CVE-2014-8594
Description
Insufficient check in Xen's MMU update hypercall allows a privileged PV domain to crash or escalate privileges on systems with HAP HVM guests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x fails to restrict certain MMU update operations to only PV page tables. This allows a PV domain to perform operations on HVM guests using Hardware Assisted Paging (HAP) that access function pointers that remain NULL when HAP is in use, leading to a NULL pointer dereference. Systems running Xen 4.0 and later are affected [1].
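The missing restriction described above, sketched as a small C model of a per-domain paging callback table with a guard in front of the dispatch. This is an added example, not Xen source and not the XSA-109 patch; every type and function name in it is hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model: every type and function name below is invented. */
enum paging_kind { PAGING_PV, PAGING_HAP };

struct paging_ops {
    /* PV-only callback; the HAP table leaves it NULL. */
    int (*write_pv_entry)(unsigned long *slot, unsigned long val);
};

struct domain {
    enum paging_kind kind;
    const struct paging_ops *ops;
    unsigned long table[4];   /* stand-in for a page table */
};

static int pv_write(unsigned long *slot, unsigned long val) { *slot = val; return 0; }

static const struct paging_ops pv_ops  = { .write_pv_entry = pv_write };
static const struct paging_ops hap_ops = { .write_pv_entry = NULL };

struct domain make_domain(enum paging_kind kind)
{
    struct domain d = { .kind = kind, .ops = kind == PAGING_PV ? &pv_ops : &hap_ops };
    return d;
}

/* Guarded dispatch: refuse any owner whose page tables are not PV before
 * touching the ops table, so the NULL slot is never reached. Without the
 * first check, a HAP owner would fall through to a call via a NULL pointer. */
int mmu_update_checked(struct domain *owner, size_t idx, unsigned long val)
{
    if (owner->kind != PAGING_PV)
        return -EINVAL;
    if (idx >= sizeof(owner->table) / sizeof(owner->table[0]))
        return -EINVAL;
    return owner->ops->write_pv_entry(&owner->table[idx], val);
}

int main(void)
{
    struct domain pv = make_domain(PAGING_PV), hap = make_domain(PAGING_HAP);
    printf("pv=%d hap=%d\n", mmu_update_checked(&pv, 1, 0x1000UL),
           mmu_update_checked(&hap, 1, 0x1000UL));
    return 0;
}
```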
Exploitation
An attacker needs control of a PV domain that has privilege over other HVM or PVH guests; typically this means a device-model emulator (qemu-dm) for those guests. The PV domain launches MMU update hypercalls targeting the HAP-based guest, causing Xen to dereference a NULL pointer. The vulnerability is only exposed to PV service domains for HVM or PVH guests [1].
Impact
Successful exploitation results in a denial of service (hypervisor crash). However, because a PV guest can map memory at address 0, the NULL pointer dereference can be leveraged beyond a crash to achieve privilege escalation within the hypervisor, affecting the entire host system [1].
Mitigation
Patches were released as part of XSA-109 for Xen 4.2 and 4.4 series (xsa109.patch, xsa109-4.2.patch). Gentoo recommends upgrading to Xen 4.4.2-r1 or Xen 4.2.5-r8 [2]. Users of disaggregated systems should ensure restricted service domain images are properly configured [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (22)
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.1.6.1:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.3.1:*:*:*:*:*:*:*
- (no CPE) range: 4.x through 4.4.x
References (8)
- xenbits.xen.org/xsa/advisory-109.html (nvd: Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00005.html (nvd: Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00010.html (nvd: Third Party Advisory)
- www.debian.org/security/2015/dsa-3140 (nvd: Third Party Advisory)
- secunia.com/advisories/62672 (nvd: Permissions Required)
- www.securityfocus.com/bid/71149 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/98767 (nvd)
- security.gentoo.org/glsa/201504-04 (nvd)