4 matches found
CVE-2026-23558
The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status pages via XENMEMaddtophysmap. Some of the status pages may then be freed while...
OPENSUSE-SU-2022:0333-1 Security update for xen
This update for xen fixes the following issues: - CVE-2022-23033: Fixed guestphysmapremovepage not removing the p2m mappings. XSA-393 bsc1194576 - CVE-2022-23034: Fixed possible DoS by a PV guest Xen while unmapping a grant. XSA-394 bsc1194581 - CVE-2022-23035: Fixed insufficient cleanup of...
CVE-2022-23033
arm: guestphysmapremovepage not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm p2mremovemapping, guestphysmapremovepage, and p2msetentry with mfn set to INVALIDMFN do not actually clear the pagetable entry if the entry doesn't have the vali...
The core of Apple is PPL: Breaking the XNU kernel's kernel
Posted by Brandon Azad, Project Zero While doing research for the one-byte exploit technique, I considered several ways it might be possible to bypass Apple's Page Protection Layer PPL using just a physical address mapping primitive, that is, before obtaining kernel read/write or defeating PAC...