Lucene search
K
XenMost viewed

482 matches found

Xen Project
Xen Project
•added 2021/09/08 12:0 p.m.•38 views

Another race in XENMAPSPACE_grant_table handling

ISSUE DESCRIPTION Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches back from v2 to v1. Freeing such pages...

7.8CVSS0.5AI score0.00266EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2017/02/15 12:0 p.m.•38 views

memory leak when destroying guest without PT devices

ISSUE DESCRIPTION Certain internal state is set up, during domain construction, in preparation for possible pass-through device assignment. On ARM and AMD V-i hardware this setup includes memory allocation. On guest teardown, cleanup was erroneously only performed when the guest actually had a...

0.6AI score
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/01/23 5:38 p.m.•38 views

PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests

ISSUE DESCRIPTION The PHYSDEVOPprepare,releasemsix operations are supposed to be available to privileged guests domain 0 in non-disaggregated setups only, but the necessary privilege check was missing. IMPACT Malicious or misbehaving unprivileged guests can cause the host or other guests to...

8.3CVSS6.2AI score0.00876EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/11/01 12:0 p.m.•37 views

Xenstore: Guests can cause Xenstore to not free temporary memory

ISSUE DESCRIPTION When working on a request of a guest, xenstored might need to allocate quite large amounts of memory temporarily. This memory is freed only after the request has been finished completely. A request is regarded to be finished only after the guest has read the response message of...

6.5CVSS1.5AI score0.00269EPSS
Exploits0
Xen Project
Xen Project
•added 2016/09/08 12:0 p.m.•36 views

x86: Disallow L3 recursive pagetable for 32-bit PV guests

ISSUE DESCRIPTION On real hardware, a 32-bit PAE guest must leave the USER and RW bit clear in L3 pagetable entries, but the pagetable walk behaves as if they were set. The L3 entries are cached in processor registers, and don't actually form part of the pagewalk. When running a 32-bit PV guest o...

8.2CVSS0.2AI score0.00402EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2023/12/12 12:0 p.m.•35 views

arm32: The cache may not be properly cleaned/invalidated (take two)

ISSUE DESCRIPTION Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes such as the ones during scrubbing have reached memory before handing over the page to a guest. Unfortunately, the...

3.3CVSS6.7AI score0.00241EPSS
Exploits0
Xen Project
Xen Project
•added 2022/11/01 12:0 p.m.•35 views

Xenstore: Guests can create orphaned Xenstore nodes

ISSUE DESCRIPTION By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore data base, as the cleanup after the error will not remove all nodes already created. When the transaction is committed after this situation, nodes...

5.5CVSS2.4AI score0.00264EPSS
Exploits0
Xen Project
Xen Project
•added 2022/01/25 12:0 p.m.•35 views

A PV guest could DoS Xen while unmapping a grant

ISSUE DESCRIPTION To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two...

5.5CVSS0.1AI score0.00336EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2025/02/27 12:53 p.m.•34 views

deadlock potential with VT-d and legacy PCI device pass-through

ISSUE DESCRIPTION When setting up interrupt remapping for legacy PCI-X devices, including PCI-X bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock. IMPACT Th...

7.5CVSS6.7AI score0.00723EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/11/01 12:0 p.m.•34 views

x86: unintended memory sharing between guests

ISSUE DESCRIPTION On Intel systems that support the "virtualize APIC accesses" feature, a guest can read and write the global shared xAPIC page by moving the local APIC out of xAPIC mode. Access to this shared page bypasses the expected isolation that should exist between two guests. IMPACT Guest...

7.1CVSS1.7AI score0.00226EPSS
Exploits0
Xen Project
Xen Project
•added 2017/02/23 4:28 p.m.•34 views

arm: memory corruption when freeing p2m pages

ISSUE DESCRIPTION When freeing pages used for stage-2 page tables, the freeing routine failed to remove these pages from an internally managed list they were put on during allocation. The same list node elements are also used by the hypervisor's page allocator. Subsequent manipulation of ARM's...

2.2AI score
Exploits0
Xen Project
Xen Project
•added 2024/11/12 12:0 p.m.•33 views

Deadlock in x86 HVM standard VGA handling

ISSUE DESCRIPTION The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the virtual VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a...

6.5CVSS7AI score0.00264EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/11/01 12:0 p.m.•33 views

Xenstore: Guests can get access to Xenstore nodes of deleted domains

ISSUE DESCRIPTION Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is normally no problem, as those access right entries will be corrected when such a node is written later...

7CVSS0.4AI score0.0027EPSS
Exploits0
Xen Project
Xen Project
•added 2017/06/20 12:0 p.m.•33 views

x86: insufficient reference counts during shadow emulation

ISSUE DESCRIPTION When using shadow paging, writes to guest pagetables must be trapped and emulated, so the shadows can be suitably adjusted as well. When emulating the write, Xen maps the guests pagetables to make the final adjustment and leave the guest's view of its state consistent. However,...

9CVSS7.1AI score0.01669EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2025/05/27 12:0 p.m.•33 views

WinPVDrivers: Excessive permissions on user-exposed devices

ISSUE DESCRIPTION The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464 IMPACT Unprivileged...

7.4AI score
Exploits0
Xen Project
Xen Project
•added 2024/12/17 12:0 p.m.•28 views

Backend can crash Linux netfront

ISSUE DESCRIPTION After a suspend/resume cycle of a Linux guest e.g. via "virsh dompmsuspend"/ "virsh dompmwakeup" a malicious network backend can crash the guest via a NULL-pointer dereference in the guest's xen-netfront driver. During the resume operation the xen-netfront driver will release so...

5.7CVSS6.5AI score0.00612EPSS
Exploits0
Xen Project
Xen Project
•added 2025/07/08 2:7 p.m.•27 views

x86: Transitive Scheduler Attacks

ISSUE DESCRIPTION Researchers from Microsoft and ETH Zurich have discovered several new speculative sidechannel attacks which bypass current protections. They are detailed in a paper titled "Enter, Exit, Page Fault, Leak: Testing Isolation Boundaries for Microarchitectural Leaks". Two issues, whi...

5.6CVSS6.9AI score0.00425EPSS
Exploits0
Xen Project
Xen Project
•added 2024/07/16 12:0 p.m.•27 views

Xapi: Metadata injection attack against backup/restore functionality

ISSUE DESCRIPTION For a brief summary of Xapi terminology, see: https://xapi-project.github.io/xen-api/overview.htmlobject-model-overview Xapi contains functionality to backup and restore metadata about Virtual Machines and Storage Repositories SRs. The metadata itself is stored in a Virtual Disk...

3.8CVSS6.1AI score0.002EPSS
Exploits0
Xen Project
Xen Project
•added 2024/07/16 12:0 p.m.•27 views

double unlock in x86 guest IRQ handling

ISSUE DESCRIPTION An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different...

7.5CVSS6.3AI score0.00507EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2024/08/13 12:0 p.m.•26 views

PCI device pass-through with shared resources

ISSUE DESCRIPTION When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration canno...

7.5CVSS7.1AI score0.00235EPSS
Exploits0
Xen Project
Xen Project
•added 2022/11/01 12:0 p.m.•26 views

Xenstore: Guests can crash xenstored via exhausting the stack

ISSUE DESCRIPTION Xenstored is using recursion for some Xenstore operations e.g. for deleting a sub-tree of Xenstore nodes. With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored. IMPACT A malicious guest creating very deep nesting...

6.5CVSS2AI score0.00269EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2021/12/20 12:4 p.m.•25 views

frontends vulnerable to backends

ISSUE DESCRIPTION Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the...

1.5AI score
Exploits0
Xen Project
Xen Project
•added 2015/12/17 12:0 p.m.•24 views

ioreq handling possibly susceptible to multiple read issue

ISSUE DESCRIPTION Single memory accesses in source code can be translated to multiple ones in machine code by the compiler, requiring special caution when accessing shared memory. Such precaution was missing from the hypervisor code inspecting the state of I/O requests sent to the device model fo...

2AI score
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/06/17 11:44 a.m.•24 views

unexpected pitfall in xenaccess API

ISSUE DESCRIPTION A test/example program, for exercising the Xen memaccess API, does not take all necessary precautions against hostile guest behaviour. As a result, software developers using it as an example or template might have written and deployed vulnerable code. See the patch for technical...

1.1AI score
Exploits0
Xen Project
Xen Project
•added 2015/11/25 3:29 p.m.•23 views

WITHDRAWN: missing XSETBV intercept privilege check on AMD SVM

ISSUE DESCRIPTION NOTE: This advisory has been withdrawn XSETBV is a privileged instruction, i.e. should result in GP when issued by code running at other than the most privileged level CPL 0. Unlike other privileged and intercepted instructions in AMD SVM, XSETBV has the privilege level check do...

1.4AI score
Exploits0Affected Software1
Xen Project
Xen Project
•added 2026/01/27 12:0 p.m.•22 views

x86: incomplete IBPB for vCPU isolation

ISSUE DESCRIPTION In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1 vCPU runs on CP...

2.9CVSS5.9AI score0.00129EPSS
Exploits0
Xen Project
Xen Project
•added 2024/11/12 12:0 p.m.•22 views

libxl leaks data to PVH guests via ACPI tables

ISSUE DESCRIPTION PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is...

5.5CVSS5.9AI score0.00294EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2024/09/24 12:0 p.m.•21 views

x86: Deadlock in vlapic_error()

ISSUE DESCRIPTION In x86's APIC Advanced Programmable Interrupt Controller architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which...

7.3CVSS7AI score0.00544EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2024/08/13 12:0 p.m.•21 views

error handling in x86 IOMMU identity mapping

ISSUE DESCRIPTION Certain PCI devices in a system might be assigned Reserved Memory Regions specified via Reserved Memory Region Reporting, "RMRR" for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose...

7.5CVSS7.5AI score0.00234EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2025/09/09 12:0 p.m.•20 views

Mutiple vulnerabilities in the Viridian interface

ISSUE DESCRIPTION There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a...

9.8CVSS6.5AI score0.00435EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2025/05/12 5:5 p.m.•20 views

x86: Indirect Target Selection

ISSUE DESCRIPTION Researchers at VU Amsterdam have released Training Solo, detailing several speculative attacks which bypass current protections. One issue, which Intel have named Indirect Target Selection, is a bug in the hardware support for prediction-domain isolation. The mitigation for this...

5.7CVSS7AI score0.00371EPSS
Exploits0
Xen Project
Xen Project
•added 2013/12/10 12:0 p.m.•19 views

Disaggregated domain management security status

ISSUE DESCRIPTION Xen supports disaggregation of various support and management functions into their own domains; this is often done for security and robustness reasons. In Xen 4.3 additional functionality was introduced to allow further disaggregation: the Xen Security Modules mechanism was...

0.7AI score
Exploits0
Xen Project
Xen Project
•added 2015/11/24 5:12 p.m.•18 views

virtual PMU is unsupported

ISSUE DESCRIPTION The Virtual Performance Measurement Unit feature has been documented as unsupported, so far only on Intel CPUs. Further issues have been found or are suspected which would also or exclusively affect AMD CPUs. We believe that the functionality is mostly intended for non-productio...

0.2AI score
Exploits0Affected Software1
Xen Project
Xen Project
•added 2026/06/09 12:0 p.m.•17 views

Arm: Completion of memory accesses not guaranteed by completion of a TLBI

ISSUE DESCRIPTION A hardware issue has been identified in certain Arm CPU designs. A broadcast TLBI on one PE may complete before affected memory accesses on another PE are globally observed. This may permit bypass of Stage 1 translation, Stage 2 translation, or GPT protection. The erratum occurs...

9.1CVSS5.4AI score0.00474EPSS
Exploits0
Xen Project
Xen Project
•added 2026/06/09 12:0 p.m.•16 views

domctl lock open to abuse

ISSUE DESCRIPTION To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is,...

6.5CVSS5.5AI score0.002EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2026/04/28 12:0 p.m.•16 views

Linux kernel double free in Xen privcmd driver

ISSUE DESCRIPTION The Linux kernel's privcmd driver can be abused to circumvent kernel lockdown secure boot by causing a double free of kernel memory. Note that this operation can be performed by root only, so any further impact on the system like denial of service is not security relevant. IMPAC...

7.8CVSS5.3AI score0.00183EPSS
Exploits0
Xen Project
Xen Project
•added 2011/08/12 11:27 a.m.•16 views

Xen DoS using IOMMU faults from PCI-passthrough guest

ISSUE DESCRIPTION A VM that controls a PCIE device directly can cause it to issue DMA requests to invalid addresses. Although these requests are denied by the IOMMU, the hypervisor needs to handle the interrupt and clear the error from the IOMMU, and this can be used to live-lock a CPU and...

4.6CVSS5.8AI score0.0044EPSS
Exploits1
Xen Project
Xen Project
•added 2026/06/09 12:0 p.m.•15 views

x86: mismatched mapcache metadata

ISSUE DESCRIPTION Some shadow paging errors paths will switch the page-tables without updating the currently running vCPU reference. This causes a mismatch between the loaded page-tables and the mapcache metadata which can lead to corruption of the mapcache. IMPACT Privilege escalation, Denial of...

8.1CVSS5.5AI score0.00353EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2026/06/09 12:0 p.m.•15 views

x86 HVM I/O port list traversal

ISSUE DESCRIPTION HVM guest I/O port accesses are subject to either emulation or at least translation. Translations are managed by the device model via XENDOMCTLioportmapping, and hence the linked list used may changed at any time. Traversal of those lists while handling guest I/O port accesses...

7.9CVSS5.5AI score0.00095EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2025/09/09 12:0 p.m.•14 views

Arm issues with page refcounting

ISSUE DESCRIPTION There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held...

7.5CVSS6.5AI score0.0042EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/03/10 12:0 p.m.•14 views

Non-standard PCI device functionality may render pass-through insecure

ISSUE DESCRIPTION Devices with capabilities or defects that are undocumented or that virtualization software is unaware of may allow guests to control parts of the host that they shouldn't be in control of. Here are some examples of the kind of problem: While XSA-120 deals with standard PCI confi...

0.5AI score
Exploits0
Xen Project
Xen Project
•added 2013/05/30 4:36 p.m.•14 views

guest denial of service on syscall/sysenter exception generation

ISSUE DESCRIPTION When guest user code running inside a Xen guest operating system attempts to execute a syscall or sysenter instruction, but when the guest operating system has not registered a handler for that instruction, a General Protection Fault may need to be injected into the guest. It ha...

1.9CVSS5.9AI score0.00397EPSS
Exploits0
Xen Project
Xen Project
•added 2026/05/12 4:2 p.m.•13 views

x86: CPU Opcode Cache corruption

ISSUE DESCRIPTION AMD have disclosed a potential vulnerability in certain CPUs which can cause instructions to execute at a higher privilege. For more information, see: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html IMPACT Code of any privilege could escalate to a...

7.3CVSS5.9AI score0.00258EPSS
Exploits0
Xen Project
Xen Project
•added 2025/07/01 12:0 p.m.•13 views

x86: Incorrect stubs exception handling for flags recovery

ISSUE DESCRIPTION Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be handled gracefully. Certain replayed instructions have additional...

4.3CVSS6.7AI score0.00554EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2019/02/22 5:42 p.m.•13 views

Withdrawn Xen Security Advisory number

DESCRIPTION XSA-283 stated: VT-d: Incorrect accesses into the Interrupt Remapping table A VT-d IOMMU has several tables in main RAM, which are configured by the driver when it starts. The tables are required to be aligned on a 4k boundary, and the control registers in the IOMMU which point to the...

0.7AI score
Exploits0
Xen Project
Xen Project
•added 2012/11/13 11:56 a.m.•13 views

Xen domain builder Out-of-memory due to malicious kernel/ramdisk

ISSUE DESCRIPTION The Xen PV domain builder contained no validation of the size of the supplied kernel or ramdisk either before or after decompression. This could cause the toolstack to consume all available RAM in the domain running the domain builder. CVE-2012-4544 Additionally, under similar...

2.7CVSS7.2AI score0.00923EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2012/11/13 11:56 a.m.•13 views

Memory mapping failure DoS vulnerability

ISSUE DESCRIPTION When setp2mentry fails, Xen's internal data structures the p2m and m2p tables can get out of sync. This failure can be triggered by unusual guest behaviour exhausting the memory reserved for the p2m table. If it happens, subsequent guest-invoked memory operations can cause Xen t...

2.1CVSS7.2AI score0.00433EPSS
Exploits0
Xen Project
Xen Project
•added 2012/09/06 2:13 p.m.•13 views

guest administrator can access qemu monitor console

ISSUE DESCRIPTION A guest administrator who is granted access to the graphical console of a Xen guest can access the qemu monitor. The monitor can be used to access host resources. IMPACT A malicious guest administrator can access host resources perhaps belonging to other guests or the underlying...

4.6CVSS7.1AI score0.00379EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2012/09/05 9:14 a.m.•13 views

grant table entry swaps have inadequate bounds checking

ISSUE DESCRIPTION The grant table hypercall's GNTTABOPswapgrantref sub-operation does not perform adequate checks on the input grant references. IMPACT A malicious guest kernel or administrator can crash the host. It may be possible for an attacker to swap a valid grant reference, which they...

6.9CVSS5.9AI score0.00356EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2012/09/05 9:10 a.m.•13 views

multiple TMEM hypercall vulnerabilities

ISSUE DESCRIPTION Several sub-operations of the Transcendent Memory TMEM hypercall either do not correctly validate their inputs, do not correctly validate the privilege of the calling guest, or have other security-relevant bugs. A full list of the vulnerabilities in the TMEM system is not...

6.9CVSS7.2AI score0.00396EPSS
Exploits0
Total number of security vulnerabilities482