7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
6.9 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
25.6%
The grant table code in Xen has a bespoke semi-lockfree allocator for recording grant mappings (“maptrack” entries). This allocator has a race which allows the free list to be corrupted.
Specifically: the code for removing an entry from the free list, prior to use, assumes (without locking) that if inspecting head item shows that it is not the tail, it will continue to not be the tail of the list if it is later found to be still the head and removed with cmpxchg. But the entry might have been removed and replaced, with the result that it might be the tail by then. (The invariants for the semi-lockfree data structure were never formally documented.)
Additionally, a stolen entry is put on the free list with an incorrect link field, which will very likely corrupt the list.
A malicious guest administrator can crash the host, and can probably escalate their privilege to that of the host.
Xen 4.6 and later are vulnerable.
Xen 4.5 and earlier are not vulnerable.
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
6.9 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
25.6%