CVE-2022-42315

2022-11-0113:15:11

CWE-770

[email protected]

web.nvd.nist.gov

cve-2022-42315

denial of service

xenstore vulnerability

memory allocation

malicious guests

6.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.8%

JSON

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Affected configurations

NVD

Node

xenxenMatch-

Node

debiandebian_linuxMatch11.0

Node

fedoraprojectfedoraMatch35

fedoraprojectfedoraMatch36

fedoraprojectfedoraMatch37

CPENameOperatorVersion
xen:xenxeneq-

CPE	Name	Operator	Version
xen:xen	xen	eq	-

CNA Affected

[
  {
    "vendor": "Xen",
    "product": "xen",
    "versions": [
      {
        "version": "consult Xen advisory XSA-326",
        "status": "unknown"
      }
    ]
  }
]