482 matches found
Another race in XENMAPSPACE_grant_table handling
ISSUE DESCRIPTION Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches back from v2 to v1. Freeing such pages...
memory leak when destroying guest without PT devices
ISSUE DESCRIPTION Certain internal state is set up, during domain construction, in preparation for possible pass-through device assignment. On ARM and AMD V-i hardware this setup includes memory allocation. On guest teardown, cleanup was erroneously only performed when the guest actually had a...
PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
ISSUE DESCRIPTION The PHYSDEVOPprepare,releasemsix operations are supposed to be available to privileged guests domain 0 in non-disaggregated setups only, but the necessary privilege check was missing. IMPACT Malicious or misbehaving unprivileged guests can cause the host or other guests to...
Xenstore: Guests can cause Xenstore to not free temporary memory
ISSUE DESCRIPTION When working on a request of a guest, xenstored might need to allocate quite large amounts of memory temporarily. This memory is freed only after the request has been finished completely. A request is regarded to be finished only after the guest has read the response message of...
x86: Disallow L3 recursive pagetable for 32-bit PV guests
ISSUE DESCRIPTION On real hardware, a 32-bit PAE guest must leave the USER and RW bit clear in L3 pagetable entries, but the pagetable walk behaves as if they were set. The L3 entries are cached in processor registers, and don't actually form part of the pagewalk. When running a 32-bit PV guest o...
arm32: The cache may not be properly cleaned/invalidated (take two)
ISSUE DESCRIPTION Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes such as the ones during scrubbing have reached memory before handing over the page to a guest. Unfortunately, the...
Xenstore: Guests can create orphaned Xenstore nodes
ISSUE DESCRIPTION By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore data base, as the cleanup after the error will not remove all nodes already created. When the transaction is committed after this situation, nodes...
A PV guest could DoS Xen while unmapping a grant
ISSUE DESCRIPTION To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two...
deadlock potential with VT-d and legacy PCI device pass-through
ISSUE DESCRIPTION When setting up interrupt remapping for legacy PCI-X devices, including PCI-X bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock. IMPACT Th...
x86: unintended memory sharing between guests
ISSUE DESCRIPTION On Intel systems that support the "virtualize APIC accesses" feature, a guest can read and write the global shared xAPIC page by moving the local APIC out of xAPIC mode. Access to this shared page bypasses the expected isolation that should exist between two guests. IMPACT Guest...
arm: memory corruption when freeing p2m pages
ISSUE DESCRIPTION When freeing pages used for stage-2 page tables, the freeing routine failed to remove these pages from an internally managed list they were put on during allocation. The same list node elements are also used by the hypervisor's page allocator. Subsequent manipulation of ARM's...
Deadlock in x86 HVM standard VGA handling
ISSUE DESCRIPTION The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the virtual VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a...
Xenstore: Guests can get access to Xenstore nodes of deleted domains
ISSUE DESCRIPTION Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is normally no problem, as those access right entries will be corrected when such a node is written later...
x86: insufficient reference counts during shadow emulation
ISSUE DESCRIPTION When using shadow paging, writes to guest pagetables must be trapped and emulated, so the shadows can be suitably adjusted as well. When emulating the write, Xen maps the guests pagetables to make the final adjustment and leave the guest's view of its state consistent. However,...
WinPVDrivers: Excessive permissions on user-exposed devices
ISSUE DESCRIPTION The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464 IMPACT Unprivileged...
Backend can crash Linux netfront
ISSUE DESCRIPTION After a suspend/resume cycle of a Linux guest e.g. via "virsh dompmsuspend"/ "virsh dompmwakeup" a malicious network backend can crash the guest via a NULL-pointer dereference in the guest's xen-netfront driver. During the resume operation the xen-netfront driver will release so...
x86: Transitive Scheduler Attacks
ISSUE DESCRIPTION Researchers from Microsoft and ETH Zurich have discovered several new speculative sidechannel attacks which bypass current protections. They are detailed in a paper titled "Enter, Exit, Page Fault, Leak: Testing Isolation Boundaries for Microarchitectural Leaks". Two issues, whi...
Xapi: Metadata injection attack against backup/restore functionality
ISSUE DESCRIPTION For a brief summary of Xapi terminology, see: https://xapi-project.github.io/xen-api/overview.htmlobject-model-overview Xapi contains functionality to backup and restore metadata about Virtual Machines and Storage Repositories SRs. The metadata itself is stored in a Virtual Disk...
double unlock in x86 guest IRQ handling
ISSUE DESCRIPTION An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different...
PCI device pass-through with shared resources
ISSUE DESCRIPTION When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration canno...
Xenstore: Guests can crash xenstored via exhausting the stack
ISSUE DESCRIPTION Xenstored is using recursion for some Xenstore operations e.g. for deleting a sub-tree of Xenstore nodes. With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored. IMPACT A malicious guest creating very deep nesting...
frontends vulnerable to backends
ISSUE DESCRIPTION Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the...
ioreq handling possibly susceptible to multiple read issue
ISSUE DESCRIPTION Single memory accesses in source code can be translated to multiple ones in machine code by the compiler, requiring special caution when accessing shared memory. Such precaution was missing from the hypervisor code inspecting the state of I/O requests sent to the device model fo...
unexpected pitfall in xenaccess API
ISSUE DESCRIPTION A test/example program, for exercising the Xen memaccess API, does not take all necessary precautions against hostile guest behaviour. As a result, software developers using it as an example or template might have written and deployed vulnerable code. See the patch for technical...
WITHDRAWN: missing XSETBV intercept privilege check on AMD SVM
ISSUE DESCRIPTION NOTE: This advisory has been withdrawn XSETBV is a privileged instruction, i.e. should result in GP when issued by code running at other than the most privileged level CPL 0. Unlike other privileged and intercepted instructions in AMD SVM, XSETBV has the privilege level check do...
x86: incomplete IBPB for vCPU isolation
ISSUE DESCRIPTION In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1 vCPU runs on CP...
libxl leaks data to PVH guests via ACPI tables
ISSUE DESCRIPTION PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is...
x86: Deadlock in vlapic_error()
ISSUE DESCRIPTION In x86's APIC Advanced Programmable Interrupt Controller architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which...
error handling in x86 IOMMU identity mapping
ISSUE DESCRIPTION Certain PCI devices in a system might be assigned Reserved Memory Regions specified via Reserved Memory Region Reporting, "RMRR" for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose...
Mutiple vulnerabilities in the Viridian interface
ISSUE DESCRIPTION There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a...
x86: Indirect Target Selection
ISSUE DESCRIPTION Researchers at VU Amsterdam have released Training Solo, detailing several speculative attacks which bypass current protections. One issue, which Intel have named Indirect Target Selection, is a bug in the hardware support for prediction-domain isolation. The mitigation for this...
Disaggregated domain management security status
ISSUE DESCRIPTION Xen supports disaggregation of various support and management functions into their own domains; this is often done for security and robustness reasons. In Xen 4.3 additional functionality was introduced to allow further disaggregation: the Xen Security Modules mechanism was...
virtual PMU is unsupported
ISSUE DESCRIPTION The Virtual Performance Measurement Unit feature has been documented as unsupported, so far only on Intel CPUs. Further issues have been found or are suspected which would also or exclusively affect AMD CPUs. We believe that the functionality is mostly intended for non-productio...
Arm: Completion of memory accesses not guaranteed by completion of a TLBI
ISSUE DESCRIPTION A hardware issue has been identified in certain Arm CPU designs. A broadcast TLBI on one PE may complete before affected memory accesses on another PE are globally observed. This may permit bypass of Stage 1 translation, Stage 2 translation, or GPT protection. The erratum occurs...
domctl lock open to abuse
ISSUE DESCRIPTION To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is,...
Linux kernel double free in Xen privcmd driver
ISSUE DESCRIPTION The Linux kernel's privcmd driver can be abused to circumvent kernel lockdown secure boot by causing a double free of kernel memory. Note that this operation can be performed by root only, so any further impact on the system like denial of service is not security relevant. IMPAC...
Xen DoS using IOMMU faults from PCI-passthrough guest
ISSUE DESCRIPTION A VM that controls a PCIE device directly can cause it to issue DMA requests to invalid addresses. Although these requests are denied by the IOMMU, the hypervisor needs to handle the interrupt and clear the error from the IOMMU, and this can be used to live-lock a CPU and...
x86: mismatched mapcache metadata
ISSUE DESCRIPTION Some shadow paging errors paths will switch the page-tables without updating the currently running vCPU reference. This causes a mismatch between the loaded page-tables and the mapcache metadata which can lead to corruption of the mapcache. IMPACT Privilege escalation, Denial of...
x86 HVM I/O port list traversal
ISSUE DESCRIPTION HVM guest I/O port accesses are subject to either emulation or at least translation. Translations are managed by the device model via XENDOMCTLioportmapping, and hence the linked list used may changed at any time. Traversal of those lists while handling guest I/O port accesses...
Arm issues with page refcounting
ISSUE DESCRIPTION There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held...
Non-standard PCI device functionality may render pass-through insecure
ISSUE DESCRIPTION Devices with capabilities or defects that are undocumented or that virtualization software is unaware of may allow guests to control parts of the host that they shouldn't be in control of. Here are some examples of the kind of problem: While XSA-120 deals with standard PCI confi...
guest denial of service on syscall/sysenter exception generation
ISSUE DESCRIPTION When guest user code running inside a Xen guest operating system attempts to execute a syscall or sysenter instruction, but when the guest operating system has not registered a handler for that instruction, a General Protection Fault may need to be injected into the guest. It ha...
x86: CPU Opcode Cache corruption
ISSUE DESCRIPTION AMD have disclosed a potential vulnerability in certain CPUs which can cause instructions to execute at a higher privilege. For more information, see: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html IMPACT Code of any privilege could escalate to a...
x86: Incorrect stubs exception handling for flags recovery
ISSUE DESCRIPTION Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be handled gracefully. Certain replayed instructions have additional...
Withdrawn Xen Security Advisory number
DESCRIPTION XSA-283 stated: VT-d: Incorrect accesses into the Interrupt Remapping table A VT-d IOMMU has several tables in main RAM, which are configured by the driver when it starts. The tables are required to be aligned on a 4k boundary, and the control registers in the IOMMU which point to the...
Xen domain builder Out-of-memory due to malicious kernel/ramdisk
ISSUE DESCRIPTION The Xen PV domain builder contained no validation of the size of the supplied kernel or ramdisk either before or after decompression. This could cause the toolstack to consume all available RAM in the domain running the domain builder. CVE-2012-4544 Additionally, under similar...
Memory mapping failure DoS vulnerability
ISSUE DESCRIPTION When setp2mentry fails, Xen's internal data structures the p2m and m2p tables can get out of sync. This failure can be triggered by unusual guest behaviour exhausting the memory reserved for the p2m table. If it happens, subsequent guest-invoked memory operations can cause Xen t...
guest administrator can access qemu monitor console
ISSUE DESCRIPTION A guest administrator who is granted access to the graphical console of a Xen guest can access the qemu monitor. The monitor can be used to access host resources. IMPACT A malicious guest administrator can access host resources perhaps belonging to other guests or the underlying...
grant table entry swaps have inadequate bounds checking
ISSUE DESCRIPTION The grant table hypercall's GNTTABOPswapgrantref sub-operation does not perform adequate checks on the input grant references. IMPACT A malicious guest kernel or administrator can crash the host. It may be possible for an attacker to swap a valid grant reference, which they...
multiple TMEM hypercall vulnerabilities
ISSUE DESCRIPTION Several sub-operations of the Transcendent Memory TMEM hypercall either do not correctly validate their inputs, do not correctly validate the privilege of the calling guest, or have other security-relevant bugs. A full list of the vulnerabilities in the TMEM system is not...