489 vulnerabilities by Xen
CVE-2025-58149 (GCVE-0-2025-58149)
Vulnerability from cvelistv5 – Published: 2025-10-31 11:50 – Updated: 2025-11-04 21:13
Summary
When passing through PCI devices, the detach logic in libxl won't remove
access permissions to any 64bit memory BARs the device might have. As a
result a domain can still access any 64bit memory BAR when such
device is no longer assigned to the domain.
For PV domains the permission leak allows the domain itself to map the memory
in the page-tables. For HVM it would require a compromised device model or
stubdomain to map the leaked memory into the HVM domain p2m.
Severity
7.5 (High)
CWE
- CWE-672 - Operation on a Resource after Expiration or Release
Credits
This issue was discovered by Jiqian Chen of AMD and diagnosed as a
security issue by Roger Pau Monné of XenServer.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T14:24:29.854834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-672",
"description": "CWE-672 Operation on a Resource after Expiration or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T14:24:43.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:31.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-476.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/24/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-476"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.0 and newer are vulnerable.\n\nOnly PV guests with PCI passthrough devices can leverage the vulnerability.\n\nOnly domains whose PCI devices are managed by the libxl library are affected.\nThis includes the xl toolstack and xapi, which uses the xl toolstack when\ndealing with PCI devices.\n\nHVM guests are also affected, but accessing the leaked memory requires an\nadditional compromised component on the system."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jiqian Chen of AMD and diagnosed as a\nsecurity issue by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2025-10-24T12:13:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When passing through PCI devices, the detach logic in libxl won\u0027t remove\naccess permissions to any 64bit memory BARs the device might have. As a\nresult a domain can still access any 64bit memory BAR when such\ndevice is no longer assigned to the domain.\n\nFor PV domains the permission leak allows the domain itself to map the memory\nin the page-tables. For HVM it would require a compromised device model or\nstubdomain to map the leaked memory into the HVM domain p2m."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A buggy or malicious PV guest can access memory of PCI devices no longer\nassigned to it."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T11:50:39.536Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-476.html"
}
],
"title": "Incorrect removal of permissions on PCI device unplug",
"workarounds": [
{
"lang": "en",
"value": "Not doing hot unplug of PCI devices will avoid the vulnerability.\n\nPassing through PCI devices to HVM domains only will also limit the impact, as\nan attacker would require another compromised component to exploit it."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58149",
"datePublished": "2025-10-31T11:50:39.536Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:31.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58148 (GCVE-0-2025-58148)
Vulnerability from cvelistv5 – Published: 2025-10-31 11:50 – Updated: 2025-11-04 21:13
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in
one of three formats. Xen has boundary checking bugs with all three
formats, which can cause out-of-bounds reads and writes while processing
the inputs.
* CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can
cause vpmask_set() to write out of bounds when converting the bitmap
to Xen's format.
* CVE-2025-58148. Hypercalls using any input format can cause
send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
vCPU pointer.
Severity
7.5 (High)
Credits
This issue was discovered by Teddy Astie of Vates
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58148",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T14:25:18.838278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T14:25:21.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:30.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-475.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/21/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-475"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.15 and newer are vulnerable. Versions 4.14 and older are\nnot vulnerable.\n\nOnly x86 HVM guests which have Viridian enabled can leverage the\nvulnerability.\n\nWith the `xl` toolstack, this means any `viridian=` setting in the VM\u0027s\nconfiguration file.\n\nNote - despite:\n\n `viridian=[\"!hcall_remote_tlb_flush\", \"!hcall_ipi\", \"!ex_processor_masks\"]`\n\nbeing documented to turn off the relevant functionality, this\nconfiguration does not block the relevant hypercalls."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Teddy Astie of Vates"
}
],
"datePublic": "2025-10-21T11:59:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nSome Viridian hypercalls can specify a mask of vCPU IDs as an input, in\none of three formats. Xen has boundary checking bugs with all three\nformats, which can cause out-of-bounds reads and writes while processing\nthe inputs.\n\n * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can\n cause vpmask_set() to write out of bounds when converting the bitmap\n to Xen\u0027s format.\n\n * CVE-2025-58148. Hypercalls using any input format can cause\n send_ipi() to read d-\u003evcpu[] out-of-bounds, and operate on a wild\n vCPU pointer."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A buggy or malicious guest can cause Denial of Service (DoS) affecting\nthe entire host, information leaks, or elevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T11:50:28.407Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-475.html"
}
],
"title": "x86: Incorrect input sanitisation in Viridian hypercalls",
"workarounds": [
{
"lang": "en",
"value": "Not enabling Viridian will avoid the issue."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58148",
"datePublished": "2025-10-31T11:50:28.407Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:30.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58147 (GCVE-0-2025-58147)
Vulnerability from cvelistv5 – Published: 2025-10-31 11:50 – Updated: 2025-11-04 21:13
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in
one of three formats. Xen has boundary checking bugs with all three
formats, which can cause out-of-bounds reads and writes while processing
the inputs.
* CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can
cause vpmask_set() to write out of bounds when converting the bitmap
to Xen's format.
* CVE-2025-58148. Hypercalls using any input format can cause
send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
vCPU pointer.
Severity
7.5 (High)
CWE
- CWE-125 - Out-of-bounds Read
Credits
This issue was discovered by Teddy Astie of Vates
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T17:45:24.503747Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T17:45:58.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:28.853Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-475.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/21/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-475"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.15 and newer are vulnerable. Versions 4.14 and older are\nnot vulnerable.\n\nOnly x86 HVM guests which have Viridian enabled can leverage the\nvulnerability.\n\nWith the `xl` toolstack, this means any `viridian=` setting in the VM\u0027s\nconfiguration file.\n\nNote - despite:\n\n `viridian=[\"!hcall_remote_tlb_flush\", \"!hcall_ipi\", \"!ex_processor_masks\"]`\n\nbeing documented to turn off the relevant functionality, this\nconfiguration does not block the relevant hypercalls."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Teddy Astie of Vates"
}
],
"datePublic": "2025-10-21T11:59:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nSome Viridian hypercalls can specify a mask of vCPU IDs as an input, in\none of three formats. Xen has boundary checking bugs with all three\nformats, which can cause out-of-bounds reads and writes while processing\nthe inputs.\n\n * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can\n cause vpmask_set() to write out of bounds when converting the bitmap\n to Xen\u0027s format.\n\n * CVE-2025-58148. Hypercalls using any input format can cause\n send_ipi() to read d-\u003evcpu[] out-of-bounds, and operate on a wild\n vCPU pointer."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A buggy or malicious guest can cause Denial of Service (DoS) affecting\nthe entire host, information leaks, or elevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T11:50:28.282Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-475.html"
}
],
"title": "x86: Incorrect input sanitisation in Viridian hypercalls",
"workarounds": [
{
"lang": "en",
"value": "Not enabling Viridian will avoid the issue."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58147",
"datePublished": "2025-10-31T11:50:28.282Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:28.853Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58144 (GCVE-0-2025-58144)
Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:13
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are two issues related to the mapping of pages belonging to other
domains: For one, an assertion is wrong there, where the case actually
needs handling. A NULL pointer de-reference could result on a release
build. This is CVE-2025-58144.
And then the P2M lock isn't held until a page reference was actually
obtained (or the attempt to do so has failed). Otherwise the page can
not only change type, but even ownership in between, thus allowing
domain boundaries to be violated. This is CVE-2025-58145.
Severity
7.5 (High)
CWE
- CWE-476 - NULL Pointer Dereference
Credits
This issue was discovered by Jan Beulich of SUSE.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:18:50.824988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:38:26.891Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:26.232Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-473.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-473"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.12 and onwards are vulnerable. Xen versions 4.11 and\nearlier are not vulnerable.\n\nOnly Arm systems are affected. x86 systems are not affected."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are two issues related to the mapping of pages belonging to other\ndomains: For one, an assertion is wrong there, where the case actually\nneeds handling. A NULL pointer de-reference could result on a release\nbuild. This is CVE-2025-58144.\n\nAnd then the P2M lock isn\u0027t held until a page reference was actually\nobtained (or the attempt to do so has failed). Otherwise the page can\nnot only change type, but even ownership in between, thus allowing\ndomain boundaries to be violated. This is CVE-2025-58145."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unprivileged guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host. Privilege escalation and information\nleaks cannot be ruled out."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:36.284Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-473.html"
}
],
"title": "Arm issues with page refcounting",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58144",
"datePublished": "2025-09-11T14:05:36.284Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:26.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58145 (GCVE-0-2025-58145)
Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:13
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are two issues related to the mapping of pages belonging to other
domains: For one, an assertion is wrong there, where the case actually
needs handling. A NULL pointer de-reference could result on a release
build. This is CVE-2025-58144.
And then the P2M lock isn't held until a page reference was actually
obtained (or the attempt to do so has failed). Otherwise the page can
not only change type, but even ownership in between, thus allowing
domain boundaries to be violated. This is CVE-2025-58145.
Severity
7.5 (High)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Credits
This issue was discovered by Jan Beulich of SUSE.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:39:37.372975Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:39:41.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:27.555Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-473.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-473"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.12 and onwards are vulnerable. Xen versions 4.11 and\nearlier are not vulnerable.\n\nOnly Arm systems are affected. x86 systems are not affected."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are two issues related to the mapping of pages belonging to other\ndomains: For one, an assertion is wrong there, where the case actually\nneeds handling. A NULL pointer de-reference could result on a release\nbuild. This is CVE-2025-58144.\n\nAnd then the P2M lock isn\u0027t held until a page reference was actually\nobtained (or the attempt to do so has failed). Otherwise the page can\nnot only change type, but even ownership in between, thus allowing\ndomain boundaries to be violated. This is CVE-2025-58145."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unprivileged guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host. Privilege escalation and information\nleaks cannot be ruled out."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:36.380Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-473.html"
}
],
"title": "Arm issues with page refcounting",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58145",
"datePublished": "2025-09-11T14:05:36.380Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:27.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58142 (GCVE-0-2025-58142)
Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:13
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:
1. A NULL pointer dereference in the updating of the reference TSC area.
This is CVE-2025-27466.
2. A NULL pointer dereference by assuming the SIM page is mapped when
a synthetic timer message has to be delivered. This is
CVE-2025-58142.
3. A race in the mapping of the reference TSC page, where a guest can
get Xen to free a page while still present in the guest physical to
machine (p2m) page tables. This is CVE-2025-58143.
Severity
9.8 (Critical)
CWE
- CWE-395 - Use of NullPointerException Catch to Detect NULL Pointer Dereference
Credits
This issue was discovered by Roger Pau Monné of XenServer.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:24:28.317871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-395",
"description": "CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:41:07.805Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:23.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-472.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-472"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.13 and newer are vulnerable. Xen versions 4.12 and older\nare not vulnerable.\n\nOnly x86 HVM guests which have the reference_tsc or stimer viridian\nextensions enabled are vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n a synthetic timer message has to be delivered. This is\n CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n get Xen to free a page while still present in the guest physical to\n machine (p2m) page tables. This is CVE-2025-58143."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of Service (DoS) affecting the entire host, information leaks, or\nelevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:29.649Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-472.html"
}
],
"title": "Multiple vulnerabilities in the Viridian interface",
"workarounds": [
{
"lang": "en",
"value": "Not enabling the reference_tsc and stimer viridian extensions will avoid\nthe issues."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58142",
"datePublished": "2025-09-11T14:05:29.649Z",
"dateReserved": "2025-08-26T06:48:41.442Z",
"dateUpdated": "2025-11-04T21:13:23.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58143 (GCVE-0-2025-58143)
Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:13
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:
1. A NULL pointer dereference in the updating of the reference TSC area.
This is CVE-2025-27466.
2. A NULL pointer dereference by assuming the SIM page is mapped when
a synthetic timer message has to be delivered. This is
CVE-2025-58142.
3. A race in the mapping of the reference TSC page, where a guest can
get Xen to free a page while still present in the guest physical to
machine (p2m) page tables. This is CVE-2025-58143.
Severity
9.8 (Critical)
CWE
- CWE-366 - Race Condition within a Thread
Credits
This issue was discovered by Roger Pau Monné of XenServer.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:21:09.042615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-366",
"description": "CWE-366 Race Condition within a Thread",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:41:56.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:24.914Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-472.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-472"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.13 and newer are vulnerable. Xen versions 4.12 and older\nare not vulnerable.\n\nOnly x86 HVM guests which have the reference_tsc or stimer viridian\nextensions enabled are vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n a synthetic timer message has to be delivered. This is\n CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n get Xen to free a page while still present in the guest physical to\n machine (p2m) page tables. This is CVE-2025-58143."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of Service (DoS) affecting the entire host, information leaks, or\nelevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:29.729Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-472.html"
}
],
"title": "Multiple vulnerabilities in the Viridian interface",
"workarounds": [
{
"lang": "en",
"value": "Not enabling the reference_tsc and stimer viridian extensions will avoid\nthe issues."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58143",
"datePublished": "2025-09-11T14:05:29.729Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:24.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27466 (GCVE-0-2025-27466)
Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:09
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:
1. A NULL pointer dereference in the updating of the reference TSC area.
This is CVE-2025-27466.
2. A NULL pointer dereference by assuming the SIM page is mapped when
a synthetic timer message has to be delivered. This is
CVE-2025-58142.
3. A race in the mapping of the reference TSC page, where a guest can
get Xen to free a page while still present in the guest physical to
machine (p2m) page tables. This is CVE-2025-58143.
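The workaround for XSA-472 is to leave the reference_tsc and stimer groups disabled, which in practice means knowing what a given xl.cfg `viridian = [ ... ]` list really enables. The evaluator below is an added example, not libxl code: it resolves such a list the way xl.cfg(5) documents (entries processed in order, a leading `!` disables a group, `defaults` and `all` expand to sets) and reports whether either XSA-472 group is left on for an HVM guest. The group names and the membership of `defaults` are taken from xl.cfg(5) for recent releases and are an assumption to check against the man page of the Xen version actually installed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not libxl code: resolve an xl.cfg "viridian = [ ... ]" list
 * and report whether the two groups named in XSA-472 end up enabled.
 * Group names and the contents of "defaults" follow xl.cfg(5) for recent
 * Xen releases; treat that membership as an assumption and verify it against
 * the man page shipped with the installed Xen.
 */
enum {
    VG_BASE                   = 1u << 0,
    VG_FREQ                   = 1u << 1,
    VG_TIME_REF_COUNT         = 1u << 2,
    VG_REFERENCE_TSC          = 1u << 3,
    VG_HCALL_REMOTE_TLB_FLUSH = 1u << 4,
    VG_APIC_ASSIST            = 1u << 5,
    VG_CRASH_CTL              = 1u << 6,
    VG_STIMER                 = 1u << 7,
    VG_HCALL_IPI              = 1u << 8,
    VG_EX_PROCESSOR_MASKS     = 1u << 9,
    VG_NO_VP_LIMIT            = 1u << 10,
    VG_CPU_HOTPLUG            = 1u << 11,
    VG_ALL                    = (1u << 12) - 1,
    /* Assumed "defaults" set per xl.cfg(5); note that it includes stimer. */
    VG_DEFAULTS = VG_BASE | VG_FREQ | VG_TIME_REF_COUNT | VG_APIC_ASSIST |
                  VG_CRASH_CTL | VG_STIMER
};

static const struct { const char *name; unsigned int mask; } groups[] = {
    { "base", VG_BASE }, { "freq", VG_FREQ },
    { "time_ref_count", VG_TIME_REF_COUNT }, { "reference_tsc", VG_REFERENCE_TSC },
    { "hcall_remote_tlb_flush", VG_HCALL_REMOTE_TLB_FLUSH },
    { "apic_assist", VG_APIC_ASSIST }, { "crash_ctl", VG_CRASH_CTL },
    { "stimer", VG_STIMER }, { "hcall_ipi", VG_HCALL_IPI },
    { "ex_processor_masks", VG_EX_PROCESSOR_MASKS },
    { "no_vp_limit", VG_NO_VP_LIMIT }, { "cpu_hotplug", VG_CPU_HOTPLUG },
    { "defaults", VG_DEFAULTS }, { "all", VG_ALL },
};

/* Process entries in order: "name" enables a group, "!name" disables it.
 * Returns the enabled mask; sets *err and returns 0 on an unknown name. */
unsigned int viridian_resolve(const char *const *entries, size_t n, int *err)
{
    unsigned int enabled = 0;

    *err = 0;
    for (size_t i = 0; i < n; i++) {
        const char *e = entries[i];
        int disable = (e[0] == '!');
        unsigned int mask = 0;

        if (disable)
            e++;
        for (size_t g = 0; g < sizeof(groups) / sizeof(groups[0]); g++)
            if (strcmp(groups[g].name, e) == 0) {
                mask = groups[g].mask;
                break;
            }
        if (!mask) {
            *err = 1;
            return 0;
        }
        if (disable)
            enabled &= ~mask;
        else
            enabled |= mask;
    }
    return enabled;
}

/* 1 if the resolved list leaves stimer or reference_tsc enabled (XSA-472
 * exposure for an HVM guest), 0 if not, -1 on an unknown group name. */
int xsa472_check(const char *const *entries, size_t n)
{
    int err;
    unsigned int enabled = viridian_resolve(entries, n, &err);

    if (err)
        return -1;
    return (enabled & (VG_STIMER | VG_REFERENCE_TSC)) != 0;
}

int main(void)
{
    const char *const before[] = { "defaults" };
    const char *const after[]  = { "defaults", "!stimer", "!reference_tsc" };

    printf("viridian=[\"defaults\"]: exposed=%d\n", xsa472_check(before, 1));
    printf("viridian=[\"defaults\",\"!stimer\",\"!reference_tsc\"]: exposed=%d\n",
           xsa472_check(after, 3));
    return 0;
}
```

The point worth noticing is that `defaults` is not a minimal set: on the assumed membership it already contains stimer, so a config that reads `viridian = ["defaults"]` is exposed until `"!stimer"` is appended, and `"all"` brings in reference_tsc as well.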
Severity ?
9.8 (Critical)
CWE
- CWE-395 - Use of NullPointerException Catch to Detect NULL Pointer Dereference
Assigner
References
Credits
This issue was discovered by Roger Pau Monné of XenServer.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-27466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:25:53.637084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-395",
"description": "CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:40:33.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:51.419Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-472.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-472"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.13 and newer are vulnerable. Xen versions 4.12 and older\nare not vulnerable.\n\nOnly x86 HVM guests which have the reference_tsc or stimer viridian\nextensions enabled are vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n a synthetic timer message has to be delivered. This is\n CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n get Xen to free a page while still present in the guest physical to\n machine (p2m) page tables. This is CVE-2025-58143."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of Service (DoS) affecting the entire host, information leaks, or\nelevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:29.525Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-472.html"
}
],
"title": "Multiple vulnerabilities in the Viridian interface",
"workarounds": [
{
"lang": "en",
"value": "Not enabling the reference_tsc and stimer viridian extensions will avoid\nthe issues."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27466",
"datePublished": "2025-09-11T14:05:29.525Z",
"dateReserved": "2025-02-26T09:16:54.462Z",
"dateUpdated": "2025-11-04T21:09:51.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1713 (GCVE-0-2025-1713)
Vulnerability from cvelistv5 – Published: 2025-07-17 13:59 – Updated: 2025-07-17 14:21
Summary
When setting up interrupt remapping for legacy PCI(-X) devices,
including PCI(-X) bridges, a lookup of the upstream bridge is required.
This lookup, itself involving acquiring of a lock, is done in a context
where acquiring that lock is unsafe. This can lead to a deadlock.
Severity ?
7.5 (High)
CWE
- CWE-833 - Deadlock
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-07-17T14:04:25.770Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/27/1"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-467.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/27/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/28/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-1713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-17T14:17:20.052947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-833",
"description": "CWE-833 Deadlock",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T14:21:42.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-467"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.0 and later are affected. Xen versions 3.4 and earlier\nare not directly affected, but had other issues.\n\nSystems with Intel IOMMU hardware (VT-d) are affected. Systems using\nAMD or non-x86 hardware are not affected.\n\nOnly systems where certain kinds of devices are passed through to an\nunprivileged guest are vulnerable."
}
],
"datePublic": "2025-02-27T12:52:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When setting up interrupt remapping for legacy PCI(-X) devices,\nincluding PCI(-X) bridges, a lookup of the upstream bridge is required.\nThis lookup, itself involving acquiring of a lock, is done in a context\nwhere acquiring that lock is unsafe. This can lead to a deadlock."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "The passing through of certain kinds of devices to an unprivileged guest\ncan result in a Denial of Service (DoS) affecting the entire host.\n\nNote: Normal usage of such devices by a privileged domain can also\n trigger the issue. In such a scenario, the deadlock is not\n considered a security issue, but just a plain bug."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T13:59:46.231Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-467.html"
}
],
"title": "deadlock potential with VT-d and legacy PCI device pass-through",
"workarounds": [
{
"lang": "en",
"value": "Avoiding the passing through of the affected device types will avoid\nthe vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-1713",
"datePublished": "2025-07-17T13:59:46.231Z",
"dateReserved": "2025-02-26T09:04:42.837Z",
"dateUpdated": "2025-07-17T14:21:42.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27465 (GCVE-0-2025-27465)
Vulnerability from cvelistv5 – Published: 2025-07-16 09:08 – Updated: 2025-11-04 21:09
Summary
Certain instructions need intercepting and emulating by Xen. In some
cases Xen emulates the instruction by replaying it, using an executable
stub. Some instructions may raise an exception, which is supposed to be
handled gracefully. Certain replayed instructions have additional logic
to set up and recover the changes to the arithmetic flags.
For replayed instructions where the flags recovery logic is used, the
metadata for exception handling was incorrect, preventing Xen from
handling the exception gracefully, treating it as fatal instead.
Severity ?
4.3 (Medium)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
Credits
This issue was discovered by Andrew Cooper of XenServer.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-27465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T20:46:06.289437Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755 Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T15:00:57.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:50.127Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-470.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/01/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-470"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen 4.9 and onwards are vulnerable. Xen 4.8 and older are not\nvulnerable.\n\nOnly x86 systems are vulnerable. ARM systems are not vulnerable.\n\nOnly HVM or PVH guests can leverage the vulnerability. PV guests cannot\nleverage the vulnerability."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrew Cooper of XenServer."
}
],
"datePublic": "2025-07-01T11:56:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Certain instructions need intercepting and emulating by Xen. In some\ncases Xen emulates the instruction by replaying it, using an executable\nstub. Some instructions may raise an exception, which is supposed to be\nhandled gracefully. Certain replayed instructions have additional logic\nto set up and recover the changes to the arithmetic flags.\n\nFor replayed instructions where the flags recovery logic is used, the\nmetadata for exception handling was incorrect, preventing Xen from\nhandling the exception gracefully, treating it as fatal instead."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unprivileged guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T09:08:39.931Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-470.html"
}
],
"title": "x86: Incorrect stubs exception handling for flags recovery",
"workarounds": [
{
"lang": "en",
"value": "There are no mitigations."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27465",
"datePublished": "2025-07-16T09:08:39.931Z",
"dateReserved": "2025-02-26T09:16:54.461Z",
"dateUpdated": "2025-11-04T21:09:50.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2201 (GCVE-0-2024-2201)
Vulnerability from cvelistv5 – Published: 2024-12-19 20:28 – Updated: 2025-01-09 16:40
Summary
A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems.
Severity ?
4.7 (Medium)
CWE
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-2201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T18:51:54.984364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T16:40:32.522Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "See advisory \"x86: Native Branch History Injection\""
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1423",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T20:29:32.134Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/155143"
},
{
"url": "https://github.com/vusec/inspectre-gadget?tab=readme-ov-file"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/15"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/05/07/7"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-456.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QKNCPX7CJUK4I6BRGABAUQK2DMQZUCA/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D5OK6MH75S7YWD34EWW7QIZTS627RIE3/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RYAZ7P6YFJ2E3FHKAGIKHWS46KYMMTZH/"
},
{
"url": "https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/branch-history-injection.htm"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2024-2201",
"x_generator": {
"engine": "VINCE 3.0.11",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2024-2201"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-2201",
"datePublished": "2024-12-19T20:28:31.596Z",
"dateReserved": "2024-03-05T19:12:39.649Z",
"dateUpdated": "2025-01-09T16:40:32.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45819 (GCVE-0-2024-45819)
Vulnerability from cvelistv5 – Published: 2024-12-19 12:00 – Updated: 2024-12-31 18:57
Summary
PVH guests have their ACPI tables constructed by the toolstack. The
construction involves building the tables in local memory, which are
then copied into guest memory. While actually used parts of the local
memory are filled in correctly, excess space that is being allocated is
left with its prior contents.
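The bug described above has a familiar shape: a buffer is allocated, only part of it is populated, and the whole allocation is copied somewhere less trusted. The C model below is an added example and not libxl's code; the arena allocator, the "prior contents" pattern, the toy table layout and the lengths are all constructed so that the leak is deterministic and measurable (plain malloc() leaks the same way, just not reproducibly). It puts the leaky builder beside a version that scrubs the allocation before populating it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not libxl code. Models the XSA-464 pattern: a table is built
 * in local memory, only the used part is written, and the whole allocation
 * (leftover bytes included) is copied to the guest.
 */

/* Constructed stand-in for the toolstack's local memory: a bump arena that
 * still holds data from earlier work. */
#define ARENA_SIZE 4096
static uint8_t arena[ARENA_SIZE];
static size_t arena_off;

static void arena_reset_with_prior_contents(void)
{
    const char leftover[] = "PRIOR-CONTENTS:made-up-dom0-secret:";  /* constructed */
    for (size_t i = 0; i < ARENA_SIZE; i++)
        arena[i] = (uint8_t)leftover[i % (sizeof(leftover) - 1)];
    arena_off = 0;
}

static void *arena_alloc(size_t n)          /* like malloc(): returns dirty memory */
{
    void *p;
    if (arena_off + n > ARENA_SIZE)
        return NULL;
    p = &arena[arena_off];
    arena_off += n;
    return p;
}

/* Toy table: 4-byte signature, 4-byte total length, then payload. 'alloc' is
 * what the builder reserves (real toolstacks round up, e.g. to a page);
 * 'used' is the payload it actually writes. */
#define HDR_LEN 8

static void fill_table(uint8_t *t, size_t used)
{
    uint32_t len = (uint32_t)(HDR_LEN + used);
    memcpy(t, "TBL", 4);
    memcpy(t + 4, &len, sizeof(len));
    memset(t + HDR_LEN, 0xAB, used);        /* the part that is populated */
}

/* Vulnerable shape: only HDR_LEN + used bytes are written, but all 'alloc'
 * bytes go to the guest, leftovers included. Returns bytes copied. */
size_t build_table_leaky(uint8_t *guest, size_t used, size_t alloc)
{
    uint8_t *t = arena_alloc(alloc);
    if (!t || HDR_LEN + used > alloc)
        return 0;
    fill_table(t, used);
    memcpy(guest, t, alloc);
    return alloc;
}

/* Fixed shape: scrub the whole allocation before populating it, so the
 * unused tail the guest sees is zeros rather than prior contents. */
size_t build_table_fixed(uint8_t *guest, size_t used, size_t alloc)
{
    uint8_t *t = arena_alloc(alloc);
    if (!t || HDR_LEN + used > alloc)
        return 0;
    memset(t, 0, alloc);                    /* the fix */
    fill_table(t, used);
    memcpy(guest, t, alloc);
    return alloc;
}

/* Bytes past the populated table that still carry non-zero leftovers. */
size_t leaked_bytes(const uint8_t *guest, size_t used, size_t alloc)
{
    size_t n = 0;
    for (size_t i = HDR_LEN + used; i < alloc; i++)
        if (guest[i] != 0)
            n++;
    return n;
}

/* Build a 20-byte-payload table into a 64-byte allocation and measure the
 * leak; returns (size_t)-1 if the build fails. */
size_t demo_leak(int fixed)
{
    uint8_t guest[64];
    size_t copied;

    memset(guest, 0, sizeof(guest));
    arena_reset_with_prior_contents();
    copied = fixed ? build_table_fixed(guest, 20, sizeof(guest))
                   : build_table_leaky(guest, 20, sizeof(guest));
    if (copied == 0)
        return (size_t)-1;
    return leaked_bytes(guest, 20, copied);
}

int main(void)
{
    printf("leaky builder: %zu bytes of prior contents reach the guest\n", demo_leak(0));
    printf("fixed builder: %zu bytes of prior contents reach the guest\n", demo_leak(1));
    return 0;
}
```

Scrubbing at allocation time is the robust choice because it does not depend on every later code path remembering how much of the buffer it populated; copying only the populated length is an alternative when the consumer's view of the size is adjusted to match.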
Severity ?
5.5 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Credits
This issue was discovered by Jason Andryuk of AMD.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-19T12:04:50.065Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/12/1"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-464.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/12/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/12/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45819",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T18:56:31.915960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-31T18:57:41.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-464"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.8 and onwards are vulnerable. Xen 4.7 and older are not\nvulnerable.\n\nOnly x86 systems running PVH guests are vulnerable. Architectures other\nthan x86 are not vulnerable.\n\nOnly PVH guests can leverage the vulnerability. HVM and PV guests\ncannot leverage the vulnerability. Note that PV guests when run inside\nthe (PVH) shim can\u0027t leverage the vulnerability."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jason Andryuk of AMD."
}
],
"datePublic": "2024-11-12T12:00:00Z",
"descriptions": [
{
"lang": "en",
"value": "PVH guests have their ACPI tables constructed by the toolstack. The\nconstruction involves building the tables in local memory, which are\nthen copied into guest memory. While actually used parts of the local\nmemory are filled in correctly, excess space that is being allocated is\nleft with its prior contents."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unprivileged guest may be able to access sensitive information\npertaining to the host, control domain, or other guests."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T12:00:50.271Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-464.html"
}
],
"title": "libxl leaks data to PVH guests via ACPI tables",
"workarounds": [
{
"lang": "en",
"value": "Running only PV or HVM guests will avoid this vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2024-45819",
"datePublished": "2024-12-19T12:00:50.271Z",
"dateReserved": "2024-09-09T14:43:11.826Z",
"dateUpdated": "2024-12-31T18:57:41.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45818 (GCVE-0-2024-45818)
Vulnerability from cvelistv5 – Published: 2024-12-19 12:00 – Updated: 2024-12-31 19:01
Summary
The hypervisor contains code to accelerate VGA memory accesses for HVM
guests, when the (virtual) VGA is in "standard" mode. Locking involved
there has an unusual discipline, leaving a lock acquired past the
return from the function that acquired it. This behavior results in a
problem when emulating an instruction with two memory accesses, both of
which touch VGA memory (plus some further constraints which aren't
relevant here). When emulating the 2nd access, the lock that is already
being held would be attempted to be re-acquired, resulting in a
deadlock.
This deadlock was already found when the code was first introduced, but
was analysed incorrectly and the fix was incomplete. Analysis in light
of the new finding cannot find a way to make the existing locking
discipline work.
In staging, this logic has all been removed because it was discovered
to be accidentally disabled since Xen 4.7. Therefore, we are fixing the
locking problem by backporting the removal of most of the feature. Note
that even with the feature disabled, the lock would still be acquired
for any accesses to the VGA MMIO region.
Severity ?
6.5 (Medium)
CWE
- CWE-667 - Improper Locking
Assigner
References
Credits
This issue was discovered by Manuel Andreas of Technical University of
Munich.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-19T12:04:41.161Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/12/2"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-463.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45818",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T18:59:24.741670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-31T19:01:43.510Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-463"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.6 through 4.19 are vulnerable. Staging (4.20 dev) is\nnot vulnerable; as noted above, the functionality was already removed\nprior to the discovery of this issue.\n\nOnly x86 systems running HVM guests are vulnerable. Architectures other\nthan x86 are not vulnerable.\n\nOnly HVM guests can leverage the vulnerability. PVH and PV guests\ncannot leverage the vulnerability."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Manuel Andreas of Technical University of\nMunich."
}
],
"datePublic": "2024-11-12T12:00:00Z",
"descriptions": [
{
"lang": "en",
"value": "The hypervisor contains code to accelerate VGA memory accesses for HVM\nguests, when the (virtual) VGA is in \"standard\" mode. Locking involved\nthere has an unusual discipline, leaving a lock acquired past the\nreturn from the function that acquired it. This behavior results in a\nproblem when emulating an instruction with two memory accesses, both of\nwhich touch VGA memory (plus some further constraints which aren\u0027t\nrelevant here). When emulating the 2nd access, the lock that is already\nbeing held would be attempted to be re-acquired, resulting in a\ndeadlock.\n\nThis deadlock was already found when the code was first introduced, but\nwas analysed incorrectly and the fix was incomplete. Analysis in light\nof the new finding cannot find a way to make the existing locking\ndiscipline work.\n\nIn staging, this logic has all been removed because it was discovered\nto be accidentally disabled since Xen 4.7. Therefore, we are fixing the\nlocking problem by backporting the removal of most of the feature. Note\nthat even with the feature disabled, the lock would still be acquired\nfor any accesses to the VGA MMIO region."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A (not necessarily malicious) HVM guest kernel can lock up the entire\nhost."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T12:00:41.413Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-463.html"
}
],
"title": "Deadlock in x86 HVM standard VGA handling",
"workarounds": [
{
"lang": "en",
"value": "Running only PV or PVH guests will avoid this vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2024-45818",
"datePublished": "2024-12-19T12:00:41.413Z",
"dateReserved": "2024-09-09T14:43:11.826Z",
"dateUpdated": "2024-12-31T19:01:43.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45817 (GCVE-0-2024-45817)
Vulnerability from cvelistv5 – Published: 2024-09-25 10:31 – Updated: 2024-11-20 21:33
Summary
In x86's APIC (Advanced Programmable Interrupt Controller) architecture,
error conditions are reported in a status register. Furthermore, the OS
can opt to receive an interrupt when a new error occurs.
It is possible to configure the error interrupt with an illegal vector,
which generates an error when an error interrupt is raised.
This case causes Xen to recurse through vlapic_error(). The recursion
itself is bounded; errors accumulate in the status register and only
generate an interrupt when a new status bit becomes set.
However, the lock protecting this state in Xen will try to be taken
recursively, and deadlock.
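This advisory and XSA-463 above come down to the same fault: a non-recursive lock re-acquired on a path that already holds it. The model below is an added example, not Xen's vlapic code; the lock, the vlapic structure, the function shapes and the "vectors below 16 are illegal" rule are this example's own constructions (the two ESR bit positions follow the architectural layout). Rather than spinning forever, the model lock reports the self-acquisition, so the buggy path can be run to completion beside a version that records the illegal-vector error inside the single locked region and delivers the interrupt only after dropping the lock.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not Xen's vlapic code. Models the XSA-462 shape: the error
 * path takes a non-recursive lock, and reporting an illegal error vector
 * re-enters that same path while the lock is still held.
 */

/* Non-recursive lock that knows its owner. A real spinlock would spin forever
 * when its holder takes it again; the model refuses and reports instead. */
struct lock { int held; int owner; };

static int lock_acquire(struct lock *l, int cpu)
{
    if (l->held && l->owner == cpu)
        return -1;                      /* self-deadlock in the real thing */
    l->held = 1;
    l->owner = cpu;
    return 0;
}

static void lock_release(struct lock *l) { l->held = 0; }

/* ESR bits at their architectural positions; vectors 0-15 are illegal. */
#define ESR_SEND_ILLEGAL_VECTOR (1u << 5)
#define ESR_RECV_ILLEGAL_VECTOR (1u << 6)

struct vlapic {
    struct lock esr_lock;
    uint32_t esr;            /* accumulated error status */
    uint8_t lvterr_vector;   /* vector programmed into the LVT error entry */
    int deadlocked;          /* model-only: a self-acquisition happened */
    int injected;            /* model-only: error interrupts delivered */
};

static int vector_is_illegal(uint8_t v) { return v < 16; }

/* Buggy shape: delivering the error interrupt with an illegal vector calls
 * the error routine again, which re-takes the esr_lock its caller holds. */
static void buggy_error(struct vlapic *v, uint32_t bit, int cpu);

static void buggy_set_irq(struct vlapic *v, uint8_t vec, int cpu)
{
    if (vector_is_illegal(vec)) {
        buggy_error(v, ESR_RECV_ILLEGAL_VECTOR, cpu);   /* re-entry */
        return;
    }
    v->injected++;
}

static void buggy_error(struct vlapic *v, uint32_t bit, int cpu)
{
    uint32_t old;
    if (lock_acquire(&v->esr_lock, cpu) < 0) {
        v->deadlocked = 1;
        return;
    }
    old = v->esr;
    v->esr |= bit;
    if (old != v->esr)                   /* only a new bit raises the IRQ */
        buggy_set_irq(v, v->lvterr_vector, cpu);
    lock_release(&v->esr_lock);
}

/* Fixed shape: decide inside the one locked region whether the vector is
 * usable; record the illegal-vector error there instead of recursing, and
 * deliver a legal vector only after the lock is dropped. */
static void fixed_error(struct vlapic *v, uint32_t bit, int cpu)
{
    uint32_t old;
    int deliver = 0;
    if (lock_acquire(&v->esr_lock, cpu) < 0) {
        v->deadlocked = 1;
        return;
    }
    old = v->esr;
    v->esr |= bit;
    if (old != v->esr) {
        if (vector_is_illegal(v->lvterr_vector))
            v->esr |= ESR_RECV_ILLEGAL_VECTOR;   /* accumulate, no re-entry */
        else
            deliver = 1;
    }
    lock_release(&v->esr_lock);
    if (deliver)
        v->injected++;
}

struct outcome { int deadlocked; uint32_t esr; int injected; };

/* Raise one "send illegal vector" error on a fresh vlapic whose LVT error
 * entry holds 'lvterr_vector', through the buggy or the fixed routine. */
struct outcome run_error_path(int fixed, uint8_t lvterr_vector)
{
    struct vlapic v = { .lvterr_vector = lvterr_vector };
    struct outcome o;
    if (fixed)
        fixed_error(&v, ESR_SEND_ILLEGAL_VECTOR, 0);
    else
        buggy_error(&v, ESR_SEND_ILLEGAL_VECTOR, 0);
    o.deadlocked = v.deadlocked;
    o.esr = v.esr;
    o.injected = v.injected;
    return o;
}

int main(void)
{
    struct outcome b = run_error_path(0, 3), f = run_error_path(1, 3);
    printf("illegal vector 3, buggy: deadlocked=%d esr=%#x\n", b.deadlocked, b.esr);
    printf("illegal vector 3, fixed: deadlocked=%d esr=%#x\n", f.deadlocked, f.esr);
    return 0;
}
```

The same discipline addresses the VGA case in XSA-463: a lock that is still held when control returns to the caller turns any second entry on the same path (here the second memory access of one emulated instruction) into a self-acquisition, so the lock scope has to end before the code that may re-enter.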
Severity ?
7.3 (High)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Credits
This issue was discovered after a BUGSENG team working on MISRA C
compliance of Xen pointed attention to ECLAIR reports for MISRA C Rule
17.2 (Functions shall not call themselves, either directly or
indirectly).
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-25T11:03:12.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-462.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/24/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45817",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T13:35:45.402325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T21:33:14.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-462"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen 4.5 and onwards are vulnerable. Xen 4.4 and older are not vulnerable.\n\nOnly x86 systems running HVM or PVH guests are vulnerable.\nArchitectures other than x86 are not vulnerable.\n\nOnly HVM or PVH guests can leverage the vulnerability. PV guests cannot\nleverage the vulnerability."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered after a BUGSENG team working on MISRA C\ncompliance of Xen pointed attention to ECLAIR reports for MISRA C Rule\n17.2 (Functions shall not call themselves, either directly or\nindirectly)."
}
],
"datePublic": "2024-09-24T10:46:00Z",
"descriptions": [
{
"lang": "en",
"value": "In x86\u0027s APIC (Advanced Programmable Interrupt Controller) architecture,\nerror conditions are reported in a status register. Furthermore, the OS\ncan opt to receive an interrupt when a new error occurs.\n\nIt is possible to configure the error interrupt with an illegal vector,\nwhich generates an error when an error interrupt is raised.\n\nThis case causes Xen to recurse through vlapic_error(). The recursion\nitself is bounded; errors accumulate in the status register and only\ngenerate an interrupt when a new status bit becomes set.\n\nHowever, the lock protecting this state in Xen will try to be taken\nrecursively, and deadlock."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A buggy or malicious HVM or PVH guest can deadlock Xen, leading to a\nDoS."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T10:31:57.371Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-462.html"
}
],
"title": "x86: Deadlock in vlapic_error()",
"workarounds": [
{
"lang": "en",
"value": "Not running untrusted HVM or PVH VMs will avoid this vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2024-45817",
"datePublished": "2024-09-25T10:31:57.371Z",
"dateReserved": "2024-09-09T14:43:11.826Z",
"dateUpdated": "2024-11-20T21:33:14.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31146 (GCVE-0-2024-31146)
Vulnerability from cvelistv5 – Published: 2024-09-25 10:31 – Updated: 2024-09-25 13:24
Summary
When multiple devices share resources and one of them is to be passed
through to a guest, security of the entire system and of respective
guests individually cannot really be guaranteed without knowing
internals of any of the involved guests. Therefore such a configuration
cannot really be security-supported, yet making that explicit was so far
missing.
Resources the sharing of which is known to be problematic include, but
are not limited to:
- PCI Base Address Registers (BARs) of multiple devices mapping to the
  same page (4k on x86),
- INTx lines.
Severity
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-25T11:02:55.207Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-461.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/14/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:xen:xen:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xen",
"vendor": "xen",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31146",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T13:14:46.996097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T13:24:47.409Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-461"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All systems making use of PCI pass-through are in principle vulnerable,\nwhen any kind of resource is shared. Just to re-iterate, even in the\nabsence of resource sharing caveats apply to passing through of PCI\ndevices to entirely untrusted guests."
}
],
"datePublic": "2024-08-13T12:00:00Z",
"descriptions": [
{
"lang": "en",
"value": "When multiple devices share resources and one of them is to be passed\nthrough to a guest, security of the entire system and of respective\nguests individually cannot really be guaranteed without knowing\ninternals of any of the involved guests. Therefore such a configuration\ncannot really be security-supported, yet making that explicit was so far\nmissing.\n\nResources the sharing of which is known to be problematic include, but\nare not limited to\n- - PCI Base Address Registers (BARs) of multiple devices mapping to the\n same page (4k on x86),\n- - INTx lines."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "The precise effects when shared resources are in use are system, device,\nguest, and resource specific. None of privilege escalation, information\nleaks, or Denial of Service (DoS) can be ruled out."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T10:31:51.154Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-461.html"
}
],
"title": "PCI device pass-through with shared resources",
"workarounds": [
{
"lang": "en",
"value": "Passing through only SR-IOV virtual functions or devices with well-\nseparated resources will avoid this particular vulnerability. Passing\nthrough all devices sharing a given resource to the same guest will also\navoid this particular vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2024-31146",
"datePublished": "2024-09-25T10:31:51.154Z",
"dateReserved": "2024-03-28T18:14:12.893Z",
"dateUpdated": "2024-09-25T13:24:47.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31145 (GCVE-0-2024-31145)
Vulnerability from cvelistv5 – Published: 2024-09-25 10:31 – Updated: 2024-09-25 13:29
Summary
Certain PCI devices in a system might be assigned Reserved Memory
Regions (specified via Reserved Memory Region Reporting, "RMRR") for
Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used
for platform tasks such as legacy USB emulation.
Since the precise purpose of these regions is unknown, once a device
associated with such a region is active, the mappings of these regions
need to remain continuously accessible by the device. In the logic
establishing these mappings, error handling was flawed, resulting in
such mappings potentially remaining in place when they should have been
removed again. Respective guests would then gain access to memory
regions which they aren't supposed to have access to.
Severity
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Credits
This issue was discovered by Teddy Astie of Vates and diagnosed as a
security issue by Jan Beulich of SUSE.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-25T11:02:50.356Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-460.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/14/2"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:xen:xen:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xen",
"vendor": "xen",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T13:27:44.216381Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T13:29:33.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-460"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Only x86 systems passing PCI devices with RMRR/Unity regions through to\nguests are potentially affected.\n\nPCI devices listed in a vm.cfg file have error handling which causes `xl\ncreate` to abort and tear down the domain, and is thus believed to be\nsafe.\n\nPCI devices attached using `xl pci-attach` will result in the command\nreturning nonzero, but will not tear down the domain. VMs which\ncontinue to run after `xl pci-attach` has failed expose the\nvulnerability.\n\nFor x86 Intel hardware, Xen versions 4.0 and later are affected.\n\nFor all x86 hardware, Xen versions having the XSA-378 fixes applied /\nbackported are affected."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Teddy Astie of Vates and diagnosed as a\nsecurity issue by Jan Beulich of SUSE."
}
],
"datePublic": "2024-08-13T12:00:00Z",
"descriptions": [
{
"lang": "en",
"value": "Certain PCI devices in a system might be assigned Reserved Memory\nRegions (specified via Reserved Memory Region Reporting, \"RMRR\") for\nIntel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used\nfor platform tasks such as legacy USB emulation.\n\nSince the precise purpose of these regions is unknown, once a device\nassociated with such a region is active, the mappings of these regions\nneed to remain continuouly accessible by the device. In the logic\nestablishing these mappings, error handling was flawed, resulting in\nsuch mappings to potentially remain in place when they should have been\nremoved again. Respective guests would then gain access to memory\nregions which they aren\u0027t supposed to have access to."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "The precise impact is system specific. Denial of Service (DoS)\naffecting the entire host or individual guests, privilege escalation,\nand information leaks cannot be ruled out."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T10:31:43.523Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-460.html"
}
],
"title": "error handling in x86 IOMMU identity mapping",
"workarounds": [
{
"lang": "en",
"value": "Assigning devices using the vm.cfg file for attachment at boot avoids\nthe vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2024-31145",
"datePublished": "2024-09-25T10:31:43.523Z",
"dateReserved": "2024-03-28T18:14:12.893Z",
"dateUpdated": "2024-09-25T13:29:33.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31143 (GCVE-0-2024-31143)
Vulnerability from cvelistv5 – Published: 2024-07-18 13:31 – Updated: 2025-04-26 20:03
Summary
An optional feature of PCI MSI called "Multiple Message" allows a
device to use multiple consecutive interrupt vectors. Unlike for MSI-X,
the setting up of these consecutive vectors needs to happen all in one
go. In this handling an error path could be taken in different
situations, with or without a particular lock held. This error path
wrongly releases the lock even when it is not currently held.
Severity
7.5 (High)
CWE
- CWE-832 - Unlock of a Resource that is not Locked
Assigner
References
Credits
This issue was discovered by Jan Beulich of SUSE.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-04-26T20:03:16.232Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-458.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/16/3"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-458.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xen",
"vendor": "xen",
"versions": [
{
"lessThan": "4.16",
"status": "affected",
"version": "4.4",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:31:44.467773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-832",
"description": "CWE-832 Unlock of a Resource that is not Locked",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T13:39:34.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-458"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.4 and newer are vulnerable. Xen versions 4.3 and older\nare not vulnerable.\n\nOnly x86 guest which have a multi-vector MSI capable device passed\nthrough to them can leverage the vulnerability.\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jan Beulich of SUSE.\n"
}
],
"datePublic": "2024-07-16T11:59:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An optional feature of PCI MSI called \"Multiple Message\" allows a\ndevice to use multiple consecutive interrupt vectors. Unlike for MSI-X,\nthe setting up of these consecutive vectors needs to happen all in one\ngo. In this handling an error path could be taken in different\nsituations, with or without a particular lock held. This error path\nwrongly releases the lock even when it is not currently held.\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of Service (DoS) affecting the entire host, crashes, information\nleaks, or elevation of privilege all cannot be ruled out.\n"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:31:31.244Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-458.html"
}
],
"title": "double unlock in x86 guest IRQ handling",
"workarounds": [
{
"lang": "en",
"value": "Not passing through multi-vector MSI capable devices to x86 guests will\navoid the vulnerability.\n"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2024-31143",
"datePublished": "2024-07-18T13:31:31.244Z",
"dateReserved": "2024-03-28T18:14:12.892Z",
"dateUpdated": "2025-04-26T20:03:16.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31142 (GCVE-0-2024-31142)
Vulnerability from cvelistv5 – Published: 2024-05-16 13:39 – Updated: 2025-11-04 18:30
Summary
Because of a logical error in XSA-407 (Branch Type Confusion), the
mitigation is not applied properly when it is intended to be used.
XSA-434 (Speculative Return Stack Overflow) uses the same
infrastructure, so is equally impacted.
For more details, see:
https://xenbits.xen.org/xsa/advisory-407.html
https://xenbits.xen.org/xsa/advisory-434.html
Severity
7.5 (High)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
Credits
This issue was discovered by Andrew Cooper of XenServer.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-20T13:51:28.453648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693 Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T21:00:51.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:30:46.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-455.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D5OK6MH75S7YWD34EWW7QIZTS627RIE3/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RYAZ7P6YFJ2E3FHKAGIKHWS46KYMMTZH/"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-455.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-455"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All versions of Xen containing the XSA-407 fixes are vulnerable.\n\nSee XSAs 407 and 434 for details on which hardware is susceptible to\nBTC/SRSO.\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrew Cooper of XenServer.\n"
}
],
"datePublic": "2024-04-09T16:29:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Because of a logical error in XSA-407 (Branch Type Confusion), the\nmitigation is not applied properly when it is intended to be used.\nXSA-434 (Speculative Return Stack Overflow) uses the same\ninfrastructure, so is equally impacted.\n\nFor more details, see:\n https://xenbits.xen.org/xsa/advisory-407.html\n https://xenbits.xen.org/xsa/advisory-434.html\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "XSAs 407 and 434 are unmitigated, even when the patches are in place.\n"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-16T13:39:42.774Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-455.html"
}
],
"title": "x86: Incorrect logic for BTC/SRSO mitigations",
"workarounds": [
{
"lang": "en",
"value": "There are no mitigations.\n"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2024-31142",
"datePublished": "2024-05-16T13:39:42.774Z",
"dateReserved": "2024-03-28T18:14:12.892Z",
"dateUpdated": "2025-11-04T18:30:46.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46842 (GCVE-0-2023-46842)
Vulnerability from cvelistv5 – Published: 2024-05-16 13:39 – Updated: 2025-11-04 17:12
Summary
Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and
other modes. This in particular means that they may set registers used
to pass 32-bit-mode hypercall arguments to values outside of the range
32-bit code would be able to set them to.
When processing of hypercalls takes a considerable amount of time,
the hypervisor may choose to invoke a hypercall continuation. Doing so
involves putting (perhaps updated) hypercall arguments in respective
registers. For guests not running in 64-bit mode this further involves
a certain amount of translation of the values.
Unfortunately internal sanity checking of these translated values
assumes high halves of registers to always be clear when invoking a
hypercall. When this is found not to be the case, it triggers a
consistency check in the hypervisor and causes a crash.
Severity
6.5 (Medium)
CWE
- CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Assigner
References
Credits
This issue was discovered by Manuel Andreas of Technical University of
Munich.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46842",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-24T18:23:20.820059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843 Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-04T16:57:56.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T17:12:51.532Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-454.html"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-454.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D5OK6MH75S7YWD34EWW7QIZTS627RIE3/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RYAZ7P6YFJ2E3FHKAGIKHWS46KYMMTZH/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-454"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions from at least 3.2 onwards are vulnerable. Earlier\nversions have not been inspected.\n\nOnly x86 systems are vulnerable. Arm systems are not vulnerable.\n\nOnly HVM or PVH guests can leverage the vulnerability. PV guests cannot\nleverage the vulnerability.\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Manuel Andreas of Technical University of\nMunich.\n"
}
],
"datePublic": "2024-04-09T11:50:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and\nother modes. This in particular means that they may set registers used\nto pass 32-bit-mode hypercall arguments to values outside of the range\n32-bit code would be able to set them to.\n\nWhen processing of hypercalls takes a considerable amount of time,\nthe hypervisor may choose to invoke a hypercall continuation. Doing so\ninvolves putting (perhaps updated) hypercall arguments in respective\nregisters. For guests not running in 64-bit mode this further involves\na certain amount of translation of the values.\n\nUnfortunately internal sanity checking of these translated values\nassumes high halves of registers to always be clear when invoking a\nhypercall. When this is found not to be the case, it triggers a\nconsistency check in the hypervisor and causes a crash.\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A HVM or PVH guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host.\n"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-16T13:39:26.183Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-454.html"
}
],
"title": "x86 HVM hypercalls may trigger Xen bug check",
"workarounds": [
{
"lang": "en",
"value": "Not using HVM / PVH guests will avoid the vulnerability.\n"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2023-46842",
"datePublished": "2024-05-16T13:39:26.183Z",
"dateReserved": "2023-10-27T07:55:35.333Z",
"dateUpdated": "2025-11-04T17:12:51.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46841 (GCVE-0-2023-46841)
Vulnerability from cvelistv5 – Published: 2024-03-20 10:40 – Updated: 2025-11-04 18:18
Summary
Recent x86 CPUs offer functionality named Control-flow Enforcement
Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS).
CET-SS is a hardware feature designed to protect against Return Oriented
Programming attacks. When enabled, traditional stacks holding both data
and return addresses are accompanied by so called "shadow stacks",
holding little more than return addresses. Shadow stacks aren't
writable by normal instructions, and upon function returns their
contents are used to check for possible manipulation of a return address
coming from the traditional stack.
In particular certain memory accesses need intercepting by Xen. In
various cases the necessary emulation involves a kind of replaying of
the instruction. Such replaying typically involves filling and then
invoking a stub. Such a replayed instruction may raise an
exception, which is expected and dealt with accordingly.
Unfortunately the interaction of both of the above wasn't right:
Recovery involves removal of a call frame from the (traditional) stack.
The counterpart of this operation for the shadow stack was missing.
Severity
6.5 (Medium)
Assigner
References
Credits
This issue was discovered by Jan Beulich of SUSE.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46841",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-25T16:09:38.636466Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:53:05.398Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:18:57.552Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-451.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-451.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HES2IJXZY3H7HBPP4NVSVYYNGW254DMI/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-451"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen 4.14 and onwards are vulnerable. Xen 4.13 and older are not\nvulnerable.\n\nOnly x86 systems with CET-SS enabled are vulnerable. x86 systems with\nCET-SS unavailable or disabled are not vulnerable. Arm systems are not\nvulnerable. See\nhttps://xenbits.xen.org/docs/latest/faq.html#tell-if-cet-is-active\nfor how to determine whether CET-SS is active.\n\nOnly HVM or PVH guests can leverage the vulnerability. PV guests cannot\nleverage the vulnerability."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
],
"datePublic": "2024-02-27T10:38:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Recent x86 CPUs offer functionality named Control-flow Enforcement\nTechnology (CET). A sub-feature of this are Shadow Stacks (CET-SS).\nCET-SS is a hardware feature designed to protect against Return Oriented\nProgramming attacks. When enabled, traditional stacks holding both data\nand return addresses are accompanied by so called \"shadow stacks\",\nholding little more than return addresses. Shadow stacks aren\u0027t\nwritable by normal instructions, and upon function returns their\ncontents are used to check for possible manipulation of a return address\ncoming from the traditional stack.\n\nIn particular certain memory accesses need intercepting by Xen. In\nvarious cases the necessary emulation involves kind of replaying of\nthe instruction. Such replaying typically involves filling and then\ninvoking of a stub. Such a replayed instruction may raise an\nexceptions, which is expected and dealt with accordingly.\n\nUnfortunately the interaction of both of the above wasn\u0027t right:\nRecovery involves removal of a call frame from the (traditional) stack.\nThe counterpart of this operation for the shadow stack was missing."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unprivileged guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-23T03:06:14.246Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-451.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/"
}
],
"title": "x86: shadow stack vs exceptions from emulation stubs",
"workarounds": [
{
"lang": "en",
"value": "While in principle it is possible to disable use of CET on capable\nsystems using the \"cet=no-shstk\" command line option, doing so disables\nan important security feature and may therefore not be advisable."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2023-46841",
"datePublished": "2024-03-20T10:40:36.597Z",
"dateReserved": "2023-10-27T07:55:35.333Z",
"dateUpdated": "2025-11-04T18:18:57.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46840 (GCVE-0-2023-46840)
Vulnerability from cvelistv5 – Published: 2024-03-20 10:40 – Updated: 2025-11-04 18:18
Summary
Incorrect placement of a preprocessor directive in source code results
in logic that doesn't operate as intended when support for HVM guests is
compiled out of Xen.
Severity
4.1 (Medium)
Assigner
References
Credits
This issue was discovered by Teddy Astie of Vates.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:18:56.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-450.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XLL6SQ6IKFYXLYWITYZCRV5IBRK5G35R/"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-450.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T18:59:02.763689Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T21:39:44.430Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-450"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen 4.17 and onwards are vulnerable. Xen 4.16 and older are not\nvulnerable.\n\nOnly Xen running on x86 platforms with an Intel-compatible VT-d IOMMU is\nvulnerable. Platforms from other manufacturers, or platforms without a\nVT-d IOMMU are not vulnerable.\n\nOnly systems where PCI devices are passed through to untrusted or\nsemi-trusted guests are vulnerable. Systems which do not assign PCI\ndevices to untrusted guests are not vulnerable.\n\nXen is only vulnerable when CONFIG_HVM is disabled at build time. Most\ndeployments of Xen are expected to have CONFIG_HVM enabled at build\ntime, and would therefore not be vulnerable.\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Teddy Astie of Vates\n"
}
],
"datePublic": "2024-01-30T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Incorrect placement of a preprocessor directive in source code results\nin logic that doesn\u0027t operate as intended when support for HVM guests is\ncompiled out of Xen.\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "When a device is removed from a domain, it is not properly quarantined\nand retains its access to the domain to which it was previously\nassigned.\n"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-20T10:40:18.050Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-450.html"
}
],
"title": "VT-d: Failure to quarantine devices in !HVM builds",
"workarounds": [
{
"lang": "en",
"value": "There is no mitigation.\n"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2023-46840",
"datePublished": "2024-03-20T10:40:18.050Z",
"dateReserved": "2023-10-27T07:55:35.333Z",
"dateUpdated": "2025-11-04T18:18:56.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46839 (GCVE-0-2023-46839)
Vulnerability from cvelistv5 – Published: 2024-03-20 10:35 – Updated: 2025-11-04 18:18
Summary
PCI devices can make use of a functionality called phantom functions,
that when enabled allows the device to generate requests using the IDs
of functions that are otherwise unpopulated. This allows a device to
extend the number of outstanding requests.
Such phantom functions need an IOMMU context setup, but failure to
setup the context is not fatal when the device is assigned. Not
failing device assignment when such failure happens can lead to the
primary device being assigned to a guest, while some of the phantom
functions are assigned to a different domain.
Severity ?
5.3 (Medium)
Assigner
References
Credits
This issue was discovered by Roger Pau Monné of XenServer.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:18:53.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-449.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XLL6SQ6IKFYXLYWITYZCRV5IBRK5G35R/"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-449.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46839",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T14:00:00.793454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T19:17:55.653Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-449"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Systems running all version of Xen are affected.\n\nOnly x86 systems are vulnerable. Arm systems are not vulnerable.\n\nOnly systems using PCI passthrough of devices with phantom functions\nare affected.\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer.\n"
}
],
"datePublic": "2024-01-30T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "PCI devices can make use of a functionality called phantom functions,\nthat when enabled allows the device to generate requests using the IDs\nof functions that are otherwise unpopulated. This allows a device to\nextend the number of outstanding requests.\n\nSuch phantom functions need an IOMMU context setup, but failure to\nsetup the context is not fatal when the device is assigned. Not\nfailing device assignment when such failure happens can lead to the\nprimary device being assigned to a guest, while some of the phantom\nfunctions are assigned to a different domain.\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Under certain circumstances a malicious guest assigned a PCI device\nwith phantom functions may be able to access memory from a previous\nowner of the device.\n"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-20T10:35:52.532Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-449.html"
}
],
"title": "pci: phantom functions assigned to incorrect contexts",
"workarounds": [
{
"lang": "en",
"value": "There is no mitigation (other than not passing through PCI devices\nwith phantom functions to guests).\n"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2023-46839",
"datePublished": "2024-03-20T10:35:52.532Z",
"dateReserved": "2023-10-27T07:55:35.332Z",
"dateUpdated": "2025-11-04T18:18:53.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2193 (GCVE-0-2024-2193)
Vulnerability from cvelistv5 – Published: 2024-03-15 18:03 – Updated: 2025-04-30 23:03
Summary
A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.
Severity ?
5.7 (Medium)
CWE
Assigner
References
Impacted products
Credits
Thanks to Hany Ragab and Cristiano Giuffrida from the VUSec group at VU Amsterdam and Andrea Mambretti and Anil Kurmus from IBM Research Europe, Zurich for discovering and reporting this vulnerability.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-2193",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T15:31:03.336472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T16:10:13.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-30T23:03:28.475Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://kb.cert.org/vuls/id/488902"
},
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xen.org/xsa/advisory-453.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.vusec.net/projects/ghostrace/"
},
{
"tags": [
"x_transferred"
],
"url": "https://download.vusec.net/papers/ghostrace_sec24.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=944d5fe50f3f03daacfea16300e656a1691c4a23"
},
{
"tags": [
"x_transferred"
],
"url": "https://ibm.github.io/system-security-research-updates/2024/03/12/ghostrace"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7016.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/488902"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H63LGAQXPEVJOES73U4XK65I6DASOAAG/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EIUICU6CVJUIB6BPJ7P5QTPQR5VOBHFK/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/14"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-453.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CPU",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "See advisory AMD-SB-7016"
}
]
},
{
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "consult Xen advisory XSA-453"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks to Hany Ragab and Cristiano Giuffrida from the VUSec group at VU Amsterdam and Andrea Mambretti and Anil Kurmus from IBM Research Europe, Zurich for discovering and reporting this vulnerability."
}
],
"descriptions": [
{
"lang": "en",
"value": "A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:10:43.337Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/488902"
},
{
"url": "https://xenbits.xen.org/xsa/advisory-453.html"
},
{
"url": "https://www.vusec.net/projects/ghostrace/"
},
{
"url": "https://download.vusec.net/papers/ghostrace_sec24.pdf"
},
{
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=944d5fe50f3f03daacfea16300e656a1691c4a23"
},
{
"url": "https://ibm.github.io/system-security-research-updates/2024/03/12/ghostrace"
},
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7016.html"
},
{
"url": "https://www.kb.cert.org/vuls/id/488902"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H63LGAQXPEVJOES73U4XK65I6DASOAAG/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EIUICU6CVJUIB6BPJ7P5QTPQR5VOBHFK/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/12/14"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Speculative Race Condition impacts modern CPU architectures that support speculative execution, also known as GhostRace.",
"x_generator": {
"engine": "VINCE 2.1.11",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2024-2193"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-2193",
"datePublished": "2024-03-15T18:03:32.844Z",
"dateReserved": "2024-03-05T15:11:04.573Z",
"dateUpdated": "2025-04-30T23:03:28.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46837 (GCVE-0-2023-46837)
Vulnerability from cvelistv5 – Published: 2024-01-05 16:36 – Updated: 2025-11-04 18:18
Summary
Arm provides multiple helpers to clean & invalidate the cache
for a given region. This is, for instance, used when allocating
guest memory to ensure any writes (such as the ones during scrubbing)
have reached memory before handing over the page to a guest.
Unfortunately, the arithmetics in the helpers can overflow and would
then result to skip the cache cleaning/invalidation. Therefore there
is no guarantee when all the writes will reach the memory.
This undefined behavior was meant to be addressed by XSA-437, but the
approach was not sufficient.
Severity ?
CWE
- CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Assigner
References
Credits
This issue was discovered by Michal Orzel from AMD.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:18:50.284Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-447.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XLL6SQ6IKFYXLYWITYZCRV5IBRK5G35R/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFVKWYQFRUU3CAS53THTUKXEOUDWI42G/"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-447.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46837",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-01T20:11:12.746031Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T19:35:47.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-447"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Systems running all version of Xen are affected.\n\nOnly systems running Xen on Arm 32-bit are vulnerable. Xen on Arm 64-bit\nis not affected."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Michal Orzel from AMD."
}
],
"datePublic": "2023-12-12T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Arm provides multiple helpers to clean \u0026 invalidate the cache\nfor a given region. This is, for instance, used when allocating\nguest memory to ensure any writes (such as the ones during scrubbing)\nhave reached memory before handing over the page to a guest.\n\nUnfortunately, the arithmetics in the helpers can overflow and would\nthen result to skip the cache cleaning/invalidation. Therefore there\nis no guarantee when all the writes will reach the memory.\n\nThis undefined behavior was meant to be addressed by XSA-437, but the\napproach was not sufficient."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A malicious guest may be able to read sensitive data from memory that\npreviously belonged to another guest."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-15T02:05:59.441Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-447.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XLL6SQ6IKFYXLYWITYZCRV5IBRK5G35R/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFVKWYQFRUU3CAS53THTUKXEOUDWI42G/"
}
],
"title": "arm32: The cache may not be properly cleaned/invalidated (take two)",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2023-46837",
"datePublished": "2024-01-05T16:36:10.881Z",
"dateReserved": "2023-10-27T07:55:35.332Z",
"dateUpdated": "2025-11-04T18:18:50.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46836 (GCVE-0-2023-46836)
Vulnerability from cvelistv5 – Published: 2024-01-05 16:34 – Updated: 2025-11-04 19:25
Summary
The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative
Return Stack Overflow) are not IRQ-safe. It was believed that the
mitigations always operated in contexts with IRQs disabled.
However, the original XSA-254 fix for Meltdown (XPTI) deliberately left
interrupts enabled on two entry paths; one unconditionally, and one
conditionally on whether XPTI was active.
As BTC/SRSO and Meltdown affect different CPU vendors, the mitigations
are not active together by default. Therefore, there is a race
condition whereby a malicious PV guest can bypass BTC/SRSO protections
and launch a BTC/SRSO attack against Xen.
Severity ?
4.7 (Medium)
Assigner
References
Credits
This issue was discovered by Andrew Cooper of XenServer.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:25:42.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-446.html"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-446.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46836",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T20:16:12.540203Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:40:56.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-446"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All versions of Xen are vulnerable.\n\nXen is only vulnerable in default configurations on AMD and Hygon CPUs.\n\nXen is not believed to be vulnerable in default configurations on CPUs\nfrom other hardware vendors.\n\nOnly PV guests can leverage the vulnerability.\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrew Cooper of XenServer.\n"
}
],
"datePublic": "2023-11-14T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative\nReturn Stack Overflow) are not IRQ-safe. It was believed that the\nmitigations always operated in contexts with IRQs disabled.\n\nHowever, the original XSA-254 fix for Meltdown (XPTI) deliberately left\ninterrupts enabled on two entry paths; one unconditionally, and one\nconditionally on whether XPTI was active.\n\nAs BTC/SRSO and Meltdown affect different CPU vendors, the mitigations\nare not active together by default. Therefore, there is a race\ncondition whereby a malicious PV guest can bypass BTC/SRSO protections\nand launch a BTC/SRSO attack against Xen.\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker in a PV guest might be able to infer the contents of memory\nbelonging to other guests.\n"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-05T16:34:59.036Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-446.html"
}
],
"title": "x86: BTC/SRSO fixes not fully effective",
"workarounds": [
{
"lang": "en",
"value": "Running only HVM or PVH VMs will avoid the vulnerability.\n"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2023-46836",
"datePublished": "2024-01-05T16:34:59.036Z",
"dateReserved": "2023-10-27T07:55:35.332Z",
"dateUpdated": "2025-11-04T19:25:42.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46835 (GCVE-0-2023-46835)
Vulnerability from cvelistv5 – Published: 2024-01-05 16:34 – Updated: 2025-11-04 19:25
Summary
The current setup of the quarantine page tables assumes that the
quarantine domain (dom_io) has been initialized with an address width
of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.
However dom_io being a PV domain gets the AMD-Vi IOMMU page tables
levels based on the maximum (hot pluggable) RAM address, and hence on
systems with no RAM above the 512GB mark only 3 page-table levels are
configured in the IOMMU.
On systems without RAM above the 512GB boundary
amd_iommu_quarantine_init() will setup page tables for the scratch
page with 4 levels, while the IOMMU will be configured to use 3 levels
only, resulting in the last page table directory (PDE) effectively
becoming a page table entry (PTE), and hence a device in quarantine
mode gaining write access to the page destined to be a PDE.
Due to this page table level mismatch, the sink page the device gets
read/write access to is no longer cleared between device assignment,
possibly leading to data leaks.
Severity ?
5.5 (Medium)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Credits
This issue was discovered by Roger Pau Monné of XenServer.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:25:41.611Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-445.html"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-445.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-46835",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-12T04:00:28.791183Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T16:11:08.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-445"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions supporting PCI passthrough are affected.\n\nOnly x86 AMD systems with IOMMU hardware are vulnerable.\n\nOnly x86 guests which have physical devices passed through to them can\nleverage the vulnerability.\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer.\n"
}
],
"datePublic": "2023-11-14T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The current setup of the quarantine page tables assumes that the\nquarantine domain (dom_io) has been initialized with an address width\nof DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.\n\nHowever dom_io being a PV domain gets the AMD-Vi IOMMU page tables\nlevels based on the maximum (hot pluggable) RAM address, and hence on\nsystems with no RAM above the 512GB mark only 3 page-table levels are\nconfigured in the IOMMU.\n\nOn systems without RAM above the 512GB boundary\namd_iommu_quarantine_init() will setup page tables for the scratch\npage with 4 levels, while the IOMMU will be configured to use 3 levels\nonly, resulting in the last page table directory (PDE) effectively\nbecoming a page table entry (PTE), and hence a device in quarantine\nmode gaining write access to the page destined to be a PDE.\n\nDue to this page table level mismatch, the sink page the device gets\nread/write access to is no longer cleared between device assignment,\npossibly leading to data leaks.\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A device in quarantine mode can access data from previous quarantine\npage table usages, possibly leaking data used by previous domains that\nalso had the device assigned.\n"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-05T16:34:49.531Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-445.html"
}
],
"title": "x86/AMD: mismatch in IOMMU quarantine page table levels",
"workarounds": [
{
"lang": "en",
"value": "Not passing through physical devices to guests will avoid the\nvulnerability.\n\nNot using quarantine scratch-page mode will avoid the vulnerability,\nbut could result in other issues.\n"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2023-46835",
"datePublished": "2024-01-05T16:34:49.531Z",
"dateReserved": "2023-10-27T07:55:35.331Z",
"dateUpdated": "2025-11-04T19:25:41.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-34328 (GCVE-0-2023-34328)
Vulnerability from cvelistv5 – Published: 2024-01-05 16:34 – Updated: 2025-11-04 19:16
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
AMD CPUs since ~2014 have extensions to normal x86 debugging functionality.
Xen supports guests using these extensions.
Unfortunately there are errors in Xen's handling of the guest state, leading
to denials of service.
1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of
a previous vCPUs debug mask state.
2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.
This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock
up the CPU entirely.
Severity ?
5.5 (Medium)
Assigner
References
Credits
This issue was discovered by Andrew Cooper of XenServer.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:16:42.078Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-444.html"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-444.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-34328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T17:36:49.354927Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:41:06.224Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-444"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Only AMD/Hygon hardware supporting the DBEXT feature are vulnerable.\nThis is believed to be the Steamroller microarchitecture and later.\n\nFor CVE-2023-34327, Xen versions 4.5 and later are vulnerable.\n\nFor CVE-2023-34328, Xen version between 4.5 and 4.13 are vulnerable.\nThe issue is benign in Xen 4.14 and later owing to an unrelated change.\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrew Cooper of XenServer.\n"
}
],
"datePublic": "2023-10-10T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "\n[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nAMD CPUs since ~2014 have extensions to normal x86 debugging functionality.\nXen supports guests using these extensions.\n\nUnfortunately there are errors in Xen\u0027s handling of the guest state, leading\nto denials of service.\n\n 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of\n a previous vCPUs debug mask state.\n\n 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.\n This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock\n up the CPU entirely.\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "For CVE-2023-34327, any guest (PV or HVM) using Debug Masks normally for\nit\u0027s own purposes can cause incorrect behaviour in an unrelated HVM\nvCPU, most likely resulting in a guest crash.\n\nFor CVE-2023-34328, a buggy or malicious PV guest kernel can lock up the\nhost.\n"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-05T16:34:11.100Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-444.html"
}
],
"title": "x86/AMD: Debug Mask handling",
"workarounds": [
{
"lang": "en",
"value": "For CVE-2023-34327, HVM VMs which can see the DBEXT feature are not\nsusceptible to running in the wrong state. By default, VMs will see the\nDBEXT feature on capable hardware, and when not explicitly levelled for\nmigration compatibility.\n\nFor CVE-2023-34328, PV VMs which cannot see the DBEXT feature cannot\nleverage the vulnerability.\n"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2023-34328",
"datePublished": "2024-01-05T16:34:11.100Z",
"dateReserved": "2023-06-01T10:44:17.066Z",
"dateUpdated": "2025-11-04T19:16:42.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-34327 (GCVE-0-2023-34327)
Vulnerability from cvelistv5 – Published: 2024-01-05 16:34 – Updated: 2025-11-04 19:16
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
AMD CPUs since ~2014 have extensions to normal x86 debugging functionality.
Xen supports guests using these extensions.
Unfortunately there are errors in Xen's handling of the guest state, leading
to denials of service.
1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of
a previous vCPU's debug mask state.
2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.
This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock
up the CPU entirely.
Severity
5.5 (Medium)
Assigner
References
Credits
This issue was discovered by Andrew Cooper of XenServer.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:16:41.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-444.html"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-444.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-34327",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T17:36:52.379735Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:41:12.985Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-444"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Only AMD/Hygon hardware supporting the DBEXT feature are vulnerable.\nThis is believed to be the Steamroller microarchitecture and later.\n\nFor CVE-2023-34327, Xen versions 4.5 and later are vulnerable.\n\nFor CVE-2023-34328, Xen version between 4.5 and 4.13 are vulnerable.\nThe issue is benign in Xen 4.14 and later owing to an unrelated change.\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrew Cooper of XenServer.\n"
}
],
"datePublic": "2023-10-10T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "\n[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nAMD CPUs since ~2014 have extensions to normal x86 debugging functionality.\nXen supports guests using these extensions.\n\nUnfortunately there are errors in Xen\u0027s handling of the guest state, leading\nto denials of service.\n\n 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of\n a previous vCPUs debug mask state.\n\n 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.\n This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock\n up the CPU entirely.\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "For CVE-2023-34327, any guest (PV or HVM) using Debug Masks normally for\nit\u0027s own purposes can cause incorrect behaviour in an unrelated HVM\nvCPU, most likely resulting in a guest crash.\n\nFor CVE-2023-34328, a buggy or malicious PV guest kernel can lock up the\nhost.\n"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-05T16:34:10.958Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-444.html"
}
],
"title": "x86/AMD: Debug Mask handling",
"workarounds": [
{
"lang": "en",
"value": "For CVE-2023-34327, HVM VMs which can see the DBEXT feature are not\nsusceptible to running in the wrong state. By default, VMs will see the\nDBEXT feature on capable hardware, and when not explicitly levelled for\nmigration compatibility.\n\nFor CVE-2023-34328, PV VMs which cannot see the DBEXT feature cannot\nleverage the vulnerability.\n"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2023-34327",
"datePublished": "2024-01-05T16:34:10.958Z",
"dateReserved": "2023-06-01T10:44:17.066Z",
"dateUpdated": "2025-11-04T19:16:41.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-34325 (GCVE-0-2023-34325)
Vulnerability from cvelistv5 – Published: 2024-01-05 16:31 – Updated: 2025-11-04 19:16
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
libfsimage contains parsing code for several filesystems, most of them based on
grub-legacy code. libfsimage is used by pygrub to inspect guest disks.
Pygrub runs as the same user as the toolstack (root in a privileged domain).
At least one issue has been reported to the Xen Security Team that allows an
attacker to trigger a stack buffer overflow in libfsimage. After further
analysis the Xen Security Team is no longer confident in the suitability of
libfsimage when run against guest controlled input with super user privileges.
In order to not affect current deployments that rely on pygrub, patches are
provided in the resolution section of the advisory that allow running pygrub in
deprivileged mode.
CVE-2023-4949 refers to the original issue in the upstream grub
project ("An attacker with local access to a system (either through a
disk or external drive) can present a modified XFS partition to
grub-legacy in such a way to exploit a memory corruption in grub’s XFS
file system implementation.") CVE-2023-34325 refers specifically to
the vulnerabilities in Xen's copy of libfsimage, which is descended
from a very old version of grub.
Severity
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Credits
This issue was discovered by Ferdinand Nölscher of Google.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:16:38.774Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-443.html"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-443.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-34325",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-30T18:38:25.354887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T15:47:10.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-443"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions are affected.\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Ferdinand N\u00f6lscher of Google.\n"
}
],
"datePublic": "2023-10-10T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "\n[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nlibfsimage contains parsing code for several filesystems, most of them based on\ngrub-legacy code. libfsimage is used by pygrub to inspect guest disks.\n\nPygrub runs as the same user as the toolstack (root in a priviledged domain).\n\nAt least one issue has been reported to the Xen Security Team that allows an\nattacker to trigger a stack buffer overflow in libfsimage. After further\nanalisys the Xen Security Team is no longer confident in the suitability of\nlibfsimage when run against guest controlled input with super user priviledges.\n\nIn order to not affect current deployments that rely on pygrub patches are\nprovided in the resolution section of the advisory that allow running pygrub in\ndeprivileged mode.\n\nCVE-2023-4949 refers to the original issue in the upstream grub\nproject (\"An attacker with local access to a system (either through a\ndisk or external drive) can present a modified XFS partition to\ngrub-legacy in such a way to exploit a memory corruption in grub\u2019s XFS\nfile system implementation.\") CVE-2023-34325 refers specifically to\nthe vulnerabilities in Xen\u0027s copy of libfsimage, which is decended\nfrom a very old version of grub.\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A guest using pygrub can escalate its privilege to that of the domain\nconstruction tools (i.e., normally, to control of the host).\n"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-05T16:31:09.660Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-443.html"
}
],
"title": "Multiple vulnerabilities in libfsimage disk handling",
"workarounds": [
{
"lang": "en",
"value": "Ensuring that guests do not use the pygrub bootloader will avoid this\nvulnerability.\n\nFor cases where the PV guest is known to be 64bit, and uses grub2 as a\nbootloader, pvgrub is a suitable alternative pygrub.\n\nRunning only HVM guests will avoid the vulnerability.\n"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2023-34325",
"datePublished": "2024-01-05T16:31:09.660Z",
"dateReserved": "2023-06-01T10:44:17.065Z",
"dateUpdated": "2025-11-04T19:16:38.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-34326 (GCVE-0-2023-34326)
Vulnerability from cvelistv5 – Published: 2024-01-05 16:30 – Updated: 2025-11-04 19:16
Summary
The caching invalidation guidelines from the AMD-Vi specification (48882—Rev
3.07-PUB—Oct 2022) are incorrect on some hardware, as devices will malfunction
(see stale DMA mappings) if some fields of the DTE are updated but the IOMMU
TLB is not flushed.
Such stale DMA mappings can point to memory ranges not owned by the guest, thus
allowing access to unintended memory regions.
Severity
7.8 (High)
CWE
- CWE-672 - Operation on a Resource after Expiration or Release
Assigner
References
Credits
This issue was discovered by Roger Pau Monné of XenServer.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:16:39.858Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-442.html"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-442.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-34326",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-14T20:27:29.871651Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-672",
"description": "CWE-672 Operation on a Resource after Expiration or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T15:48:27.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-442"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions supporting PCI passthrough are affected.\n\nOnly x86 AMD systems with IOMMU hardware are vulnerable.\n\nOnly x86 guests which have physical devices passed through to them can\nleverage the vulnerability.\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer.\n"
}
],
"datePublic": "2023-10-10T11:26:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The caching invalidation guidelines from the AMD-Vi specification (48882\u2014Rev\n3.07-PUB\u2014Oct 2022) is incorrect on some hardware, as devices will malfunction\n(see stale DMA mappings) if some fields of the DTE are updated but the IOMMU\nTLB is not flushed.\n\nSuch stale DMA mappings can point to memory ranges not owned by the guest, thus\nallowing access to unindented memory regions.\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks.\n"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-05T16:30:57.225Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-442.html"
}
],
"title": "x86/AMD: missing IOMMU TLB flushing",
"workarounds": [
{
"lang": "en",
"value": "Not passing through physical devices to guests will avoid the vulnerability.\n"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2023-34326",
"datePublished": "2024-01-05T16:30:57.225Z",
"dateReserved": "2023-06-01T10:44:17.065Z",
"dateUpdated": "2025-11-04T19:16:39.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}