Xen

by Xen Project

CVEs (67)

  • CVE-2020-29568 | Med | Dec 15, 2020
    risk 0.42 | cvss 6.5 | epss 0.00

    An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be…

  • CVE-2020-25597 | Med | Sep 23, 2020
    risk 0.42 | cvss 6.5 | epss 0.00

    An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life…

  • CVE-2016-9815 | Med | Feb 27, 2017
    risk 0.42 | cvss 6.5 | epss 0.00

    Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort.

  • CVE-2020-29570 | Med | Dec 15, 2020
    risk 0.40 | cvss 6.2 | epss 0.00

    An issue was discovered in Xen through 4.14.x. Recording of the per-vCPU control block mapping maintained by Xen and that of pointers into the control block is reversed. The consumer assumes, seeing the former initialized, that the latter are also ready for use. Malicious or…

  • CVE-2020-29567 | Med | Dec 15, 2020
    risk 0.40 | cvss 6.2 | epss 0.00

    An issue was discovered in Xen 4.14.x. When moving IRQs between CPUs to distribute the load of IRQ handling, IRQ vectors are dynamically allocated and de-allocated on the relevant CPUs. De-allocation has to happen when certain constraints are met. If these conditions are not met…

  • CVE-2020-29484 | Med | Dec 15, 2020
    risk 0.39 | cvss 6.0 | epss 0.00

    An issue was discovered in Xen through 4.14.x. When a Xenstore watch fires, the xenstore client that registered the watch will receive a Xenstore message containing the path of the modified Xenstore entry that triggered the watch, and the tag that was specified when registering…

  • CVE-2024-45819 | Med | Dec 19, 2024
    risk 0.36 | cvss 5.5 | epss 0.00

    PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated…

  • CVE-2023-46835 | Med | Jan 5, 2024
    risk 0.36 | cvss 5.5 | epss 0.00

    The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However, dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels…

  • CVE-2022-42331 | Med | Mar 21, 2023
    risk 0.36 | cvss 5.5 | epss 0.00

    x86: speculative vulnerability in 32bit SYSCALL path. Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entry path performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be…

  • CVE-2022-33748 | Med | Oct 11, 2022
    risk 0.36 | cvss 5.6 | epss 0.00

    Lock order inversion in transitive grant copy handling. As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can…

  • CVE-2022-26356 | Med | Apr 5, 2022
    risk 0.36 | cvss 5.6 | epss 0.00

    Racy interactions between dirty vram tracking and paging log dirty hypercalls. Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to…

  • CVE-2022-23034 | Med | Jan 25, 2022
    risk 0.36 | cvss 5.5 | epss 0.00

    A PV guest could DoS Xen while unmapping a grant. To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping,…

  • CVE-2021-28699 | Med | Aug 27, 2021
    risk 0.36 | cvss 5.5 | epss 0.00

    Inadequate grant-v2 status frames array bounds check. The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status…

  • CVE-2021-28693 | Med | Jun 30, 2021
    risk 0.36 | cvss 5.5 | epss 0.00

    xen/arm: Boot modules are not scrubbed. The bootloader will load boot modules (e.g. kernel, initramfs...) in a temporary area before they are copied by Xen to each domain's memory. To ensure sensitive data is not leaked from the modules, Xen must "scrub" them before handing the…

  • CVE-2021-26933 | Med | Feb 17, 2021
    risk 0.36 | cvss 5.5 | epss 0.00

    An issue was discovered in Xen 4.9 through 4.14.x. On Arm, a guest is allowed to control whether memory accesses are bypassing the cache. This means that Xen needs to ensure that all writes (such as the ones during scrubbing) have reached the memory before handing over the page…

  • CVE-2020-25601 | Med | Sep 23, 2020
    risk 0.36 | cvss 5.5 | epss 0.00

    An issue was discovered in Xen through 4.14.x. There is a lack of preemption in evtchn_reset() / evtchn_destroy(). In particular, the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these (when resetting all event…

  • CVE-2017-14431 | Med | Sep 13, 2017
    risk 0.36 | cvss 5.5 | epss 0.00

    Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a denial of service (ARM or x86 AMD host OS memory consumption) by continually rebooting, because certain cleanup is skipped if no pass-through device was ever assigned, aka XSA-207.

  • CVE-2023-46839 | Med | Mar 20, 2024
    risk 0.35 | cvss 5.3 | epss 0.01

    PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions…

  • CVE-2021-28700 | Med | Aug 27, 2021
    risk 0.32 | cvss 4.9 | epss 0.02

    xen/arm: No memory limit for dom0less domUs. The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit for them is not set. This allows a domain to allocate memory beyond what an administrator…

  • CVE-2023-46836 | Med | Jan 5, 2024
    risk 0.31 | cvss 4.7 | epss 0.00

    The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left…