CVSS2: 4.7 Medium (AV:L/AC:M/Au:N/C:N/I:N/A:C)
Attack Vector: LOCAL
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
EPSS: 0.001 Low
Percentile: 31.0%

Several HVM control operations do not check the size of their inputs and can tie up a physical CPU for extended periods of time.
In addition, dirty video RAM tracking involves clearing the bitmap provided by the domain controlling the guest (e.g. dom0 or a stubdom). If that bitmap is overly large, an intermediate variable on the hypervisor stack may overflow the stack.
A malicious guest administrator can cause Xen to become unresponsive or to crash, leading in either case to a Denial of Service.
All Xen versions from 3.4 onwards are vulnerable.
However, Xen 4.2 and unstable are not vulnerable to the stack overflow. Systems running either of these are not vulnerable to the crash.
Versions 3.4, 4.0 and 4.1 are vulnerable to both the stack overflow and the physical CPU hang.
The vulnerability is only exposed to HVM guests.
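
The two defenses the description points to are a size check on the request before any work is done, and bounded work per call using a fixed-size stack buffer. The following added example sketches both; it is not Xen code, and `clear_dirty_bitmap`, `copy_to_caller`, and the three limits are hypothetical names and values chosen for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical limits chosen for this example; not values from Xen. */
#define MAX_PAGES   (1u << 20)  /* largest request accepted */
#define CHUNK_BYTES 128u        /* fixed scratch size, independent of input */
#define BUDGET      4u          /* chunks handled before yielding the CPU */

/* Stand-in for a copy into the controlling domain's memory. */
static int copy_to_caller(uint8_t *dst, const uint8_t *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/*
 * Clear the caller's dirty bitmap for nr_pages pages, resuming at *offset.
 * Returns 0 when finished, -EAGAIN when the caller should re-issue the
 * operation (the continuation point is in *offset), -EINVAL on bad input.
 */
int clear_dirty_bitmap(uint8_t *bitmap, uint64_t nr_pages, size_t *offset)
{
    uint8_t zero[CHUNK_BYTES] = {0};   /* stack use does not depend on nr_pages */
    size_t total;
    unsigned int chunks = 0;

    /* Reject oversized requests before any size arithmetic or looping. */
    if (bitmap == NULL || offset == NULL || nr_pages == 0 || nr_pages > MAX_PAGES)
        return -EINVAL;

    total = (size_t)((nr_pages + 7) / 8);  /* one bit per page */
    if (*offset > total)
        return -EINVAL;

    while (*offset < total) {
        size_t n = total - *offset;

        if (chunks++ == BUDGET)
            return -EAGAIN;            /* bounded work per invocation */
        if (n > CHUNK_BYTES)
            n = CHUNK_BYTES;
        if (copy_to_caller(bitmap + *offset, zero, n) != 0)
            return -EINVAL;
        *offset += n;
    }
    return 0;
}
```

The upper bound addresses the stack overflow path, and the per-call budget with a resumable offset addresses the long-running loop that ties up a physical CPU.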