7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
8.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
14.2%
Use of Process Context Identifiers (PCID) was introduced into Xen in order to improve performance after XSA-254 (and in particular its Meltdown sub-issue). This enablement implied changes to the TLB flushing logic. The particular case of context switch to a vCPU of a PCID-enabled guest left open a time window between the full TLB flush, and the actual address space switch, during which additional TLB entries (from the address space about to be switched away from) can be accumulated, which will not subsequently be purged.
Malicious PV guests may be able to cause a host crash (Denial of Service) or to gain access to data pertaining to other guests. Privilege escalation opportunities cannot be ruled out.
Additionally, vulnerable configurations are likely to be unstable even in the absence of an attack.
Only x86 systems are vulnerable. ARM systems are not vulnerable.
Only systems running x86 PV guests are vulnerable. Systems running only x86 HVM or PVH guests are not vulnerable.
Only systems with at least one PCID-enabled PV guest are vulnerable.
Systems where PCID or INVPCID are unavailable or entirely disabled are not vulnerable.
Note that PCID is enabled by default for both 64-bit dom0 and 64-bit domU when hardware supports it. PCID acceleration has been backported to the following versions: - Xen 4.11.x, - Xen 4.10.2 and onwards, - Xen 4.9.3 and onwards, - Xen 4.8.4 and onwards, - Xen 4.7.6.
To exploit this vulnerability, problematic TLB entries must be created between the full TLB flush and the address space switch. The NMI watchdog handler (enabled via the “watchdog” command line option) is known to create such entries; other vectors cannot be ruled out.
7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
8.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
14.2%