VYPR

Vendor CVEs

Xen

All CVEs

496 total · sorted by risk
  • CVE-2016-3157HigApr 12, 2016
    risk 0.51cvss 7.8epss 0.01

    The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel does not properly context-switch IOPL on 64-bit PV Xen guests, which allows local guest OS users to gain privileges, cause a denial of service (guest OS crash), or obtain sensitive information by…

  • CVE-2017-10922HigJul 5, 2017
    risk 0.49cvss 7.5epss 0.02

    The grant-table feature in Xen through 4.8.x mishandles MMIO region grant references, which allows guest OS users to cause a denial of service (loss of grant trackability), aka XSA-224 bug 3.

  • CVE-2017-10916HigJul 5, 2017
    risk 0.49cvss 7.5epss 0.01

    The vCPU context-switch implementation in Xen through 4.8.x improperly interacts with the Memory Protection Extensions (MPX) and Protection Key (PKU) features, which makes it easier for guest OS users to defeat ASLR and other protection mechanisms, aka XSA-220.

  • CVE-2016-9637HigFeb 17, 2017
    risk 0.49cvss 7.5epss 0.00

    The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access.

  • CVE-2016-9381HigJan 23, 2017
    risk 0.49cvss 7.5epss 0.00

    Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability.

  • CVE-2016-9380HigJan 23, 2017
    risk 0.49cvss 7.5epss 0.00

    The pygrub boot loader emulator in Xen, when nul-delimited output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via NUL bytes in the bootloader configuration file.

  • CVE-2015-8554HigApr 14, 2016
    risk 0.49cvss 7.5epss 0.00

    Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using the qemu-xen-traditional (aka qemu-dm) device model, allows local x86 HVM guest administrators to gain privileges by leveraging a system with access to a passed-through MSI-X capable physical PCI device and…

  • CVE-2026-23554HigMar 23, 2026
    risk 0.44cvss 7.8epss 0.00

    The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the…

  • CVE-2016-7154MedSep 21, 2016
    risk 0.44cvss 6.7epss 0.01

    Use-after-free vulnerability in the FIFO event channel code in Xen 4.4.x allows local guest OS administrators to cause a denial of service (host crash) and possibly execute arbitrary code or obtain sensitive information via an invalid guest frame number.

  • CVE-2016-4962MedJun 7, 2016
    risk 0.44cvss 6.7epss 0.00

    The libxl device-handling in Xen 4.6.x and earlier allows local OS guest administrators to cause a denial of service (resource consumption or management facility confusion) or gain host OS privileges by manipulating information in guest controlled areas of xenstore.

  • CVE-2016-2270MedFeb 19, 2016
    risk 0.44cvss 6.8epss 0.01

    Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings.

  • CVE-2018-15470MedAug 17, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen through 4.11.x. The logic in oxenstored for handling writes depended on the order of evaluation of expressions making up a tuple. As indicated in section 7.7.3 "Operations on data structures" of the OCaml manual, the order of evaluation of…

  • CVE-2018-15469MedAug 17, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen through 4.11.x. ARM never properly implemented grant table v2, either in the hypervisor or in Linux. Unfortunately, an ARM guest can still request v2 grant tables; they will simply not be properly set up, resulting in subsequent grant-related…

  • CVE-2018-12893MedJul 2, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen through 4.10.x. One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. A malicious PV guest…

  • CVE-2018-12891MedJul 2, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen through 4.10.x. Certain PV MMU operations may take a long time to process. For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few rarely taken code paths did bypass such checks. By suitably enforcing…

  • CVE-2018-10981MedMay 10, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions between states of a request.

  • CVE-2018-10471MedApr 27, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (out-of-bounds zero write and hypervisor crash) via unexpected INT 80 processing, because of an incorrect fix for CVE-2017-5754.

  • CVE-2018-7542MedFeb 27, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen 4.8.x through 4.10.x allowing x86 PVH guest OS users to cause a denial of service (NULL pointer dereference and hypervisor crash) by leveraging the mishandling of configurations that lack a Local APIC.

  • CVE-2018-7540MedFeb 27, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (host OS CPU hang) via non-preemptable L3/L4 pagetable freeing.

  • CVE-2018-5244MedJan 5, 2018
    risk 0.42cvss 6.5epss 0.00

    In Xen 4.10, new infrastructure was introduced as part of an overhaul to how MSR emulation happens for guests. Unfortunately, one tracking structure isn't freed when a vcpu is destroyed. This allows guest OS administrators to cause a denial of service (host OS memory…

  • CVE-2017-17046MedNov 28, 2017
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen through 4.9.x on the ARM platform allowing guest OS users to obtain sensitive information from DRAM after a reboot, because disjoint blocks, and physical addresses that do not start at zero, are mishandled.

  • CVE-2017-17044MedNov 28, 2017
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to cause a denial of service (infinite loop and host OS hang) by leveraging the mishandling of Populate on Demand (PoD) errors.

  • CVE-2017-15593MedOct 18, 2017
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (memory leak) because reference counts are mishandled.

  • CVE-2017-15591MedOct 18, 2017
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers (who control a stub domain kernel or tool stack) to cause a denial of service (host OS crash) because of a missing comparison (of range start to range end) within the DMOP map/unmap implementation.

  • CVE-2017-15589MedOct 18, 2017
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to obtain sensitive information from the host OS (or an arbitrary guest OS) because intercepted I/O operations can cause a write of data from uninitialized hypervisor stack memory.

  • CVE-2017-14318MedSep 12, 2017
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Xen 4.5.x through 4.9.x. The function `__gnttab_cache_flush` handles GNTTABOP_cache_flush grant table operations. It checks to see if the calling domain is the owner of the page that is to be operated on. If it is not, the owner's grant table is…

  • CVE-2017-12855MedAug 15, 2017
    risk 0.42cvss 6.5epss 0.00

    Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. Under some…

  • CVE-2017-10923MedJul 5, 2017
    risk 0.42cvss 6.5epss 0.02

    Xen through 4.8.x does not validate a vCPU array index upon the sending of an SGI, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-225.

  • CVE-2017-10919MedJul 5, 2017
    risk 0.42cvss 6.5epss 0.02

    Xen through 4.8.x mishandles virtual interrupt injection, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-223.

  • CVE-2016-9818MedFeb 27, 2017
    risk 0.42cvss 6.5epss 0.00

    Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at HYP.

  • CVE-2016-9817MedFeb 27, 2017
    risk 0.42cvss 6.5epss 0.00

    Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving a (1) data or (2) prefetch abort with the ESR_EL2.EA bit set.

  • CVE-2016-9816MedFeb 27, 2017
    risk 0.42cvss 6.5epss 0.00

    Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at EL2.

  • CVE-2016-9815MedFeb 27, 2017
    risk 0.42cvss 6.5epss 0.00

    Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort.

  • CVE-2016-9384MedFeb 22, 2017
    risk 0.42cvss 6.5epss 0.00

    Xen 4.7 allows local guest OS users to obtain sensitive host information by loading a 32-bit ELF symbol table.

  • CVE-2014-3672MedMay 25, 2016
    risk 0.42cvss 6.5epss 0.00

    The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr.

  • CVE-2015-8553MedApr 13, 2016
    risk 0.42cvss 6.5epss 0.00

    Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777.

  • CVE-2016-7777MedOct 7, 2016
    risk 0.41cvss 6.3epss 0.00

    Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which allows local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to…

  • CVE-2016-1571MedJan 22, 2016
    risk 0.41cvss 6.3epss 0.01

    The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID…

  • CVE-2016-6259MedAug 2, 2016
    risk 0.40cvss 6.2epss 0.01

    Xen 4.5.x through 4.7.x do not implement Supervisor Mode Access Prevention (SMAP) whitelisting in 32-bit exception and event delivery, which allows local 32-bit PV guest OS kernels to cause a denial of service (hypervisor and VM crash) by triggering a safety check.

  • CVE-2026-23555HigMar 23, 2026
    risk 0.39cvss 7.1epss 0.00

    Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored.…

  • CVE-2023-3019MedJul 24, 2023
    risk 0.39cvss 6.0epss 0.00

    A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.

  • CVE-2018-15468MedAug 17, 2018
    risk 0.39cvss 6.0epss 0.00

    An issue was discovered in Xen through 4.11.x. The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably…

  • CVE-2017-15596MedOct 18, 2017
    risk 0.39cvss 6.0epss 0.00

    An issue was discovered in Xen 4.4.x through 4.9.x allowing ARM guest OS users to cause a denial of service (prevent physical CPU usage) because of lock mishandling upon detection of an add-to-physmap error.

  • CVE-2016-10024MedJan 26, 2017
    risk 0.39cvss 6.0epss 0.00

    Xen through 4.8.x allows local x86 PV guest OS kernel administrators to cause a denial of service (host hang or crash) by modifying the instruction stream asynchronously while performing certain kernel operations.

  • CVE-2016-9385MedJan 23, 2017
    risk 0.39cvss 6.0epss 0.00

    The x86 segment base write emulation functionality in Xen 4.4.x through 4.7.x allows local x86 PV guest OS administrators to cause a denial of service (host crash) by leveraging lack of canonical address checks.

  • CVE-2018-10472MedApr 27, 2018
    risk 0.36cvss 5.6epss 0.00

    An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users (in certain configurations) to read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction with specifying the target file as the backing file of a snapshot.

  • CVE-2017-17565MedDec 12, 2017
    risk 0.36cvss 5.6epss 0.00

    An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) if shadow mode and log-dirty mode are in place, because of an incorrect assertion related to M2P.

  • CVE-2017-14431MedSep 13, 2017
    risk 0.36cvss 5.5epss 0.00

    Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a denial of service (ARM or x86 AMD host OS memory consumption) by continually rebooting, because certain cleanup is skipped if no pass-through device was ever assigned, aka XSA-207.

  • CVE-2017-14317MedSep 12, 2017
    risk 0.36cvss 5.6epss 0.00

    A domain cleanup issue was discovered in the C xenstore daemon (aka cxenstored) in Xen through 4.9.x. When shutting down a VM with a stubdomain, a race in cxenstored may cause a double-free. The xenstored daemon may crash, resulting in a DoS of any parts of the system relying on…

  • CVE-2016-9378MedFeb 22, 2017
    risk 0.36cvss 5.5epss 0.00

    Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging an incorrect choice for software interrupt delivery.

Page 2 of 10