8.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
6.1 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:P/I:P/A:C
0.001 Low
EPSS
Percentile
25.6%
Grant tables come in two flavors (versions), and domains are permitted to freely change between them (subject to certain constraints). For the guest to use the facility, both the “normal” shared pages (applicable to v1 and v2) and the “status” pages (applicable to v2 only) need to be mapped by the guest into its address space.
When transitioning from v2 to v1, the status pages become unnecessary and are therefore freed by Xen. That means Xen needs to check that there are no mappings of those pages by the domain. However, that check was mistakenly implemented as a bug check, rather than returning an error to the guest.
A malicious or buggy guest may cause a hypervisor crash, resulting in a Denial of Service (DoS) affecting the entire host. Privilege escalation as well as information leaks cannot be ruled out for HVM, PVH (both x86), and ARM guests.
The impact is more severe for Xen versions 4.0.x, 4.1.0 … 4.1.3, and 4.2 in that the pages are freed without any checking, thus allowing their re-use for another domain, or by Xen itself, while there still are active mappings (see XSA-26).
Xen versions 4.0 and newer are vulnerable.
Both x86 and ARM systems are vulnerable.
8.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
6.1 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:P/I:P/A:C
0.001 Low
EPSS
Percentile
25.6%