xeon_e-2246g_firmware | - |
| intel | core_i5-8250u_firmware | - |
| intel | xeon_w-11155mre_firmware | - |
| intel | pentium_gold_g6400t_firmware | - |
| intel | xeon_gold_6230t_firmware | - |
| intel | xeon_e-2174g_firmware | - |
| intel | core_i9-10850k_firmware | - |
| intel | core_i5-7600t_firmware | - |
| netapp | all_flash_fabric-attached_storage_c400 | - |
| debian | debian_linux | 10.0 |
| intel | xeon_gold_5315y_firmware | - |
| intel | xeon_w-3245_firmware | - |
| intel | xeon_d-2733nt_firmware | - |
| intel | core_i7-7700k_firmware | - |
| xen | xen | - |
| intel | core_i3-8300t_firmware | - |
| intel | core_i5-9500_firmware | - |
| intel | core_i3-10320_firmware | - |
| intel | core_i5-10505_firmware | - |
| intel | core_i7-1068g7_firmware | - |
| intel | xeon_silver_4215_firmware | - |
| intel | core_i9-9900ks_firmware | - |
| intel | core_i3-10100t_firmware | - |
| intel | xeon_gold_5220r_firmware | - |
| intel | core_i5-7442eq_firmware | - |
| intel | xeon_w-3265m_firmware | - |
| intel | core_i7-9700f_firmware | - |
| intel | xeon_d-2145nt_firmware | - |
| intel | xeon_silver_4310t_firmware | - |
| intel | xeon_d-1715ter_firmware | - |
| intel | core_i5-10400_firmware | - |
| intel | xeon_gold_6226r_firmware | - |
| intel | core_i5-11400_firmware | - |
| intel | core_i9-7900x_firmware | - |
| intel | xeon_gold_6330_firmware | - |
| intel | core_i7-8559u_firmware | - |
| intel | xeon_e-2104g_firmware | - |
| intel | xeon_gold_6240_firmware | - |
| intel | core_i3-9300_firmware | - |
| intel | core_i7-10710u_firmware | - |
| intel | core_i7-10875h_firmware | - |
| intel | core_i5-1145g7_firmware | - |
| netapp | all_flash_fabric-attached_storage_2820 | - |
| intel | core_i9-9820x_firmware | - |
| intel | xeon_gold_5317_firmware | - |
| intel | core_i5-1035g4_firmware | - |
| intel | core_i5-10310u_firmware | - |
| intel | xeon_gold_6248r_firmware | - |
| intel | xeon_e3-1505m_v6_firmware | - |
| intel | xeon_d-2166nt_firmware | - |
| intel | core_i5-9600k_firmware | - |
| intel | core_i7-7567u_firmware | - |
| intel | core_i7-9700k_firmware | - |
| intel | xeon_e-2134_firmware | - |
| redhat | enterprise_linux | 6.0 |
| intel | celeron_5305u_firmware | - |
| intel | core_i5-7440eq_firmware | - |
| intel | core_i7-10700_firmware | - |
| intel | pentium_6405u_firmware | - |
| intel | core_i3-1000g4_firmware | - |
| intel | celeron_5205u_firmware | - |
| intel | xeon_gold_6244_firmware | - |
| intel | core_i9-9960x_firmware | - |
| intel | xeon_w-2125_firmware | - |
| intel | xeon_d-1712tr_firmware | - |
| intel | core_i3-9100f_firmware | - |
| intel | xeon_d-2712t_firmware | - |
| intel | xeon_d-2142it_firmware | - |
| intel | core_i3-1125g4_firmware | - |
| intel | xeon_gold_6248_firmware | - |
| intel | xeon_w-2175_firmware | - |
| intel | core_i7-8557u_firmware | - |
| intel | core_i7-11700kf_firmware | - |
| intel | pentium_gold_g6405_firmware | - |
| intel | core_i5-11300h_firmware | - |
| intel | core_i5-1035g1_firmware | - |
| intel | core_i9-11900f_firmware | - |
| intel | core_i5-1135g7_firmware | - |
| intel | xeon_w-1270p_firmware | - |
| intel | xeon_w-1370_firmware | - |
| intel | core_i9-9900_firmware | - |
| intel | core_i5-10400f_firmware | - |
| intel | core_i7-1165g7_firmware | - |
| intel | xeon_gold_6250_firmware | - |
| intel | core_i7-1185g7_firmware | - |
| intel | core_i5-1155g7_firmware | - |
| intel | core_i3-10100y_firmware | - |
| netapp | all_flash_fabric-attached_storage_c800 | - |
| intel | xeon_d-2141i_firmware | - |
| intel | core_i9-11950h_firmware | - |
| intel | xeon_gold_6258r_firmware | - |
| intel | xeon_gold_5222_firmware | - |
| intel | core_i9-8950hk_firmware | - |
| intel | core_i5-8400t_firmware | - |
| intel | xeon_w-2145_firmware | - |
| intel | xeon_gold_6328hl_firmware | - |
| intel | xeon_e-2176g_firmware | - |
| intel | core_i5-8279u_firmware | - |
| intel | core_i3-7100_firmware | - |
| intel | core_i5-11600kf_firmware | - |
| intel | xeon_silver_4216_firmware | - |
| intel | xeon_w-2155_firmware | - |
| intel | core_i7-11700k_firmware | - |
| intel | xeon_d-1746ter_firmware | - |
| intel | xeon_e3-1225_v6_firmware | - |
| intel | xeon_platinum_8268_firmware | - |
| intel | core_i3-7101te_firmware | - |
| intel | xeon_w-1270_firmware | - |
| intel | core_i7-1065g7_firmware | - |
| intel | core_i5-9600t_firmware | - |
| intel | core_i5-10210u_firmware | - |
| intel | xeon_e-2386g_firmware | - |
| intel | xeon_w-3225_firmware | - |
| intel | xeon_w-11555mre_firmware | - |
| intel | core_i7-11850he_firmware | - |
| netapp | all_flash_fabric-attached_storage_a250 | * |
| intel | core_i7-8665u_firmware | - |
| intel | xeon_gold_5218n_firmware | - |
| intel | xeon_gold_5220_firmware | - |
| intel | xeon_gold_6212u_firmware | - |
| intel | xeon_gold_6222v_firmware | - |
| intel | xeon_w-3265_firmware | - |
| intel | core_i3-9100t_firmware | - |
| intel | core_i5-9400_firmware | - |
| intel | core_i7-10750h_firmware | - |
| intel | core_i9-9900kf_firmware | - |
| intel | xeon_gold_5218t_firmware | - |
| intel | xeon_d-2775te_firmware | - |
| intel | core_i3-7100t_firmware | - |
| netapp | all_flash_fabric-attached_storage_a900 | - |
| netapp | all_flash_fabric-attached_storage_500f | * |
| intel | core_i7-11700f_firmware | - |
| redhat | enterprise_linux | 9.0 |
| intel | xeon_silver_4210_firmware | - |
| intel | core_i3-10100_firmware | - |
| intel | xeon_platinum_9282_firmware | - |
| intel | core_i7-9700t_firmware | - |
| intel | xeon_gold_6226_firmware | - |
| intel | core_i5-7287u_firmware | - |
| intel | core_i7-8706g_firmware | - |
| intel | xeon_w-2275_firmware | - |
| intel | xeon_gold_6338t_firmware | - |
| intel | xeon_w-1290_firmware | - |
| intel | xeon_e-2388g_firmware | - |
| intel | core_i7-8700_firmware | - |
| intel | celeron_g5920_firmware | - |
| intel | core_i5-8300h_firmware | - |
| intel | core_i5-7400_firmware | - |
| intel | xeon_platinum_8276_firmware | - |
| intel | celeron_g5905_firmware | - |
| intel | xeon_platinum_8380hl_firmware | - |
| intel | xeon_w-3235_firmware | - |
| intel | core_i3-8100f_firmware | - |
| intel | xeon_platinum_8260_firmware | - |
| intel | xeon_w-10885m_firmware | - |
| intel | core_i7-8550u_firmware | - |
| intel | core_i7-8500y_firmware | - |
| intel | core_i5-8400h_firmware | - |
| intel | core_i5-1145g7e_firmware | - |
| intel | xeon_w-1350_firmware | - |
| intel | xeon_w-11155mle_firmware | - |
| intel | xeon_e-2278g_firmware | - |
| intel | xeon_platinum_8260l_firmware | - |
| intel | core_i3-7350k_firmware | - |
| intel | xeon_silver_4210r_firmware | - |
| intel | xeon_e-2146g_firmware | - |
| intel | core_i9-9990xe_firmware | - |
| intel | xeon_platinum_9221_firmware | - |
| intel | xeon_w-1290p_firmware | - |
| intel | xeon_gold_5218r_firmware | - |
| intel | core_i5-11600t_firmware | - |
| intel | xeon_e-2378g_firmware | - |
| intel | celeron_g5900t_firmware | - |
| intel | core_i5-8259u_firmware | - |
| intel | xeon_e3-1275_v6_firmware | - |
| intel | xeon_e-2186g_firmware | - |
| intel | pentium_gold_g6500_firmware | - |
| intel | core_i7-7700_firmware | - |
| intel | core_i3-10110u_firmware | - |
| intel | xeon_d-2796te_firmware | - |
| intel | core_i3-7100e_firmware | - |
| intel | xeon_gold_5318h_firmware | - |
| intel | xeon_gold_5320h_firmware | - |
| intel | xeon_gold_6238_firmware | - |
| debian | debian_linux | 12.0 |
| intel | core_i5-7600k_firmware | - |
| intel | xeon_e-2314_firmware | - |
| intel | core_i5-9600kf_firmware | - |
| intel | core_i3-1115g4e_firmware | - |
| intel | xeon_e-2124g_firmware | - |
| intel | core_i3-7300_firmware | - |
| intel | core_i9-11900k_firmware | - |
| intel | pentium_gold_g5500t_firmware | - |
| intel | core_i3-7320t_firmware | - |
| intel | core_i7-11370h_firmware | - |
| intel | core_i3-7120t_firmware | - |
| intel | xeon_w-2135_firmware | - |
| intel | core_i5-8305g_firmware | - |
| intel | core_i7-7660u_firmware | - |
| intel | xeon_e3-1505l_v6_firmware | - |
| intel | xeon_silver_4215r_firmware | - |
| intel | core_i3-10300t_firmware | - |
| intel | core_i5-11260h_firmware | - |
| intel | xeon_e-2226g_firmware | - |
| intel | core_i5-8500_firmware | - |
| intel | pentium_gold_g6505t_firmware | - |
| intel | core_i7-7600u_firmware | - |
| intel | core_i9-7940x_firmware | - |
| intel | xeon_platinum_9222_firmware | - |
| intel | core_i3-8100_firmware | - |
| intel | core_i3-9300t_firmware | - |
| intel | core_i7-1160g7_firmware | - |
| intel | core_i9-11980hk_firmware | - |
| intel | core_i5-1130g7_firmware | - |
| intel | core_i9-10885h_firmware | - |
| intel | xeon_bronze_3206r_firmware | - |
Xenstore: Guests can crash xenstored Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the guest e.g. by exceeding the quota value of maximum nodes per domain.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
Xenstore: Guests can create orphaned Xenstore nodes By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore data base, as the cleanup after the error will not remove all nodes already created. When the transaction is committed after this situation, nodes without a valid parent can be made permanent in the data base.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
Xenstore: Guests can cause Xenstore to not free temporary memory When working on a request of a guest, xenstored might need to allocate quite large amounts of memory temporarily. This memory is freed only after the request has been finished completely. A request is regarded to be finished only after the guest has read the response message of the request from the ring page. Thus a guest not reading the response can cause xenstored to not free the temporary memory. This can result in memory shortages causing Denial of Service (DoS) of xenstored.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
Xenstore: Guests can get access to Xenstore nodes of deleted domains Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is normally no problem, as those access right entries will be corrected when such a node is written later. There is a small time window when a new domain is created, where the access rights of a past domain with the same domid as the new one will be regarded to be still valid, leading to the new domain being able to get access to a node which was meant to be accessible by the removed domain. For this to happen another domain needs to write the node before the newly created domain is being introduced to Xenstore by dom0.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
Xenstore: Guests can crash xenstored via exhausting the stack Xenstored is using recursion for some Xenstore operations (e.g. for deleting a sub-tree of Xenstore nodes). With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| debian | debian_linux | 11.0 |
| xen | xen | - |
| fedoraproject | fedora | 35 |
Oxenstored 32->31 bit integer truncation issues Integers in Ocaml are 63 or 31 bits of signed precision. The Ocaml Xenbus library takes a C uint32_t out of the ring and casts it directly to an Ocaml integer. In 64-bit Ocaml builds this is fine, but in 32-bit builds, it truncates off the most significant bit, and then creates unsigned/signed confusion in the remainder. This in turn can feed a negative value into logic not expecting a negative value, resulting in unexpected exceptions being thrown. The unexpected exception is not handled suitably, creating a busy-loop trying (and failing) to take the bad packet out of the xenstore ring.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
x86: unintended memory sharing between guests On Intel systems that support the "virtualize APIC accesses" feature, a guest can read and write the global shared xAPIC page by moving the local APIC out of xAPIC mode. Access to this shared page bypasses the expected isolation that should exist between two guests.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| fedoraproject | fedora | 36 |
| xen | xen | 4.16 |
Guests can cause Xenstore crash via soft reset When a guest issues a "Soft Reset" (e.g. for performing a kexec) the libxl based Xen toolstack will normally perform a XS_RELEASE Xenstore operation. Due to a bug in xenstored this can result in a crash of xenstored. Any other use of XS_RELEASE will have the same impact.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.17.0 |
x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| xen | xen | * |
| fedoraproject | fedora | 38 |
x86 shadow plus log-dirty mode use-after-free In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tables as well as auxiliary data structures. To migrate or snapshot guests, Xen additionally runs them in so called log-dirty mode. The data structures needed by the log-dirty tracking are part of aformentioned auxiliary data. In order to keep error handling efforts within reasonable bounds, for operations which may require memory allocations shadow mode logic ensures up front that enough memory is available for the worst case requirements. Unfortunately, while page table memory is properly accounted for on the code path requiring the potential establishing of new shadows, demands by the log-dirty infrastructure were not taken into consideration. As a result, just established shadow page tables could be freed again immediately, while other code is still accessing them on the assumption that they would remain allocated.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 38 |
x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H | 3.9 | 4.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 38 |
x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H | 2.0 | 4.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 37 |
| xen | xen | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 38 |
x86 shadow paging arbitrary pointer dereference In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Due to too lax a check in one of the hypervisor routines used for shadow page handling it is possible for a guest with a PCI device passed through to cause the hypervisor to access an arbitrary pointer partially under guest control.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.17.0 |
| fedoraproject | fedora | 38 |
Mishandling of guest SSBD selection on AMD hardware The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of how many threads require SSBD active in order to coordinate it, such logic relies on using a per-core counter of threads that have SSBD active. When running on the mentioned hardware, it's possible for a guest to under or overflow the thread counter, because each write to VIRT_SPEC_CTRL.SSBD by the guest gets propagated to the helper that does the per-core active accounting. Underflowing the counter causes the value to get saturated, and thus attempts for guests running on the same core to set SSBD won't have effect because the hypervisor assumes it's already active.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | 4.17 |
The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload' function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers with Contributor+ level privileges to upload arbitrary files on the affected sites server which makes remote code execution possible.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@wordfence.com | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| adsanityplugin | adsanity | * |
| xen | xen | - |
A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 39 |
| amd | epyc_7551p_firmware | - |
| amd | athlon_pro_300ge_firmware | - |
| debian | debian_linux | 10.0 |
| amd | athlon_gold_3150g_firmware | - |
| xen | xen | - |
| amd | epyc_7401_firmware | - |
| microsoft | windows_server_2008 | r2 |
| amd | athlon_silver_pro_3125ge_firmware | - |
| amd | ryzen_5_pro_3350g_firmware | - |
| amd | epyc_7501_firmware | - |
| microsoft | windows_11_23h2 | * |
| microsoft | windows_server_2008 | - |
| amd | ryzen_5_pro_3400ge_firmware | - |
| amd | epyc_7551_firmware | - |
| amd | ryzen_5_pro_3400g_firmware | - |
| amd | epyc_7451_firmware | - |
| microsoft | windows_10_22h2 | * |
| amd | athlon_silver_3050ge_firmware | - |
| amd | ryzen_5_3400g_firmware | - |
| microsoft | windows_10_1809 | * |
| microsoft | windows_server_2016 | * |
| microsoft | windows_server_2019 | * |
| amd | epyc_7571_firmware | - |
| amd | epyc_7281_firmware | - |
| amd | ryzen_5_pro_3350ge_firmware | - |
| amd | ryzen_3_pro_3200ge_firmware | - |
| amd | epyc_7351p_firmware | - |
| microsoft | windows_11_22h2 | * |
| amd | epyc_7301_firmware | - |
| microsoft | windows_10_1607 | * |
| amd | epyc_7601_firmware | - |
| amd | epyc_7351_firmware | - |
| amd | epyc_7261_firmware | - |
| microsoft | windows_server_2022_23h2 | * |
| amd | ryzen_3_3200ge_firmware | - |
| amd | athlon_gold_pro_3150g_firmware | - |
| fedoraproject | fedora | 37 |
| debian | debian_linux | 12.0 |
| microsoft | windows_10_1507 | * |
| amd | ryzen_3_pro_3200g_firmware | - |
| amd | athlon_gold_pro_3150ge_firmware | - |
| microsoft | windows_server_2012 | - |
| microsoft | windows_10_21h2 | * |
| fedoraproject | fedora | 38 |
| amd | athlon_gold_3150ge_firmware | - |
| amd | epyc_7251_firmware | - |
| amd | epyc_7371_firmware | - |
| microsoft | windows_11_21h2 | * |
| amd | epyc_7401p_firmware | - |
| debian | debian_linux | 11.0 |
| amd | ryzen_3_3200g_firmware | - |
| microsoft | windows_server_2012 | r2 |
An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| amd | ryzen_3_pro_4450u_firmware | - |
| amd | ryzen_5_3600xt_firmware | - |
| amd | ryzen_5_5500u_firmware | - |
| amd | epyc_7252_firmware | - |
| amd | ryzen_5_3500_firmware | - |
| amd | ryzen_7_5700u_firmware | - |
| amd | epyc_7282_firmware | - |
| amd | ryzen_3_7320u_firmware | - |
| debian | debian_linux | 10.0 |
| amd | epyc_7402p_firmware | - |
| amd | epyc_7f32_firmware | - |
| amd | epyc_7702_firmware | - |
| amd | ryzen_7_3800xt_firmware | - |
| amd | epyc_7642_firmware | - |
| amd | ryzen_5_pro_4650g_firmware | - |
| amd | ryzen_3_pro_4200g_firmware | - |
| amd | ryzen_threadripper_pro_3955wx_firmware | - |
| amd | ryzen_5_3600x_firmware | - |
| amd | epyc_7f72_firmware | - |
| amd | ryzen_3_4300g_firmware | - |
| amd | epyc_7402_firmware | - |
| amd | ryzen_threadripper_pro_3995wx_firmware | - |
| amd | ryzen_5_4600g_firmware | - |
| amd | ryzen_9_3900xt_firmware | - |
| amd | ryzen_7_pro_4750u_firmware | - |
| amd | ryzen_threadripper_3960x_firmware | - |
| amd | ryzen_9_pro_3900_firmware | - |
| amd | ryzen_3_3300x_firmware | - |
| amd | epyc_7232p_firmware | - |
| amd | epyc_7272_firmware | - |
| amd | epyc_7h12_firmware | - |
| xen | xen | 4.15.0 |
| amd | ryzen_5_3500x_firmware | - |
| xen | xen | 4.14.0 |
| amd | epyc_7302p_firmware | - |
| amd | ryzen_3_pro_4350ge_firmware | - |
| amd | ryzen_7_3700x_firmware | - |
| amd | athlon_gold_7220u_firmware | - |
| amd | ryzen_5_4600ge_firmware | - |
| amd | epyc_7702p_firmware | - |
| debian | debian_linux | 12.0 |
| amd | epyc_7542_firmware | - |
| amd | epyc_7662_firmware | - |
| amd | epyc_7302_firmware | - |
| amd | ryzen_threadripper_pro_3945wx_firmware | - |
| amd | epyc_7502p_firmware | - |
| xen | xen | 4.16.0 |
| amd | ryzen_7_4700ge_firmware | - |
| amd | epyc_7742_firmware | - |
| amd | ryzen_3_pro_4350g_firmware | - |
| amd | ryzen_3_4300ge_firmware | - |
| amd | ryzen_threadripper_pro_3975wx_firmware | - |
| amd | ryzen_7_pro_4750g_firmware | - |
| amd | ryzen_5_7520u_firmware | - |
| amd | ryzen_3_3100_firmware | - |
| amd | epyc_7552_firmware | - |
| amd | ryzen_9_3900_firmware | - |
| amd | ryzen_5_3600_firmware | - |
| amd | ryzen_threadripper_3990x_firmware | - |
| amd | epyc_7352_firmware | - |
| amd | ryzen_3_5300u_firmware | - |
| amd | ryzen_5_pro_4650ge_firmware | - |
| amd | ryzen_7_3800x_firmware | - |
| amd | epyc_7262_firmware | - |
| amd | epyc_7532_firmware | - |
| amd | epyc_7f52_firmware | - |
| amd | ryzen_9_3900x_firmware | - |
| xen | xen | 4.17.0 |
| amd | epyc_7502_firmware | - |
| amd | ryzen_5_pro_4400g_firmware | - |
| debian | debian_linux | 11.0 |
| amd | ryzen_threadripper_3970x_firmware | - |
| amd | ryzen_7_4700g_firmware | - |
| amd | ryzen_9_3950x_firmware | - |
| amd | ryzen_7_pro_4750ge_firmware | - |
| amd | epyc_7452_firmware | - |
The fix for XSA-423 added logic to Linux'es netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible) headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | * |
| debian | debian_linux | 10.0 |
| xen | xen | * |
Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Register (PAR_EL1) in close proximity.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| arm | cortex-a77_firmware | r0p0 |
| arm | cortex-a77_firmware | r1p0 |
| xen | xen | * |
Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 1.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. Since Xen itself needs to be mapped when PV guests run, Xen and shadowed PV guests run directly the respective shadow page tables. For 64-bit PV guests this means running on the shadow of the guest root page table. In the course of dealing with shortage of memory in the shadow pool associated with a domain, shadows of page tables may be torn down. This tearing down may include the shadow root page table that the CPU in question is presently running on. While a precaution exists to supposedly prevent the tearing down of the underlying live page table, the time window covered by that precaution isn't large enough.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that the quota cannot be negative and are using assert() to confirm it. This will lead to C Xenstored crash when tools are built without -DNDEBUG (this is the default).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not neglectable. Note that 32-bit Arm-guests are not affected, as the 32-bit Linux kernel on Arm doesn't use queued-RW-locks, which are required to trigger the issue (on Arm32 a waiting writer doesn't block further readers to get the lock).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 1.2 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | * |
| xen | xen | - |
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the same user as the toolstack (root in a priviledged domain). At least one issue has been reported to the Xen Security Team that allows an attacker to trigger a stack buffer overflow in libfsimage. After further analisys the Xen Security Team is no longer confident in the suitability of libfsimage when run against guest controlled input with super user priviledges. In order to not affect current deployments that rely on pygrub patches are provided in the resolution section of the advisory that allow running pygrub in deprivileged mode. CVE-2023-4949 refers to the original issue in the upstream grub project ("An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub’s XFS file system implementation.") CVE-2023-34325 refers specifically to the vulnerabilities in Xen's copy of libfsimage, which is decended from a very old version of grub.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unindented memory regions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths; one unconditionally, and one conditionally on whether XPTI was active. As BTC/SRSO and Meltdown affect different CPU vendors, the mitigations are not active together by default. Therefore, there is a race condition whereby a malicious PV guest can bypass BTC/SRSO protections and launch a BTC/SRSO attack against Xen.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.7 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.0 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory. This undefined behavior was meant to be addressed by XSA-437, but the approach was not sufficient.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 1.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions need an IOMMU context setup, but failure to setup the context is not fatal when the device is assigned. Not failing device assignment when such failure happens can lead to the primary device being assigned to a guest, while some of the phantom functions are assigned to a different domain.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 39 |
| xen | xen | * |
Incorrect placement of a preprocessor directive in source code results in logic that doesn't operate as intended when support for HVM guests is compiled out of Xen.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 39 |
| xen | xen | * |
Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exceptions, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 40 |
| xen | xen | * |
Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values. Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 40 |
| xen | xen | * |
| fedoraproject | fedora | 38 |
An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub’s XFS file system implementation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve-coordination@google.com | 8.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H | 1.5 | 6.0 |
| nvd@nist.gov | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| gnu | grub | * |
| xen | xen | - |
Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 40 |
| xen | xen | * |
| fedoraproject | fedora | 38 |
An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
For a brief summary of Xapi terminology, see: https://xapi-project.github.io/xen-api/overview.html#object-model-overview Xapi contains functionality to backup and restore metadata about Virtual Machines and Storage Repositories (SRs). The metadata itself is stored in a Virtual Disk Image (VDI) inside an SR. This is used for two purposes; a general backup of metadata (e.g. to recover from a host failure if the filer is still good), and Portable SRs (e.g. using an external hard drive to move VMs to another host). Metadata is only restored as an explicit administrator action, but occurs in cases where the host has no information about the SR, and must locate the metadata VDI in order to retrieve the metadata. The metadata VDI is located by searching (in UUID alphanumeric order) each VDI, mounting it, and seeing if there is a suitable metadata file present. The first matching VDI is deemed to be the metadata VDI, and is restored from. In the general case, the content of VDIs are controlled by the VM owner, and should not be trusted by the host administrator. A malicious guest can manipulate its disk to appear to be a metadata backup. A guest cannot choose the UUIDs of its VDIs, but a guest with one disk has a 50% chance of sorting ahead of the legitimate metadata backup. A guest with two disks has a 75% chance, etc.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 3.8 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 2.0 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xapi | * |
Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | 0.8 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | 0.8 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | - |
In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the (virtual) VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a problem when emulating an instruction with two memory accesses, both of which touch VGA memory (plus some further constraints which aren't relevant here). When emulating the 2nd access, the lock that is already being held would be attempted to be re-acquired, resulting in a deadlock. This deadlock was already found when the code was first introduced, but was analysed incorrectly and the fix was incomplete. Analysis in light of the new finding cannot find a way to make the existing locking discipline work. In staging, this logic has all been removed because it was discovered to be accidentally disabled since Xen 4.7. Therefore, we are fixing the locking problem by backporting the removal of most of the feature. Note that even with the feature disabled, the lock would still be acquired for any accesses to the VGA MMIO region.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | 2.0 | 4.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is left with its prior contents.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be handled gracefully. Certain replayed instructions have additional logic to set up and recover the changes to the arithmetic flags. For replayed instructions where the flags recovery logic is used, the metadata for exception handling was incorrect, preventing Xen from handling the the exception gracefully, treating it as fatal instead.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. This is CVE-2025-58145.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. This is CVE-2025-58145.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. * CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. * CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the permission leak allows the domain itself to map the memory in the page-tables. For HVM it would require a compromised device model or stubdomain to map the leaked memory into the HVM domain p2m.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |
Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | - |
In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2.9 | LOW | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 1.4 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xen | xen | * |