3.2 Low
CVSS2
Access Vector
Access Complexity
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:S/C:P/I:N/A:P
0.001 Low
EPSS
Percentile
29.0%
The HVMOP_set_mem_access operation handler uses an input as an array index before range checking it.
A malicious guest administrator can cause Xen to crash. If the out of array bounds access does not crash, the arbitrary value read will be used if the caller reads back the default access through the HVMOP_get_mem_access operation, thus causing an information leak. The caller cannot, however, directly control the address from which to read, since the value read in the first step will be used as an array index again in the second step.
Only Xen version 4.1 is vulnerable.
The vulnerability is only exposed to HVM guests.