CVSS2: 4.7 Medium
Attack Vector: LOCAL
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C
EPSS: 0.002 Low
EPSS Percentile: 55.1%
The function get_page_from_gfn does not validate its input GFN. An invalid GFN passed to a hypercall which uses this function will cause the hypervisor to read off the end of the frame table and potentially crash.
A malicious guest administrator of a PV guest can cause Xen to crash. If the out-of-bounds access does not lead to a crash, a carefully crafted privilege escalation cannot be excluded, even though the guest doesn’t itself control the values written.
Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are not vulnerable.
The vulnerability is exposed only to PV guests.
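The missing check described above, shown as an added simplified model that is not Xen source code: an unchecked frame table lookup beside a form that validates the GFN first. The table size, the `refs` field, `refs_unchecked`, `get_page_checked` and `do_example_op` are hypothetical names, and the model assumes the guest-supplied GFN is used directly as the frame table index.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not Xen source: one page_info per machine frame. */
#define MAX_PAGE 8UL                    /* hypothetical frame count */
struct page_info { unsigned long refs; };
struct page_info frame_table[MAX_PAGE];

/* Unchecked form: the guest-supplied GFN indexes the table directly, so a
 * value >= MAX_PAGE reads past the end of frame_table. */
unsigned long refs_unchecked(unsigned long gfn)
{
    return frame_table[gfn].refs;
}

/* Checked form: validate the GFN before any frame table access, and take
 * a reference only when the frame exists. */
struct page_info *get_page_checked(unsigned long gfn)
{
    if (gfn >= MAX_PAGE)
        return NULL;
    frame_table[gfn].refs++;
    return &frame_table[gfn];
}

/* Hypothetical hypercall handler: a bad GFN becomes an error returned to
 * the guest instead of a faulting access inside the hypervisor. */
long do_example_op(unsigned long gfn)
{
    struct page_info *pg = get_page_checked(gfn);

    if (pg == NULL)
        return -EINVAL;
    pg->refs--;                         /* drop the reference again */
    return 0;
}

int main(void)
{
    /* Constructed inputs: one valid GFN, one just past the table, one huge. */
    unsigned long samples[] = { 3, MAX_PAGE, ~0UL };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("gfn %#lx -> %ld\n", samples[i], do_example_op(samples[i]));
    return 0;
}
```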