VYPR
High severity (7.8) · NVD Advisory · Published Dec 12, 2017 · Updated May 13, 2026

CVE-2017-17564

Description

An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging incorrect error handling for reference counting in shadow mode.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A refcount error handling flaw in Xen's shadow mode can let guest OS users crash the host or possibly gain privilege escalation.

Vulnerability

An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging incorrect error handling for reference counting in shadow mode [1][2]. Pages used to run x86 guests in shadow mode are reference-counted to track their uses; when another reference cannot be acquired, the corresponding page table entry must not be inserted. Due to incorrect error handling, this constraint could be violated [1][2]. All Xen versions are affected; x86 systems are vulnerable, ARM systems are not. Only guests running in shadow mode can exploit the vulnerability. PV guests typically run in shadow mode only during live migration or for features like VM snapshot. HVM guests run in shadow mode on hardware without HAP support, or when HAP is disabled [2].

Exploitation

An attacker must have guest OS privileges to trigger the flawed code path. The guest must be configured to run in shadow mode (e.g., an HVM guest without HAP or with HAP disabled, or a PV guest during live migration or VM snapshot) [2]. The attacker can exploit the incorrect error handling when acquiring a page reference fails, causing the page table entry to be inserted anyway and leading to hypervisor memory corruption or a crash [1][2]. No specific user interaction or race condition is required beyond normal guest operations that trigger reference acquisition failures.

Impact

A successful exploit may cause a hypervisor crash, resulting in a denial of service (DoS) affecting the entire host, or cause hypervisor memory corruption that could allow a guest to escalate its privilege to that of the host [2]. The advisory states "We cannot rule out a guest being able to escalate its privilege" [2], indicating that full host OS compromise is possible in some scenarios.

Mitigation

All Xen versions are affected. Patches are available from the Xen project: xsa250.patch (for current versions) and xsa250-4.5.patch (for older 4.5-based trees) [2]. Gentoo has released updated packages with versions >=4.9.1-r1 for xen and xen-tools [3]. For HVM guests explicitly configured to use shadow paging, switching to hardware-assisted paging (HAP) by setting hap=1 in the domain configuration avoids exposure to the vulnerability [2]. Live migration does not use shadow mode, so it does not expose the vulnerability [2]. As of the publication date (2017-12-12), no workaround other than patching or mitigation via HAP was available.
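A defender-side check for the HAP mitigation above, added here as an example that is not part of this advisory or of the Xen project: it scans xl domain configuration files and lists HVM guests that explicitly set hap=0 and therefore always run in shadow mode. The /etc/xen directory, the *.cfg glob and the sample configurations in the demo are assumptions and constructed data.

```shell
#!/bin/sh
# Audit xl domain configs for HVM guests that force shadow paging (hap=0),
# the configuration that exposes a host to this flaw. Added example; the
# config directory and file glob are assumptions, not Xen project code.

# Print the last assignment of key $2 in config $1, unquoted and lower-cased.
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed "s/#.*//; s/[[:space:]\"']//g" | tail -n 1 | tr 'A-Z' 'a-z'
}

# Classify one domain config:
#   hvm-shadow  HVM guest with hap=0 (always runs in shadow mode)
#   hvm-hap     HVM guest with hap=1 or unset (HAP is the default when supported)
#   pv / pvh    non-HVM guest (PV uses shadow mode only for migration/snapshot)
classify_domain() {
    _t=$(cfg_value "$1" type)
    [ -n "$_t" ] || _t=$(cfg_value "$1" builder)   # older configs use builder=
    [ -n "$_t" ] || _t=pv                            # xl defaults to a PV guest
    if [ "$_t" = hvm ]; then
        case "$(cfg_value "$1" hap)" in
            0|false) echo hvm-shadow ;;
            *)       echo hvm-hap ;;
        esac
    else
        echo "$_t"
    fi
}

# Print every config under $1 (default /etc/xen) whose guest runs in shadow mode.
audit_xen_configs() {
    for _f in "${1:-/etc/xen}"/*.cfg; do
        [ -f "$_f" ] || continue
        [ "$(classify_domain "$_f")" = hvm-shadow ] && echo "$_f"
    done
    return 0
}

# Self-contained demo on constructed configs (not real guests).
demo_audit() {
    _d=$(mktemp -d)
    printf 'name = "win"\ntype = "hvm"\nhap = 0   # explicit shadow paging\n' > "$_d/win.cfg"
    printf 'name = "web"\nbuilder = "hvm"\n' > "$_d/web.cfg"
    printf 'name = "db"\nkernel = "/boot/vmlinuz"\n' > "$_d/db.cfg"
    audit_xen_configs "$_d" | sed "s|^$_d/||"    # prints: win.cfg
    rm -rf "$_d"
}

demo_audit
```

Guests listed by the audit should get hap=1 (where the hardware supports HAP) or the xsa250 patch; a guest with no explicit hap key is reported as hvm-hap because HAP is Xen's default on capable hardware, which the script cannot verify from the config alone.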

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
