Xen Security Vulnerabilities

CVE-2022-42321

Xenstore: Guests can crash xenstored via exhausting the stack

Xenstored is using recursion for some Xenstore operations (e.g. for deleting a sub-tree of Xenstore nodes). With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored.

CVSS 6.5 | AI Score 7.1 | EPSS 0.0004 | 2022-11-01 01:15 PM

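The nesting-depth recursion this entry describes, shown as an added C example that is not xenstored's code: a toy node tree is deleted once recursively (one stack frame per nesting level, so a guest that creates deep enough nesting chooses the daemon's stack usage) and once with an explicit work list (stack usage independent of depth), and a path-depth quota of the kind a daemon could enforce at node creation is included. The node layout, `build_chain`, `build_fanout`, `path_depth` and the `MAX_NODE_DEPTH` value are assumptions made for the example, not Xen's data structures or quotas.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy node tree (layout assumed for the example, not xenstored's). */
struct node {
    struct node *child;    /* first child, or NULL */
    struct node *sibling;  /* next child of the same parent, or NULL */
};

static struct node *node_new(void)
{
    struct node *n = calloc(1, sizeof(*n));
    if (!n) abort();
    return n;
}

/* Recursive subtree delete, the pattern the advisory describes: one stack
 * frame per nesting level, so guest-created depth decides daemon stack use. */
static size_t delete_subtree_recursive(struct node *n)
{
    size_t freed = 0;
    while (n) {
        struct node *next = n->sibling;
        freed += delete_subtree_recursive(n->child);
        free(n);
        freed++;
        n = next;
    }
    return freed;
}

/* Iterative subtree delete: pending nodes are threaded through their own
 * sibling links as a work list, so stack use does not grow with depth.
 * The root passed in must not itself have siblings. */
static size_t delete_subtree_iterative(struct node *root)
{
    size_t freed = 0;
    struct node *work = root;
    while (work) {
        struct node *n = work;
        work = n->sibling;
        if (n->child) {
            /* Splice n's children in front of the remaining work. */
            struct node *last = n->child;
            while (last->sibling)
                last = last->sibling;
            last->sibling = work;
            work = n->child;
        }
        free(n);
        freed++;
    }
    return freed;
}

/* Number of components in a Xenstore-style path: "/local/domain/1" is 3. */
static size_t path_depth(const char *path)
{
    size_t depth = 0;
    bool in_component = false;
    for (; *path; path++) {
        bool sep = (*path == '/');
        if (!sep && !in_component) depth++;
        in_component = !sep;
    }
    return depth;
}

/* Depth quota a daemon could enforce before creating a node (assumed policy
 * and assumed limit for the example). */
#define MAX_NODE_DEPTH 64
static bool path_depth_ok(const char *path)
{
    return path_depth(path) <= MAX_NODE_DEPTH;
}

/* Constructed test data: one chain with `depth` levels below the root
 * (depth + 1 nodes), built without recursion so it can be made very deep. */
static struct node *build_chain(size_t depth)
{
    struct node *root = node_new(), *cur = root;
    while (depth--) {
        cur->child = node_new();
        cur = cur->child;
    }
    return root;
}

/* Constructed test data: every node down to `depth` levels has `width` children. */
static struct node *build_fanout(size_t width, size_t depth)
{
    struct node *n = node_new();
    for (size_t i = 0; depth && i < width; i++) {
        struct node *c = build_fanout(width, depth - 1);
        c->sibling = n->child;
        n->child = c;
    }
    return n;
}

int main(void)
{
    /* 500000 nesting levels: one frame iteratively, 500000 frames recursively. */
    printf("iterative freed %zu nodes\n", delete_subtree_iterative(build_chain(500000)));
    printf("recursive freed %zu nodes\n", delete_subtree_recursive(build_fanout(3, 4)));
    printf("quota ok for /local/domain/1/data: %d\n", path_depth_ok("/local/domain/1/data"));
    return 0;
}
```

Handing the 500000-level chain that `main` gives the iterative version to `delete_subtree_recursive` instead is likely to exhaust a default-size thread stack, which is the failure mode the entry describes; the quota check is the cheaper defence because it bounds the nesting before the tree exists.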
CVE-2022-42322

Xenstore: Cooperating guests can create arbitrary numbers of nodes

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Do...

CVSS 5.5 | AI Score 6.5 | EPSS 0.0005 | 2022-11-01 01:15 PM

CVE-2022-42323

Xenstore: Cooperating guests can create arbitrary numbers of nodes

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Do...

CVSS 5.5 | AI Score 6.5 | EPSS 0.0005 | 2022-11-01 01:15 PM

CVE-2022-42324

Oxenstored 32->31 bit integer truncation issues

Integers in Ocaml are 63 or 31 bits of signed precision. The Ocaml Xenbus library takes a C uint32_t out of the ring and casts it directly to an Ocaml integer. In 64-bit Ocaml builds this is fine, but in 32-bit builds, it truncates off the most sig...

CVSS 5.5 | AI Score 6.6 | EPSS 0.0004 | 2022-11-01 01:15 PM

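The narrowing this entry describes, as an added C example that is not the Ocaml Xenbus library's code: `ocaml31_of_uint32` models the documented behaviour of OCaml's `Int32.to_int` on a 32-bit platform, where the value is taken modulo 2^31 and bit 30 becomes the sign bit, and the three `payload_len_ok_*` checks show the same guest-supplied header length passing a bound on a 32-bit build, failing it on a 64-bit build, and being rejected outright when the raw unsigned wire value is checked before any narrowing. `XENSTORE_PAYLOAD_MAX` is the Xenstore wire protocol's payload limit; the sample values and the check functions are constructed for the example, and which header field the real library mishandles is not assumed beyond what the entry states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Largest Xenstore message payload the wire protocol allows; used here as the
 * sanity bound a daemon applies to the length field of an incoming header. */
#define XENSTORE_PAYLOAD_MAX 4096u

/* Model of OCaml's Int32.to_int on a 32-bit build: the value is taken modulo
 * 2^31 (bit 31 is dropped) and the remaining 31 bits are read as a signed
 * integer whose sign bit is bit 30. Sign-extended into a C int32_t so the
 * result can be compared and printed. Example code, not the Xenbus library. */
static int32_t ocaml31_of_uint32(uint32_t v)
{
    uint32_t low31 = v & 0x7fffffffu;
    if (low31 & 0x40000000u)
        return (int32_t)(low31 | 0x80000000u);
    return (int32_t)low31;
}

/* Same conversion on a 64-bit build: a 63-bit OCaml int holds every uint32_t. */
static int64_t ocaml63_of_uint32(uint32_t v)
{
    return (int64_t)v;
}

/* Bound check performed after the narrowing conversion, i.e. what a 32-bit
 * build effectively checks: high bits the guest set are already gone. */
static bool payload_len_ok_32bit(uint32_t wire_len)
{
    int32_t n = ocaml31_of_uint32(wire_len);
    return n >= 0 && (uint32_t)n <= XENSTORE_PAYLOAD_MAX;
}

/* The same check on a 64-bit build, where no bits were lost. */
static bool payload_len_ok_64bit(uint32_t wire_len)
{
    int64_t n = ocaml63_of_uint32(wire_len);
    return n >= 0 && n <= (int64_t)XENSTORE_PAYLOAD_MAX;
}

/* The robust form: validate the raw unsigned wire value before it is ever
 * narrowed, so the verdict does not depend on the host's integer width. */
static bool payload_len_ok_raw(uint32_t wire_len)
{
    return wire_len <= XENSTORE_PAYLOAD_MAX;
}

int main(void)
{
    /* Constructed header length values a guest could place in the ring. */
    const uint32_t samples[] = { 16u, 0x80000010u, 0x7fffffffu, 0x40000000u, 0xffffffffu };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t len = samples[i];
        printf("wire 0x%08x: 31-bit %11d  63-bit %11lld  ok32=%d ok64=%d okraw=%d\n",
               len, ocaml31_of_uint32(len), (long long)ocaml63_of_uint32(len),
               payload_len_ok_32bit(len), payload_len_ok_64bit(len),
               payload_len_ok_raw(len));
    }
    return 0;
}
```

The value 0x80000010 is the instructive row: the 32-bit conversion turns it into 16 and the post-conversion bound accepts it, while the 64-bit build and the raw check both reject it. 0x7fffffff shows the other half of the problem, a positive wire value that becomes -1 after narrowing.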
CVE-2022-42325

Xenstore: Guests can create arbitrary number of nodes via transactions

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, t...

CVSS 5.5 | AI Score 6.8 | EPSS 0.0005 | 2022-11-01 01:15 PM

CVE-2022-42326

Xenstore: Guests can create arbitrary number of nodes via transactions

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, t...

CVSS 5.5 | AI Score 6.8 | EPSS 0.0005 | 2022-11-01 01:15 PM

CVE-2022-42327

x86: unintended memory sharing between guests

On Intel systems that support the "virtualize APIC accesses" feature, a guest can read and write the global shared xAPIC page by moving the local APIC out of xAPIC mode. Access to this shared page bypasses the expected isolation that should exist betwee...

CVSS 7.1 | AI Score 7.3 | EPSS 0.0005 | 2022-11-01 01:15 PM

CVE-2022-42330

Guests can cause Xenstore crash via soft reset

When a guest issues a "Soft Reset" (e.g. for performing a kexec) the libxl based Xen toolstack will normally perform a XS_RELEASE Xenstore operation. Due to a bug in xenstored this can result in a crash of xenstored. Any other use of XS_RELEASE will ha...

CVSS 7.5 | AI Score 7.4 | EPSS 0.001 | 2023-01-26 09:16 PM

CVE-2022-42331

x86: speculative vulnerability in 32bit SYSCALL path

Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entry path performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variet...

CVSS 5.5 | AI Score 6.5 | EPSS 0.0005 | 2023-03-21 01:15 PM

CVE-2022-42332

x86 shadow plus log-dirty mode use-after-free

In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tables as well as auxi...

CVSS 7.8 | AI Score 7.9 | EPSS 0.0004 | 2023-03-21 01:15 PM

CVE-2022-42333

x86/HVM pinned cache attributes mis-handling

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults ...

CVSS 8.6 | AI Score 7 | EPSS 0.002 | 2023-03-21 01:15 PM

CVE-2022-42334

x86/HVM pinned cache attributes mis-handling

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults ...

CVSS 6.5 | AI Score 7 | EPSS 0.002 | 2023-03-21 01:15 PM

CVE-2022-42335

x86 shadow paging arbitrary pointer dereference

In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Due to too lax a check in one of the hypervisor routines used for shadow page handlin...

CVSS 7.8 | AI Score 7.3 | EPSS 0.0004 | 2023-04-25 01:15 PM

CVE-2022-42336

Mishandling of guest SSBD selection on AMD hardware

The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of how many threads requ...

CVSS 3.3 | AI Score 4.2 | EPSS 0.0004 | 2023-05-17 01:15 AM

CVE-2022-4949

The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload' function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers with Contributor+ level privileges to upload arbitrary files on the...

CVSS 8.8 | AI Score 8.8 | EPSS 0.003 | 2023-06-07 02:15 AM

CVE-2023-20588

A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.

CVSS 5.5 | AI Score 6.7 | EPSS 0.001 | 2023-08-08 06:15 PM

CVE-2023-20593

An issue in "Zen 2" CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.

CVSS 5.5 | AI Score 6.9 | EPSS 0.001 | 2023-07-24 08:15 PM

CVE-2023-34319

The fix for XSA-423 added logic to Linux's netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split into as many pieces as p...

CVSS 7.8 | AI Score 7.8 | EPSS 0.0004 | 2023-09-22 02:15 PM

CVE-2023-34320

Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Register (PAR_EL1) in close ...

CVSS 5.5 | AI Score 5.4 | EPSS 0.001 | 2023-12-08 09:15 PM

CVE-2023-34321

Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetic in the helpers...

CVSS 3.3 | AI Score 5.4 | EPSS 0.0004 | 2024-01-05 05:15 PM

CVE-2023-34322

For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. Since Xen itself needs to be mapped when PV guests run, Xen and shadowed PV guests run directly on the respective shadow page tables. For 64-bit PV guests this means running on the sh...

CVSS 7.8 | AI Score 7.3 | EPSS 0.0004 | 2024-01-05 05:15 PM

CVE-2023-34323

When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that th...

CVSS 5.5 | AI Score 6.1 | EPSS 0.0004 | 2024-01-05 05:15 PM

CVE-2023-34324

Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of ...

CVSS 4.9 | AI Score 5.9 | EPSS 0.001 | 2024-01-05 05:15 PM

CVE-2023-34325

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the sa...

CVSS 7.8 | AI Score 7.5 | EPSS 0.0004 | 2024-01-05 05:15 PM

CVE-2023-34326

The caching invalidation guidelines from the AMD-Vi specification (48882—Rev3.07-PUB—Oct 2022) are incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges...

CVSS 7.8 | AI Score 7.5 | EPSS 0.0004 | 2024-01-05 05:15 PM

CVE-2023-34327

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of ...

CVSS 5.5 | AI Score 5.9 | EPSS 0.001 | 2024-01-05 05:15 PM

CVE-2023-34328

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of ...

CVSS 5.5 | AI Score 5.9 | EPSS 0.001 | 2024-01-05 05:15 PM

CVE-2023-46835

The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page table levels based on the maximum (hot...

CVSS 5.5 | AI Score 5.4 | EPSS 0.0004 | 2024-01-05 05:15 PM

CVE-2023-46836

The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry p...

CVSS 4.7 | AI Score 5.1 | EPSS 0.0004 | 2024-01-05 05:15 PM

CVE-2023-46837

Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetic in the helpers...

CVSS 3.3 | AI Score 3.9 | EPSS 0.0004 | 2024-01-05 05:15 PM

CVE-2023-4949

An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub's XFS file system implementation.

CVSS 8.1 | AI Score 6.7 | EPSS 0.0004 | 2023-11-10 05:15 PM

Total number of security vulnerabilities: 481