CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
49.3%
When a graphics update command gets passed to the VGA emulator, there are 3 possible modes that can be used to update the display:
A privileged user within the guest VM can cause a heap overflow in the device model process, potentially escalating their privileges to that of the device model process.
All versions of Xen are vulnerable.
Only HVM guests with the Cirrus video card are vulnerable. (The Cirrus video card is the default.) Both qemu-upstream and qemu-traditional are vulnerable.
For HVM guests with the device model running in a stub domain, “the privileges of the device model process” are identical to those of the guest kernel. But the ability of a userspace process to trigger this vulnerability via legitimate commands to the kernel driver (thus elevating its privileges to that of the guest kernel) cannot be ruled out.
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
49.3%