CVE-2023-46835 (GCVE-0-2023-46835)

Vulnerability from cvelistv5 – Published: 2024-01-05 16:34 – Updated: 2025-11-04 19:25
VLAI
Title
x86/AMD: mismatch in IOMMU quarantine page table levels
Summary
The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks.
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
XEN
References
Impacted products
Vendor Product Version
Xen Xen Unknown: consult Xen advisory XSA-445
Create a notification for this product.
Date Public
2023-11-14 12:00
Credits
This issue was discovered by Roger Pau Monné of XenServer.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T19:25:41.611Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://xenbits.xenproject.org/xsa/advisory-445.html"
          },
          {
            "url": "http://xenbits.xen.org/xsa/advisory-445.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-46835",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-12T04:00:28.791183Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T16:11:08.422Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-445"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "All Xen versions supporting PCI passthrough are affected.\n\nOnly x86 AMD systems with IOMMU hardware are vulnerable.\n\nOnly x86 guests which have physical devices passed through to them can\nleverage the vulnerability.\n"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer.\n"
        }
      ],
      "datePublic": "2023-11-14T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The current setup of the quarantine page tables assumes that the\nquarantine domain (dom_io) has been initialized with an address width\nof DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.\n\nHowever dom_io being a PV domain gets the AMD-Vi IOMMU page tables\nlevels based on the maximum (hot pluggable) RAM address, and hence on\nsystems with no RAM above the 512GB mark only 3 page-table levels are\nconfigured in the IOMMU.\n\nOn systems without RAM above the 512GB boundary\namd_iommu_quarantine_init() will setup page tables for the scratch\npage with 4 levels, while the IOMMU will be configured to use 3 levels\nonly, resulting in the last page table directory (PDE) effectively\nbecoming a page table entry (PTE), and hence a device in quarantine\nmode gaining write access to the page destined to be a PDE.\n\nDue to this page table level mismatch, the sink page the device gets\nread/write access to is no longer cleared between device assignment,\npossibly leading to data leaks.\n"
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "A device in quarantine mode can access data from previous quarantine\npage table usages, possibly leaking data used by previous domains that\nalso had the device assigned.\n"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-05T16:34:49.531Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-445.html"
        }
      ],
      "title": "x86/AMD: mismatch in IOMMU quarantine page table levels",
      "workarounds": [
        {
          "lang": "en",
          "value": "Not passing through physical devices to guests will avoid the\nvulnerability.\n\nNot using quarantine scratch-page mode will avoid the vulnerability,\nbut could result in other issues.\n"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2023-46835",
    "datePublished": "2024-01-05T16:34:49.531Z",
    "dateReserved": "2023-10-27T07:55:35.331Z",
    "dateUpdated": "2025-11-04T19:25:41.611Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-46835",
      "date": "2026-06-04",
      "epss": "0.00087",
      "percentile": "0.24969"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C2B9CCC2-BAC5-4A65-B8D4-4B71EBBA0C2F\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The current setup of the quarantine page tables assumes that the\\nquarantine domain (dom_io) has been initialized with an address width\\nof DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.\\n\\nHowever dom_io being a PV domain gets the AMD-Vi IOMMU page tables\\nlevels based on the maximum (hot pluggable) RAM address, and hence on\\nsystems with no RAM above the 512GB mark only 3 page-table levels are\\nconfigured in the IOMMU.\\n\\nOn systems without RAM above the 512GB boundary\\namd_iommu_quarantine_init() will setup page tables for the scratch\\npage with 4 levels, while the IOMMU will be configured to use 3 levels\\nonly, resulting in the last page table directory (PDE) effectively\\nbecoming a page table entry (PTE), and hence a device in quarantine\\nmode gaining write access to the page destined to be a PDE.\\n\\nDue to this page table level mismatch, the sink page the device gets\\nread/write access to is no longer cleared between device assignment,\\npossibly leading to data leaks.\\n\"}, {\"lang\": \"es\", \"value\": \"La configuraci\\u00f3n actual de las tablas de p\\u00e1ginas de cuarentena supone que el dominio de cuarentena (dom_io) se ha inicializado con un ancho de direcci\\u00f3n de DEFAULT_DOMAIN_ADDRESS_WIDTH (48) y, por lo tanto, 4 niveles de tabla de p\\u00e1ginas. Sin embargo, al ser dom_io un dominio PV, los niveles de tablas de p\\u00e1ginas IOMMU AMD-Vi se basan en la direcci\\u00f3n RAM m\\u00e1xima (conectable en caliente) y, por lo tanto, en sistemas sin RAM por encima de la marca de 512 GB, solo se configuran 3 niveles de tablas de p\\u00e1ginas en IOMMU. En sistemas sin RAM por encima del l\\u00edmite de 512 GB, amd_iommu_quarantine_init() configurar\\u00e1 tablas de p\\u00e1ginas para la p\\u00e1gina temporal con 4 niveles, mientras que IOMMU se configurar\\u00e1 para usar solo 3 niveles, lo que dar\\u00e1 como resultado que el \\u00faltimo directorio de la tabla de p\\u00e1ginas (PDE) se convierta efectivamente en una entrada de la tabla de p\\u00e1ginas (PTE) y, por lo tanto, un dispositivo en modo de cuarentena obtiene acceso de escritura a la p\\u00e1gina destinada a ser una PDE. Debido a esta discrepancia en el nivel de la tabla de p\\u00e1ginas, la p\\u00e1gina receptora a la que el dispositivo tiene acceso de lectura/escritura ya no se borra entre las asignaciones de dispositivos, lo que posiblemente provoque fugas de datos.\"}]",
      "id": "CVE-2023-46835",
      "lastModified": "2024-11-21T08:29:23.593",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2024-01-05T17:15:11.147",
      "references": "[{\"url\": \"https://xenbits.xenproject.org/xsa/advisory-445.html\", \"source\": \"security@xen.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://xenbits.xenproject.org/xsa/advisory-445.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@xen.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-46835\",\"sourceIdentifier\":\"security@xen.org\",\"published\":\"2024-01-05T17:15:11.147\",\"lastModified\":\"2025-11-04T20:17:10.383\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The current setup of the quarantine page tables assumes that the\\nquarantine domain (dom_io) has been initialized with an address width\\nof DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.\\n\\nHowever dom_io being a PV domain gets the AMD-Vi IOMMU page tables\\nlevels based on the maximum (hot pluggable) RAM address, and hence on\\nsystems with no RAM above the 512GB mark only 3 page-table levels are\\nconfigured in the IOMMU.\\n\\nOn systems without RAM above the 512GB boundary\\namd_iommu_quarantine_init() will setup page tables for the scratch\\npage with 4 levels, while the IOMMU will be configured to use 3 levels\\nonly, resulting in the last page table directory (PDE) effectively\\nbecoming a page table entry (PTE), and hence a device in quarantine\\nmode gaining write access to the page destined to be a PDE.\\n\\nDue to this page table level mismatch, the sink page the device gets\\nread/write access to is no longer cleared between device assignment,\\npossibly leading to data leaks.\\n\"},{\"lang\":\"es\",\"value\":\"La configuraci\u00f3n actual de las tablas de p\u00e1ginas de cuarentena supone que el dominio de cuarentena (dom_io) se ha inicializado con un ancho de direcci\u00f3n de DEFAULT_DOMAIN_ADDRESS_WIDTH (48) y, por lo tanto, 4 niveles de tabla de p\u00e1ginas. Sin embargo, al ser dom_io un dominio PV, los niveles de tablas de p\u00e1ginas IOMMU AMD-Vi se basan en la direcci\u00f3n RAM m\u00e1xima (conectable en caliente) y, por lo tanto, en sistemas sin RAM por encima de la marca de 512 GB, solo se configuran 3 niveles de tablas de p\u00e1ginas en IOMMU. En sistemas sin RAM por encima del l\u00edmite de 512 GB, amd_iommu_quarantine_init() configurar\u00e1 tablas de p\u00e1ginas para la p\u00e1gina temporal con 4 niveles, mientras que IOMMU se configurar\u00e1 para usar solo 3 niveles, lo que dar\u00e1 como resultado que el \u00faltimo directorio de la tabla de p\u00e1ginas (PDE) se convierta efectivamente en una entrada de la tabla de p\u00e1ginas (PTE) y, por lo tanto, un dispositivo en modo de cuarentena obtiene acceso de escritura a la p\u00e1gina destinada a ser una PDE. Debido a esta discrepancia en el nivel de la tabla de p\u00e1ginas, la p\u00e1gina receptora a la que el dispositivo tiene acceso de lectura/escritura ya no se borra entre las asignaciones de dispositivos, lo que posiblemente provoque fugas de datos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2B9CCC2-BAC5-4A65-B8D4-4B71EBBA0C2F\"}]}]}],\"references\":[{\"url\":\"https://xenbits.xenproject.org/xsa/advisory-445.html\",\"source\":\"security@xen.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://xenbits.xen.org/xsa/advisory-445.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://xenbits.xenproject.org/xsa/advisory-445.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://xenbits.xenproject.org/xsa/advisory-445.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://xenbits.xen.org/xsa/advisory-445.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-04T19:25:41.611Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-46835\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-12T04:00:28.791183Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787 Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-04T19:39:54.875Z\"}}], \"cna\": {\"title\": \"x86/AMD: mismatch in IOMMU quarantine page table levels\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"This issue was discovered by Roger Pau Monn\\u00e9 of XenServer.\\n\"}], \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"A device in quarantine mode can access data from previous quarantine\\npage table usages, possibly leaking data used by previous domains that\\nalso had the device assigned.\\n\"}]}], \"affected\": [{\"vendor\": \"Xen\", \"product\": \"Xen\", \"versions\": [{\"status\": \"unknown\", \"version\": \"consult Xen advisory XSA-445\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2023-11-14T12:00:00.000Z\", \"references\": [{\"url\": \"https://xenbits.xenproject.org/xsa/advisory-445.html\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Not passing through physical devices to guests will avoid the\\nvulnerability.\\n\\nNot using quarantine scratch-page mode will avoid the vulnerability,\\nbut could result in other issues.\\n\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The current setup of the quarantine page tables assumes that the\\nquarantine domain (dom_io) has been initialized with an address width\\nof DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.\\n\\nHowever dom_io being a PV domain gets the AMD-Vi IOMMU page tables\\nlevels based on the maximum (hot pluggable) RAM address, and hence on\\nsystems with no RAM above the 512GB mark only 3 page-table levels are\\nconfigured in the IOMMU.\\n\\nOn systems without RAM above the 512GB boundary\\namd_iommu_quarantine_init() will setup page tables for the scratch\\npage with 4 levels, while the IOMMU will be configured to use 3 levels\\nonly, resulting in the last page table directory (PDE) effectively\\nbecoming a page table entry (PTE), and hence a device in quarantine\\nmode gaining write access to the page destined to be a PDE.\\n\\nDue to this page table level mismatch, the sink page the device gets\\nread/write access to is no longer cleared between device assignment,\\npossibly leading to data leaks.\\n\"}], \"configurations\": [{\"lang\": \"en\", \"value\": \"All Xen versions supporting PCI passthrough are affected.\\n\\nOnly x86 AMD systems with IOMMU hardware are vulnerable.\\n\\nOnly x86 guests which have physical devices passed through to them can\\nleverage the vulnerability.\\n\"}], \"providerMetadata\": {\"orgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"shortName\": \"XEN\", \"dateUpdated\": \"2024-01-05T16:34:49.531Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-46835\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-04T19:25:41.611Z\", \"dateReserved\": \"2023-10-27T07:55:35.331Z\", \"assignerOrgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"datePublished\": \"2024-01-05T16:34:49.531Z\", \"assignerShortName\": \"XEN\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.