VYPR
High severity · 8.8 · NVD Advisory · Published Aug 24, 2017 · Updated May 13, 2026

CVE-2017-12135


Description

Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Xen transitive grant handling bugs in `GNTTABOP_copy` allow guest-controlled stack exhaustion and resource leak, leading to host crash and potential privilege escalation.

Vulnerability

The vulnerability involves multiple issues in Xen's handling of transitive grants within the GNTTABOP_copy hypercall. First, the code uses a recursive retry mechanism for copy operations on transitive grants, relying on the compiler to produce a tail call. In practice compilers often do not, leading to possibly unbounded stack recursion [1]. Second, the reference counting and locking discipline for transitive grants is broken, allowing concurrent use to leak references on the transitively-referenced grant [2]. These issues affect Xen versions up to and including those that ship with the flawed patches for XSA-226. Patches are available for Xen 4.5, 4.6, 4.7, 4.8, 4.9, and the unstable branch [2].
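The first issue, a retry written as a self-call, can be shown with a small model. This is an added example, not Xen code and not the XSA-226 patch: `struct op`, `try_once`, `copy_recursive`, `copy_iterative` and the `MAX_RETRIES` bound are hypothetical names and choices made for illustration.

```c
#include <stdio.h>

/* Constructed model of an operation that may ask to be retried.
 * retries_needed stands in for a caller-influenced retry count. */
struct op { unsigned retries_needed, attempts, max_depth; };

static int try_once(struct op *o)
{
    o->attempts++;
    if (o->retries_needed) { o->retries_needed--; return -1; } /* retry */
    return 0;                                                   /* done  */
}

/* Before: retry by calling itself. C does not guarantee that the
 * compiler emits a tail call, so each retry may hold a live stack frame.
 * depth records how many frames that would be. */
static int copy_recursive(struct op *o, unsigned depth)
{
    if (depth > o->max_depth) o->max_depth = depth;
    if (try_once(o) == 0) return 0;
    return copy_recursive(o, depth + 1);
}

/* After: the retry is a loop, so stack use is constant. The retry bound
 * is an extra defensive assumption of this example. */
#define MAX_RETRIES 16
static int copy_iterative(struct op *o)
{
    for (unsigned i = 0; i <= MAX_RETRIES; i++)
        if (try_once(o) == 0) return 0;
    return -2; /* give up instead of spinning */
}

int main(void)
{
    struct op a = { 1000, 0, 0 }, b = { 1000, 0, 0 };
    int ra = copy_recursive(&a, 1);
    int rb = copy_iterative(&b);
    printf("recursive: rc=%d frames=%u\n", ra, a.max_depth);
    printf("iterative: rc=%d attempts=%u\n", rb, b.attempts);
    return 0;
}
```
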

Exploitation

An attacker must have access to a local OS guest running on the Xen hypervisor. The attacker does not require any special privileges beyond those of a normal guest. To trigger the stack recursion bug, the attacker crafts a sequence of grant copy operations that causes the function to repeatedly reinvoke itself without making a tail call, potentially exhausting the Xen hypervisor stack. For the reference leak issue, the attacker concurrently uses a transitive grant operation to leak grant references [1][2]. Both issues can be chained or exploited independently.

Impact

A successful exploit can crash the Xen host, causing a denial of service. Privilege escalation and information leaks cannot be ruled out; the advisory explicitly states that both are possible [1][2]. The reference leak issue can lead to resource exhaustion, effectively a denial of service against the host or other guests.

Mitigation

The Xen Security Advisory XSA-226 provides patches that address both the stack recursion and the reference counting issues. The initial patch released in version 6 regressed 32-bit Dom0 or backend domains, so the final patch (version 7) fixes that regression [2]. Users should apply the appropriate patch for their Xen version (4.5, 4.6, 4.7, 4.8, 4.9, or unstable). As of the advisory's public release on 2017-08-15, no workaround other than applying the patch is available [3].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

19


References

10
