VYPR

Vendor CVEs

Xen Project

All CVEs

98 total · sorted by risk
  • CVE-2022-42318 · Med · Nov 1, 2022
    risk 0.42 · cvss 6.5 · epss 0.00

    Xenstore: guests can let run xenstored out of memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in…

  • CVE-2022-42316 · Med · Nov 1, 2022
    risk 0.42 · cvss 6.5 · epss 0.00

    Xenstore: guests can let run xenstored out of memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in…

  • CVE-2022-42314 · Med · Nov 1, 2022
    risk 0.42 · cvss 6.5 · epss 0.00

    Xenstore: guests can let run xenstored out of memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in…

  • CVE-2022-42312 · Med · Nov 1, 2022
    risk 0.42 · cvss 6.5 · epss 0.00

    Xenstore: guests can let run xenstored out of memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in…

  • CVE-2022-42311 · Med · Nov 1, 2022
    risk 0.42 · cvss 6.5 · epss 0.00

    Xenstore: guests can let run xenstored out of memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in…

  • CVE-2022-33746 · Med · Oct 11, 2022
    risk 0.42 · cvss 6.5 · epss 0.00

    P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was…

  • CVE-2022-26362 · Med · Jun 9, 2022
    risk 0.42 · cvss 6.4 · epss 0.00

    x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables;…

  • CVE-2021-28713 · Med · Jan 5, 2022
    risk 0.42 · cvss 6.5 · epss 0.00

    Rogue backends can cause DoS of guests via high frequency events [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically…

  • CVE-2021-28711 · Med · Jan 5, 2022
    risk 0.42 · cvss 6.5 · epss 0.00

    Rogue backends can cause DoS of guests via high frequency events [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically…

  • CVE-2021-28690 · Med · Jun 29, 2021
    risk 0.42 · cvss 6.5 · epss 0.01

    x86: TSX Async Abort protections not restored after S3 This issue relates to the TSX Async Abort speculative security vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html for details. Mitigating TAA by disabling TSX (the default and preferred option) requires…

  • CVE-2021-28688 · Med · Apr 6, 2021
    risk 0.42 · cvss 6.5 · epss 0.00

    The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup…

  • CVE-2020-29483 · Med · Dec 15, 2020
    risk 0.42 · cvss 6.5 · epss 0.00

    An issue was discovered in Xen through 4.14.x. Xenstored and guests communicate via a shared memory page using a specific protocol. When a guest violates this protocol, xenstored will drop the connection to that guest. Unfortunately, this is done by just removing the guest from…

  • CVE-2020-29568 · Med · Dec 15, 2020
    risk 0.42 · cvss 6.5 · epss 0.00

    An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be…

  • CVE-2020-25597 · Med · Sep 23, 2020
    risk 0.42 · cvss 6.5 · epss 0.00

    An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life…

  • CVE-2016-9815 · Med · Feb 27, 2017
    risk 0.42 · cvss 6.5 · epss 0.00

    Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort.

  • CVE-2020-29570 · Med · Dec 15, 2020
    risk 0.40 · cvss 6.2 · epss 0.00

    An issue was discovered in Xen through 4.14.x. Recording of the per-vCPU control block mapping maintained by Xen and that of pointers into the control block is reversed. The consumer assumes, seeing the former initialized, that the latter are also ready for use. Malicious or…

  • CVE-2020-29567 · Med · Dec 15, 2020
    risk 0.40 · cvss 6.2 · epss 0.00

    An issue was discovered in Xen 4.14.x. When moving IRQs between CPUs to distribute the load of IRQ handling, IRQ vectors are dynamically allocated and de-allocated on the relevant CPUs. De-allocation has to happen when certain constraints are met. If these conditions are not met…

  • CVE-2020-29484 · Med · Dec 15, 2020
    risk 0.39 · cvss 6.0 · epss 0.00

    An issue was discovered in Xen through 4.14.x. When a Xenstore watch fires, the xenstore client that registered the watch will receive a Xenstore message containing the path of the modified Xenstore entry that triggered the watch, and the tag that was specified when registering…

  • CVE-2024-45819 · Med · Dec 19, 2024
    risk 0.36 · cvss 5.5 · epss 0.00

    PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated…

  • CVE-2023-46835 · Med · Jan 5, 2024
    risk 0.36 · cvss 5.5 · epss 0.00

    The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels…

  • CVE-2023-34323 · Med · Jan 5, 2024
    risk 0.36 · cvss 5.5 · epss 0.00

    When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C…

  • CVE-2022-42331 · Med · Mar 21, 2023
    risk 0.36 · cvss 5.5 · epss 0.00

    x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be…

  • CVE-2022-42329 · Med · Dec 7, 2022
    risk 0.36 · cvss 5.5 · epss 0.00

    Guests can trigger deadlock in Linux netback driver [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to…

  • CVE-2022-42328 · Med · Dec 7, 2022
    risk 0.36 · cvss 5.5 · epss 0.00

    Guests can trigger deadlock in Linux netback driver [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to…

  • CVE-2022-42326 · Med · Nov 1, 2022
    risk 0.36 · cvss 5.5 · epss 0.00

    Xenstore: Guests can create arbitrary number of nodes via transactions [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the…

  • CVE-2022-42325 · Med · Nov 1, 2022
    risk 0.36 · cvss 5.5 · epss 0.00

    Xenstore: Guests can create arbitrary number of nodes via transactions [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the…

  • CVE-2022-42324 · Med · Nov 1, 2022
    risk 0.36 · cvss 5.5 · epss 0.00

    Oxenstored 32->31 bit integer truncation issues Integers in OCaml are 63 or 31 bits of signed precision. The OCaml Xenbus library takes a C uint32_t out of the ring and casts it directly to an OCaml integer. In 64-bit OCaml builds this is fine, but in 32-bit builds, it truncates…
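    The truncation behind CVE-2022-42324 is easy to reproduce in a model. The following is an added example, not oxenstored or Xenbus code: it mimics storing a C uint32_t in an OCaml native int with a 31-bit payload (32-bit build) versus a 63-bit payload (64-bit build), and shows a length check that is correct on 64-bit but passes bad values on 32-bit. The MAX_PAYLOAD limit, the check itself and the hardened variant are assumptions made for the illustration, not the library's actual logic.

```python
"""Model of the 32->31 bit truncation described for CVE-2022-42324.

Added example, not oxenstored/Xenbus code. The constants and checks are
assumptions used to illustrate the effect of the truncation.
"""

OCAML_INT_BITS_32 = 31   # payload bits of a native int on 32-bit OCaml (1 tag bit)
OCAML_INT_BITS_64 = 63   # payload bits of a native int on 64-bit OCaml
MAX_PAYLOAD = 4096       # assumption: largest message length the consumer accepts


def to_ocaml_int(u32: int, bits: int) -> int:
    """Store a uint32 in an OCaml native int with `bits` payload bits.

    Bits at and above `bits` are lost; the remaining value is read as a
    signed integer, so on 32-bit builds bit 31 vanishes and bit 30 becomes
    the sign bit (values >= 2**30 turn negative).
    """
    assert 0 <= u32 <= 0xFFFFFFFF
    v = u32 & ((1 << bits) - 1)
    if v & (1 << (bits - 1)):
        v -= 1 << bits
    return v


def length_ok_naive(u32_len: int, bits: int) -> bool:
    """Vulnerable pattern: convert first, then compare the signed result.

    A negative (truncated) value satisfies `n <= MAX_PAYLOAD`, and a value
    with bit 31 set looks small because that bit was simply dropped.
    """
    n = to_ocaml_int(u32_len, bits)
    return n <= MAX_PAYLOAD


def length_ok_checked(u32_len: int, bits: int) -> bool:
    """Hardened pattern (assumption): validate the raw unsigned value
    against the limit before it is ever converted to a native int."""
    if not 0 <= u32_len <= MAX_PAYLOAD:
        return False
    n = to_ocaml_int(u32_len, bits)   # now cannot wrap on either build
    return 0 <= n <= MAX_PAYLOAD


if __name__ == "__main__":
    # constructed ring values: 1 GiB + 16 bytes, and 2 GiB + 16 bytes
    for raw in (0x40000010, 0x80000010):
        for bits in (OCAML_INT_BITS_64, OCAML_INT_BITS_32):
            print("raw=%#x bits=%d seen=%d naive=%s checked=%s" % (
                raw, bits, to_ocaml_int(raw, bits),
                length_ok_naive(raw, bits), length_ok_checked(raw, bits)))
```

    On the 64-bit model both constructed values are correctly rejected; on the 31-bit model 0x40000010 is seen as a negative number and 0x80000010 as 16, so the naive check accepts both while the unsigned pre-check rejects them.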

  • CVE-2022-42322 · Med · Nov 1, 2022
    risk 0.36 · cvss 5.5 · epss 0.00

    Xenstore: Cooperating guests can create arbitrary numbers of nodes [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be…

  • CVE-2022-33748 · Med · Oct 11, 2022
    risk 0.36 · cvss 5.6 · epss 0.00

    lock order inversion in transitive grant copy handling As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can…

  • CVE-2022-26356 · Med · Apr 5, 2022
    risk 0.36 · cvss 5.6 · epss 0.00

    Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to…

  • CVE-2022-23034 · Med · Jan 25, 2022
    risk 0.36 · cvss 5.5 · epss 0.00

    A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping,…

  • CVE-2021-28699 · Med · Aug 27, 2021
    risk 0.36 · cvss 5.5 · epss 0.00

    inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status…

  • CVE-2021-28693 · Med · Jun 30, 2021
    risk 0.36 · cvss 5.5 · epss 0.00

    xen/arm: Boot modules are not scrubbed The bootloader will load boot modules (e.g. kernel, initramfs...) in a temporary area before they are copied by Xen to each domain memory. To ensure sensitive data is not leaked from the modules, Xen must "scrub" them before handing the…

  • CVE-2021-28687 · Med · Jun 11, 2021
    risk 0.36 · cvss 5.5 · epss 0.00

    HVM soft-reset crashes toolstack libxl requires all data structures passed across its public interface to be initialized before use and disposed of afterwards by calling a specific set of functions. Many internal data structures also require this initialize / dispose discipline,…

  • CVE-2021-26933 · Med · Feb 17, 2021
    risk 0.36 · cvss 5.5 · epss 0.00

    An issue was discovered in Xen 4.9 through 4.14.x. On Arm, a guest is allowed to control whether memory accesses are bypassing the cache. This means that Xen needs to ensure that all writes (such as the ones during scrubbing) have reached the memory before handing over the page…

  • CVE-2020-25601 · Med · Sep 23, 2020
    risk 0.36 · cvss 5.5 · epss 0.00

    An issue was discovered in Xen through 4.14.x. There is a lack of preemption in evtchn_reset() / evtchn_destroy(). In particular, the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these (when resetting all event…

  • CVE-2017-14431 · Med · Sep 13, 2017
    risk 0.36 · cvss 5.5 · epss 0.00

    Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a denial of service (ARM or x86 AMD host OS memory consumption) by continually rebooting, because certain cleanup is skipped if no pass-through device was ever assigned, aka XSA-207.

  • CVE-2023-46839 · Med · Mar 20, 2024
    risk 0.35 · cvss 5.3 · epss 0.01

    PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions…

  • CVE-2022-33749 · Med · Oct 11, 2022
    risk 0.35 · cvss 5.3 · epss 0.01

    XAPI open file limit DoS It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limit. This causes XAPI to be unable to accept new requests for other (trusted) clients, and blocks XAPI from carrying out any tasks that require the…

  • CVE-2021-28700 · Med · Aug 27, 2021
    risk 0.32 · cvss 4.9 · epss 0.02

    xen/arm: No memory limit for dom0less domUs The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit for them is not set. This allows a domain to allocate memory beyond what an administrator…

  • CVE-2023-46836 · Med · Jan 5, 2024
    risk 0.31 · cvss 4.7 · epss 0.00

    The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left…

  • CVE-2023-20569 · Med · Aug 8, 2023
    risk 0.31 · cvss 4.7 · epss 0.06

    A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

  • CVE-2022-23035 · Med · Jan 25, 2022
    risk 0.30 · cvss 4.6 · epss 0.00

    Insufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not…

  • CVE-2024-31144 · Low · Feb 14, 2025
    risk 0.25 · cvss 3.8 · epss 0.00

    For a brief summary of Xapi terminology, see: https://xapi-project.github.io/xen-api/overview.html#object-model-overview Xapi contains functionality to backup and restore metadata about Virtual Machines and Storage Repositories (SRs). The metadata itself is stored in a…

  • CVE-2022-33747 · Low · Oct 11, 2022
    risk 0.25 · cvss 3.8 · epss 0.00

    Arm: unbounded memory consumption for 2nd-level page tables Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory…

  • CVE-2023-46837 · Low · Jan 5, 2024
    risk 0.21 · cvss 3.3 · epss 0.00

    Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the…

  • CVE-2022-42336 · Low · May 17, 2023
    risk 0.21 · cvss 3.3 · epss 0.00

    Mishandling of guest SSBD selection on AMD hardware The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of…

  • CVE-2020-29480 · Low · Dec 15, 2020
    risk 0.15 · cvss 2.3 · epss 0.00

    An issue was discovered in Xen through 4.14.x. Neither xenstore implementation does any permission checks when reporting a xenstore watch event. A guest administrator can watch the root xenstored node, which will cause notifications for every created, modified, and deleted key.…
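    Two of the xenstore watch entries on this page, CVE-2020-29568 (events queued without bound when the consumer is slower than the producer) and CVE-2020-29480 (watch events reported without checking whether the watcher may read the node), can be shown with one small model. The following is an added example and not xenstored, oxenstored or Linux xenbus code: a toy store with owner-based read permissions, prefix-matching watches, and a per-client pending-event queue whose limit and drop-and-count overflow policy are assumptions chosen for the illustration (a real consumer might instead stop reading its ring to apply backpressure).

```python
"""Model of watch-event permission checks and queue bounding in a
xenstore-like store. Added example, not xenstored or xenbus code; the
permission model, PENDING_LIMIT and the overflow policy are assumptions."""
from collections import deque
from dataclasses import dataclass, field

PENDING_LIMIT = 64  # assumption: maximum undelivered events per client


@dataclass
class Node:
    owner: int                                     # domid that owns the node
    readers: set = field(default_factory=set)      # other domids allowed to read

    def readable_by(self, domid: int) -> bool:
        # dom0 reads everything; otherwise the owner or an explicit reader
        return domid == 0 or domid == self.owner or domid in self.readers


@dataclass
class Client:
    domid: int
    watches: list = field(default_factory=list)    # (watched path, token)
    pending: deque = field(default_factory=deque)  # events not yet consumed
    dropped: int = 0                                # events refused by the bound


def watch_matches(watched: str, changed: str) -> bool:
    """A watch fires for the watched node and for every node below it."""
    if watched == changed:
        return True
    return changed.startswith(watched.rstrip("/") + "/")


class Store:
    """Minimal tree with watches; check_perms/bounded toggle the two fixes."""

    def __init__(self, check_perms: bool, bounded: bool):
        self.check_perms = check_perms
        self.bounded = bounded
        self.nodes = {"/": Node(owner=0)}
        self.clients: dict[int, Client] = {}

    def client(self, domid: int) -> Client:
        return self.clients.setdefault(domid, Client(domid))

    def watch(self, domid: int, path: str, token: str) -> None:
        self.client(domid).watches.append((path, token))

    def write(self, path: str, owner: int) -> None:
        """Create or update a node, then fire matching watches."""
        self.nodes.setdefault(path, Node(owner=owner))
        self._fire(path)

    def _fire(self, path: str) -> None:
        node = self.nodes[path]
        for c in self.clients.values():
            for watched, token in c.watches:
                if not watch_matches(watched, path):
                    continue
                # CVE-2020-29480: without this check a watch on "/" reports
                # every path in the store to a guest that may not read it
                if self.check_perms and not node.readable_by(c.domid):
                    continue
                # CVE-2020-29568: without a bound, a writer that outpaces the
                # consumer grows this queue without limit
                if self.bounded and len(c.pending) >= PENDING_LIMIT:
                    c.dropped += 1
                    continue
                c.pending.append((path, token))


def simulate(check_perms: bool, bounded: bool, writes: int = 200):
    """Constructed scenario: guest 7 watches "/", guest 3 watches its own
    subtree and writes `writes` private nodes; neither consumer drains its
    queue. Returns (events queued for dom7, dropped for dom7, queued for dom3)."""
    s = Store(check_perms, bounded)
    s.watch(7, "/", "spy")
    s.watch(3, "/local/domain/3", "mine")
    for i in range(writes):
        s.write("/local/domain/3/data/%d" % i, owner=3)
    spy, me = s.client(7), s.client(3)
    return len(spy.pending), spy.dropped, len(me.pending)


if __name__ == "__main__":
    for perms in (False, True):
        for bounded in (False, True):
            print("check_perms=%s bounded=%s -> %s" % (perms, bounded, simulate(perms, bounded)))
```

    With both fixes off, dom7 receives all 200 events for nodes it cannot read and the queue grows with every write; the permission check alone reduces dom7's deliveries to zero, and the bound alone caps every client's backlog at PENDING_LIMIT while counting what was refused.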

Page 2 of 2