Xen Project XSA-243
History: Oct 12, 2017 - 12:00 p.m.

x86: Incorrect handling of self-linear shadow mappings with translated guests

2017-10-12 12:00:00
Xen Project
xenbits.xen.org

8.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

25.5%

ISSUE DESCRIPTION

The shadow pagetable code uses linear mappings to inspect and modify the shadow pagetables. A linear mapping which points back to itself is known as self-linear. For translated guests, the shadow linear mappings (being in a separate address space) are not intended to be self-linear. For non-translated guests, the shadow linear mappings (being the same address space) are intended to be self-linear.
When constructing a monitor pagetable for Xen to run on a vcpu with, the shadow linear slot is filled with a self-linear mapping, and for translated guests, shortly thereafter replaced with a non-self-linear mapping, when the guest’s %cr3 is shadowed.
However when writeable heuristics are used, the shadow mappings are used as part of shadowing %cr3, causing the heuristics to be applied to Xen’s pagetables, not the guest shadow pagetables.
While investigating, it was also identified that PV auto-translate mode was insecure. This mode was removed in Xen 4.7 due to being unused, unmaintained and presumed broken. We are not aware of any guest implementation of PV auto-translate mode.
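To make the advisory's terms concrete, here is an added, constructed model of a "linear slot" in a top-level pagetable; it is not Xen code and uses a deliberately tiny scheme (two paging levels, four entries per table, 8-bit frame numbers, frames 0 and 4 chosen as the monitor and shadow tables, all assumptions for illustration). It shows that a self-linear slot makes the table hierarchy visible through its own address space, and that any code inspecting pagetables through that slot therefore touches Xen's own tables until the slot is re-pointed at the guest's shadow, which is the state the description above says a translated guest's monitor table must reach.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Xen code: two paging levels, four entries per
 * table, frame numbers as 8-bit values.  Entry LINEAR_SLOT of a top-level
 * table plays the role of the advisory's "shadow linear slot". */
#define ENTRIES     4
#define LINEAR_SLOT 3
#define NO_FRAME    0xFF
#define NFRAMES     16

/* Assumed frame numbers: MONITOR is the table Xen runs the vcpu on,
 * SHADOW is the top-level shadow of a translated guest's %cr3. */
#define MONITOR 0
#define SHADOW  4

typedef struct { uint8_t entry[ENTRIES]; } table_t;
static table_t frames[NFRAMES];   /* "physical memory": every frame holds a table */

/* Resolve a two-level "virtual address" (i, j) against the table in frame root. */
static uint8_t walk(uint8_t root, unsigned i, unsigned j)
{
    uint8_t l2 = frames[root].entry[i];
    if (l2 == NO_FRAME) return NO_FRAME;
    return frames[l2].entry[j];
}

/* The linear slot is self-linear when it points back at its own table. */
static bool is_self_linear(uint8_t root)
{
    return frames[root].entry[LINEAR_SLOT] == root;
}

/* Which second-level table does a walk through the linear slot reach for
 * index j?  This is what any code (a heuristic, for instance) that inspects
 * pagetables via the linear mapping actually touches. */
static uint8_t linear_target_table(uint8_t root, unsigned j)
{
    return walk(root, LINEAR_SLOT, j);
}

/* For a translated guest the monitor table must not keep the self-linear
 * mapping: the guest's shadow lives in a separate address space. */
static bool monitor_ok_for_translated(uint8_t monitor)
{
    return !is_self_linear(monitor) && frames[monitor].entry[LINEAR_SLOT] != NO_FRAME;
}

/* Build the constructed layout: a monitor table with its own L2 tables and a
 * freshly created self-linear slot (the state right after the monitor table
 * is built), plus a separate shadow hierarchy for the guest. */
static void setup_example(void)
{
    memset(frames, NO_FRAME, sizeof frames);
    frames[MONITOR].entry[0] = 1;                  /* Xen's own L2 tables: frames 1, 2 */
    frames[MONITOR].entry[1] = 2;
    frames[MONITOR].entry[LINEAR_SLOT] = MONITOR;  /* self-linear, as initially constructed */
    frames[1].entry[0] = 8;  frames[2].entry[0] = 9;      /* data frames */
    frames[SHADOW].entry[0] = 5;                   /* guest shadow L2 tables: frames 5, 6 */
    frames[SHADOW].entry[1] = 6;
    frames[5].entry[0] = 10; frames[6].entry[0] = 11;
}

/* Shadowing the guest's %cr3: re-point the monitor's linear slot at the shadow. */
static void install_shadow(uint8_t monitor, uint8_t shadow)
{
    frames[monitor].entry[LINEAR_SLOT] = shadow;
}

int main(void)
{
    setup_example();
    printf("before shadowing: self-linear=%d, linear walk j=0 reaches frame %d (Xen's own table)\n",
           is_self_linear(MONITOR), linear_target_table(MONITOR, 0));
    install_shadow(MONITOR, SHADOW);
    printf("after shadowing:  self-linear=%d, linear walk j=0 reaches frame %d (guest shadow table)\n",
           is_self_linear(MONITOR), linear_target_table(MONITOR, 0));
    return 0;
}
```

The window between `setup_example()` and `install_shadow()` is the one the advisory is about: `linear_target_table()` returns Xen's own second-level table there, so anything applied through the linear mapping in that window modifies the hypervisor's pagetables rather than the guest's shadow. `monitor_ok_for_translated()` is the consistency check one would want to hold before such code runs for a translated guest.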

IMPACT

A malicious or buggy HVM guest may cause a hypervisor crash, resulting in a Denial of Service (DoS) affecting the entire host, or cause hypervisor memory corruption. We cannot rule out a guest being able to escalate its privilege.

VULNERABLE SYSTEMS

All versions of Xen are vulnerable.
HVM guests using shadow mode paging can exploit this vulnerability. HVM guests using Hardware Assisted Paging (HAP) as well as PV guests cannot exploit this vulnerability.
ARM systems are not vulnerable.

CPE Name | Operator | Version
--- | --- | ---
xen | eq | any
