6.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
28.1%
The handler for XENMEM_exchange accesses guest memory without range checking the guest provided addresses, thus allowing these accesses to include the hypervisor reserved range.
A malicious guest administrator can cause Xen to crash. If the out of address space bounds access does not lead to a crash, a carefully crafted privilege escalation cannot be excluded, even though the guest doesnβt itself control the values written.
All Xen versions are vulnerable.
The vulnerability is only exposed to PV guests.