CVE-2016-9378
Description
Xen on AMD systems without NRip mis-delivers software interrupts during emulation, allowing a local HVM guest user to crash the guest.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Xen versions 4.5.x through 4.7.x, when running on AMD systems lacking the NRip (Next-RIP Saved on #VMEXIT) feature, handle software interrupt delivery incorrectly when emulating instructions that generate software interrupts. The emulator chooses the injection method intended for exceptions, which is wrong for software interrupts and causes a guest crash. This bug (CVE-2016-9378) is exposed only on AMD hardware without NRip; Intel hardware and AMD hardware with NRip are not vulnerable [1][2].
Exploitation
An attacker must be a local user in a fully virtualized HVM guest on a vulnerable AMD system. The attacker forces the hypervisor to emulate instructions that generate software interrupts by running guest code that triggers emulation of such instructions [1]. No additional authentication or special privileges within the guest are required beyond the ability to run user-level programs.
Impact
Successful exploitation causes a crash of the HVM guest (Denial of Service). The attacker does not gain code execution or privilege escalation; the impact is limited to guest availability [1].
Mitigation
Xen has released patches (xsa196-0001 and xsa196-0002). Fixed versions include Xen 4.7.1-r4, 4.6.x, and 4.5.x with backported patches [1][2]. Users should update to the latest patched versions. No workarounds are available other than using hardware with NRip or Intel CPUs [1][2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9 affected products
- osv-coords, 8 versions (< 4.5.5_02-22.3.1 + 7 more):
  - pkg:rpm/suse/xen&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1
  - pkg:rpm/suse/xen&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2
  - pkg:rpm/suse/xen&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1
  - pkg:rpm/suse/xen&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2
  - pkg:rpm/suse/xen&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1
  - pkg:rpm/suse/xen&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2
  - pkg:rpm/suse/xen&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1
  - pkg:rpm/suse/xen&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2
- (no CPE) range: < 4.5.5_02-22.3.1
- (no CPE) range: < 4.7.1_02-25.1
- (no CPE) range: < 4.5.5_02-22.3.1
- (no CPE) range: < 4.7.1_02-25.1
- (no CPE) range: < 4.5.5_02-22.3.1
- (no CPE) range: < 4.7.1_02-25.1
- (no CPE) range: < 4.5.5_02-22.3.1
- (no CPE) range: < 4.7.1_02-25.1