CVE-2017-17566
Description
An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) or gain host OS privileges in shadow mode by mapping a certain auxiliary page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Xen PV guest with shadow paging can map an internal auxiliary page, causing a host crash or potential privilege escalation.
Vulnerability
An issue exists in Xen through version 4.9.x in the memory management code for PV guests running in shadow mode. When a guest is in shadow mode (required for live migration or VM snapshots), certain auxiliary pages used internally by Xen have their ownership set to the guest itself. The shadow paging code and the main PV memory management code interpret the control structure fields of such a page differently when the guest maps it. This inconsistency can lead to a hypervisor crash or hypervisor memory corruption. All versions of Xen are vulnerable; only x86 systems are affected, and only x86 PV guests running in shadow mode can exploit the issue. HVM guests are not vulnerable [1][2].
Exploitation
An attacker must have access to a PV guest on a vulnerable x86 Xen host, and that guest must be running in shadow mode (e.g., during a live migration or VM snapshot operation). The attacker then triggers the mapping of the internally used auxiliary page: the guest maps a page it owns but which Xen also uses internally in shadow mode, causing the conflicting interpretation of the page's control fields. No privileges beyond those of a normal PV guest user are required; any user within the guest can perform the attack [1][2].
Impact
Successful exploitation results in a denial of service (DoS) via host hypervisor crash, affecting all domains on the host. Additionally, the advisory states that hypervisor memory corruption is possible and that privilege escalation cannot be ruled out. An attacker could potentially gain host OS privileges [1][2].
Mitigation
Xen has released patches for this issue (XSA-248). Fixed versions are available for Xen 4.9.x and earlier branches; users should update to the latest patched version (e.g., Xen 4.9.1 or later). The Gentoo security advisory recommends upgrading to >=app-emulation/xen-4.9.1-r1 and >=app-emulation/xen-tools-4.9.1-r1 [3]. There is no known workaround [3]. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
17 OSV package coordinates (all pkg:rpm/suse/xen, no CPE), listed with their fixed-version range:
- SUSE Linux Enterprise Desktop 12 SP2: < 4.7.4_06-43.24.1
- SUSE Linux Enterprise Desktop 12 SP3: < 4.9.1_08-3.26.1
- SUSE Linux Enterprise Point of Sale 11 SP3: < 4.2.5_21-45.19.1
- SUSE Linux Enterprise Server 11 SP3-LTSS: < 4.2.5_21-45.19.1
- SUSE Linux Enterprise Server 11 SP4: < 4.4.4_28-61.23.2
- SUSE Linux Enterprise Server 12 SP1-LTSS: < 4.5.5_24-22.43.1
- SUSE Linux Enterprise Server 12 SP2: < 4.7.4_06-43.24.1
- SUSE Linux Enterprise Server 12 SP3: < 4.9.1_08-3.26.1
- SUSE Linux Enterprise Server 12-LTSS: < 4.4.4_28-22.62.1
- SUSE Linux Enterprise Server for SAP Applications 11 SP4: < 4.4.4_28-61.23.2
- SUSE Linux Enterprise Server for SAP Applications 12 SP1: < 4.5.5_24-22.43.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP2: < 4.7.4_06-43.24.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP3: < 4.9.1_08-3.26.1
- SUSE Linux Enterprise Software Development Kit 11 SP4: < 4.4.4_28-61.23.2
- SUSE Linux Enterprise Software Development Kit 12 SP2: < 4.7.4_06-43.24.1
- SUSE Linux Enterprise Software Development Kit 12 SP3: < 4.9.1_08-3.26.1
- SUSE OpenStack Cloud 6: < 4.5.5_24-22.43.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- xenbits.xen.org/xsa/advisory-248.html (NVD: Mitigation, Patch, Vendor Advisory)
- www.openwall.com/lists/oss-security/2017/12/12/4 (NVD: Mailing List)
- www.securityfocus.com/bid/102167 (NVD)
- www.securitytracker.com/id/1040768 (NVD)
- lists.debian.org/debian-lts-announce/2018/01/msg00003.html (NVD)
- lists.debian.org/debian-lts-announce/2018/10/msg00009.html (NVD)
- security.gentoo.org/glsa/201801-14 (NVD)
- support.citrix.com/article/CTX232096 (NVD)
- www.debian.org/security/2018/dsa-4112 (NVD)
News mentions
No linked articles in our index yet.