Lucene search
K
XenMost viewed

482 matches found

Xen Project
Xen Project
•added 2012/09/05 9:14 a.m.•13 views

grant table entry swaps have inadequate bounds checking

ISSUE DESCRIPTION The grant table hypercall's GNTTABOPswapgrantref sub-operation does not perform adequate checks on the input grant references. IMPACT A malicious guest kernel or administrator can crash the host. It may be possible for an attacker to swap a valid grant reference, which they...

6.9CVSS5.9AI score0.00356EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2012/09/05 9:10 a.m.•13 views

multiple TMEM hypercall vulnerabilities

ISSUE DESCRIPTION Several sub-operations of the Transcendent Memory TMEM hypercall either do not correctly validate their inputs, do not correctly validate the privilege of the calling guest, or have other security-relevant bugs. A full list of the vulnerabilities in the TMEM system is not...

6.9CVSS7.2AI score0.00396EPSS
Exploits0
Xen Project
Xen Project
•added 2012/08/09 12:0 p.m.•13 views

HVM guest destroy p2m teardown host DoS vulnerability

ISSUE DESCRIPTION An HVM guest is able to manipulate its physical address space such that tearing down the guest takes an extended period amount of time searching for shared pages. This causes the domain 0 VCPU which tears down the domain to be blocked in the destroy hypercall. This causes that...

4.9CVSS7.1AI score0.00416EPSS
Exploits0
Xen Project
Xen Project
•added 2013/05/30 4:30 p.m.•12 views

64-bit PV guest privilege escalation vulnerability

ISSUE DESCRIPTION Rafal Wojtczuk has discovered a vulnerability which can allow a 64-bit PV guest kernel running on a 64-bit hypervisor to escalate privileges to that of the host by arranging for a system call to return via sysret to a non-canonical RIP. Intel CPUs deliver the resulting exception...

7.2CVSS7.3AI score0.37212EPSS
Exploits6
Xen Project
Xen Project
•added 2012/09/05 8:13 a.m.•12 views

hypercall physdev_get_free_pirq vulnerability

ISSUE DESCRIPTION PHYSDEVOPgetfreepirq does not check that its call to getfreepirq succeeded, and if it fails will use the error code as an array index. IMPACT A malicious guest might be able to cause the host to crash, leading to a DoS, depending on the exact memory layout. Privilege escalation ...

6.1CVSS7.2AI score0.00439EPSS
Exploits1Affected Software1
Xen Project
Xen Project
•added 2011/05/12 11:48 a.m.•12 views

VT-d (PCI passthrough) MSI trap injection

ISSUE DESCRIPTION Intel VT-d chipsets without interrupt remapping do not prevent a guest which owns a PCI device from using DMA to generate MSI interrupts by writing to the interrupt injection registers. This can be exploited to inject traps and gain control of the host. VULNERABLE SYSTEMS You ar...

7.4CVSS7.2AI score0.00852EPSS
Exploits1
Xen Project
Xen Project
•added 2011/05/09 12:8 p.m.•12 views

paravirtualised kernel image validation

ISSUE DESCRIPTION 1. Problems ----------- The functions which interpret the kernel image supplied for a paravirtualised guest, and decompress it into memory when booting the domain, are incautious. Specifically: i Integer overflow in the decompression loop memory allocator might result in...

6.9CVSS5.9AI score0.00705EPSS
Exploits0
Xen Project
Xen Project
•added 2026/04/28 12:0 p.m.•11 views

oxenstored keeps quota related use counts across domain destruction

ISSUE DESCRIPTION When oxenstored is tearing a domain down, the node data is cleaned up but the usage counts are leaked. When the domain ID is eventually reused, the new domain can create fewer nodes before beeing deemed to be over quota. IMPACT Over an extended period of time, new domains will b...

9.4CVSS5.2AI score0.00137EPSS
Exploits0
Xen Project
Xen Project
•added 2026/04/17 5:2 p.m.•11 views

x86: Floating Point Divider State Sampling

ISSUE DESCRIPTION Researchers from the CISPA Helmholtz Center for Information Security have discovered Floating Point Divider State Sampling. It is detailed in a paper titled "TREVEX: A Black-Box Detection Framework For Data-Flow Transient Execution Vulnerabilities" For more information, see:...

2CVSS5.7AI score0.00191EPSS
Exploits0
Xen Project
Xen Project
•added 2026/03/24 12:0 p.m.•11 views

Linux privcmd driver can circumvent kernel lockdown

ISSUE DESCRIPTION The Linux kernel's privcmd driver can be abused to circumvent kernel lockdown secure boot, e.g. by modifying page tables to enable user mode to modify kernel memory. IMPACT An administrator of an unprivileged guest booted in secure mode is able to perform actions on the kernel...

8.2CVSS5.8AI score0.00154EPSS
Exploits0
Xen Project
Xen Project
•added 2025/10/24 12:14 p.m.•11 views

Incorrect removal of permissions on PCI device unplug

ISSUE DESCRIPTION When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the...

7.5CVSS6.8AI score0.00396EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2025/10/21 12:0 p.m.•11 views

x86: Incorrect input sanitisation in Viridian hypercalls

ISSUE DESCRIPTION Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. CVE-2025-58147. Hypercalls using the HVVPSET Sparse...

7.5CVSS6.6AI score0.00347EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/05/30 4:36 p.m.•11 views

PV guest host Denial of Service

ISSUE DESCRIPTION A Xen user has discovered that some older AMD CPUs can be made to lock up due to AMD processor erratum 121. This issue was discovered during testing of the fix for XSA-7 CVE-2012-0217. Although the two issues are unrelated the situations which can trigger them may overlap...

7.2CVSS7.3AI score0.37212EPSS
Exploits6
Xen Project
Xen Project
•added 2012/11/13 11:56 a.m.•11 views

Unhooking empty PAE entries DoS vulnerability

ISSUE DESCRIPTION The HVMOPpagetabledying hypercall does not correctly check the caller's pagetable state, leading to a hypervisor crash. IMPACT An HVM guest running on shadow pagetables that is, not HAP can cause the hypervisor to crash. VULNERABLE SYSTEMS All Xen versions from 4.0 onwards are...

4.9CVSS7.2AI score0.00443EPSS
Exploits0
Xen Project
Xen Project
•added 2012/11/13 11:56 a.m.•11 views

pirq range check DoS vulnerability

ISSUE DESCRIPTION domainpirqtoemuirq uses the guest provided pirq value before range checking it, and physdevunmappirq uses domainpirqtoemuirq without checking the pirq value either. Invalid pirq values can cause Xen to read out of array bounds, usually resulting in a fatal page fault. IMPACT A...

2.1CVSS7.2AI score0.00419EPSS
Exploits0
Xen Project
Xen Project
•added 2012/07/26 3:21 p.m.•11 views

HVM guest user mode MMIO emulation DoS vulnerability

ISSUE DESCRIPTION Internal data of the emulator for MMIO operations may, under certain rare conditions, at the end of one emulation cycle be left in a state affecting a subsequent emulation such that this second emulation would fail, causing an exception to be reported to the guest kernel where...

1.9CVSS7AI score0.00642EPSS
Exploits1Affected Software1
Xen Project
Xen Project
•added 2012/02/02 1:57 p.m.•11 views

qemu-dm Local Privilege Escalation Vulnerability

ISSUE DESCRIPTION Heap-based buffer overflow in the processtxdesc function in the e1000 emulation allows the guest to cause a denial of service QEMU crash and possibly execute arbitrary code via crafted legacy mode packets. Upstream qemu has already released an advisory hence there is no embargo...

7.4CVSS6.4AI score0.00923EPSS
Exploits0
Xen Project
Xen Project
•added 2025/09/09 12:0 p.m.•10 views

XAPI UTF-8 string handling

ISSUE DESCRIPTION There are multiple issues. 1. Updates to the XAPI database sanitise input strings, but try generating the notification using the unsanitised input. This causes the database's event thread to terminate and cease further processing. 2. XAPI's UTF-8 encoder implements v3.0 of the...

9.4CVSS6.8AI score0.00137EPSS
Exploits0
Xen Project
Xen Project
•added 2012/11/13 11:56 a.m.•10 views

Timer overflow DoS vulnerability

ISSUE DESCRIPTION A guest which sets a VCPU with an inappropriate deadline can cause an infinite loop in Xen, blocking the affected physical CPU indefinitely. IMPACT A malicious guest administrator can trigger the bug. If the Xen watchdog is enabled, the whole system will crash. Otherwise the gue...

1.9CVSS7.2AI score0.00385EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2012/09/05 8:38 a.m.•10 views

XENMEM_populate_physmap DoS vulnerability

ISSUE DESCRIPTION XENMEMpopulatephysmap can be called with invalid flags. By calling it with MEMFpopulateondemand flag set, a BUG can be triggered if a translating paging mode is not being used. IMPACT A malicious guest kernel can crash the host. VULNERABLE SYSTEMS All Xen systems running PV...

4.7CVSS7.2AI score0.00418EPSS
Exploits0
Xen Project
Xen Project
•added 2011/03/14 11:0 a.m.•10 views

Host crash due to failure to correctly validate PV kernel execution state

ISSUE DESCRIPTION Cannot specify user mode execution without specifying user-mode pagetables. Failure to validate this allows a malicious or buggy 64 bit PV guest to crash the host. nb: predates vulnerability handling process and therefore no formal announcement...

5.5CVSS7.2AI score0.00667EPSS
Exploits0
Xen Project
Xen Project
•added 2026/04/28 12:0 p.m.•9 views

Linux kernel out of bounds read via Xen-related sysfs file

ISSUE DESCRIPTION The Linux sysfs file /sys/hypervisor/properties/buildid does not contain printable information, but a binary value of typically 16 or 20 bytes, which is not terminated by a zero byte. The kernel driver making this information available is using the sprintf function for writing t...

7.8CVSS5.5AI score0.00197EPSS
Exploits0
Xen Project
Xen Project
•added 2026/04/28 12:0 p.m.•9 views

Xenstored DoS via XS_RESET_WATCHES command

ISSUE DESCRIPTION Any guest can cause xenstored to crash by issuing a XSRESETWATCHES command within a transaction due to an assert triggering. In case xenstored was built with NDEBUG defined nothing bad will happen, as assert is doing nothing in this case. Note that the default is not to define...

6.5CVSS5.3AI score0.00158EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2026/01/27 12:0 p.m.•9 views

x86: buffer overrun with shadow paging + tracing

ISSUE DESCRIPTION Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing. IMPAC...

8.8CVSS5.9AI score0.00127EPSS
Exploits0
Xen Project
Xen Project
•added 2026/01/27 12:0 p.m.•9 views

varstored: TOCTOU issues with mapped guest memory

ISSUE DESCRIPTION varstored is a component of the Xapi toolstack handling UEFI Variables for a VM. It has a communication path with OVMF inside the VM involving mapping a buffer prepared by OVMF. Within varstored, there were insufficient compiler barriers, creating TOCTOU issues with data in the...

9.4CVSS6.4AI score0.0012EPSS
Exploits0
Xen Project
Xen Project
•added 2026/04/28 12:0 p.m.•8 views

grant table v2 race in status page mapping

ISSUE DESCRIPTION The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status pages via XENMEMaddtophysmap. Some of the status pages may then b...

7.8CVSS5.3AI score0.00117EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2026/03/17 12:0 p.m.•8 views

Use after free of paging structures in EPT

ISSUE DESCRIPTION The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the...

7.8CVSS5.9AI score0.00128EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2026/03/17 12:0 p.m.•8 views

Xenstored DoS by unprivileged domain

ISSUE DESCRIPTION Any guest issuing a Xenstore command accessing a node using the illegal node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert statement in xenstored. In ca...

7.1CVSS5.6AI score0.00181EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2012/11/13 11:56 a.m.•8 views

Grant table hypercall infinite loop DoS vulnerability

ISSUE DESCRIPTION Due to inappropriate duplicate use of the same loop control variable, passing bad arguments to GNTTABOPgetstatusframes can cause an infinite loop in the compat hypercall handler. IMPACT A malicious guest administrator can trigger the bug. If the Xen watchdog is enabled, the whol...

2.1CVSS7.2AI score0.00433EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2012/09/05 9:12 a.m.•8 views

Qemu VT100 emulation vulnerability

ISSUE DESCRIPTION The device model used by fully virtualised HVM domains, qemu, does not properly handle escape VT100 sequences when emulating certain devices with a virtual console backend. IMPACT An attacker who has sufficient privilege to access a vulnerable device within a guest can overwrite...

7.2CVSS7.1AI score0.00528EPSS
Exploits0
Xen Project
Xen Project
•added 2012/09/05 7:38 a.m.•8 views

hypercall set_debugreg vulnerability

ISSUE DESCRIPTION setdebugreg allows writes to reserved bits of the DR7 debug control register on x86-64. IMPACT A malicious guest can cause the host to crash, leading to a DoS. If the vulnerable hypervisor is run on future hardware, the impact of the vulnerability might be widened depending on t...

2.1CVSS7.2AI score0.00437EPSS
Exploits0
Xen Project
Xen Project
•added 2012/09/05 9:12 a.m.•7 views

PHYSDEVOP_map_pirq index vulnerability

ISSUE DESCRIPTION PHYSDEVOPmappirq with MAPPIRQTYPEGSI does not range check map-index. IMPACT A malicious HVM guest kernel can crash the host. It might also be able to read hypervisor or guest memory. VULNERABLE SYSTEMS All Xen systems running HVM guests. PV guests are not vulnerable. The...

5.6CVSS7.2AI score0.00437EPSS
Exploits0
Total number of security vulnerabilities482