CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS2: 6.9 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low
Percentile: 13.4%

When adding a passed-through PCI device to a domain after it was already started, IOMMU page tables may need constructing on the fly. For PV guests the decision whether a page ought to have a mapping is based on whether the page is writable, to prevent IOMMU access to things like page tables. Writability of a page may, however, change at any time. Failure of the relevant code to respect this possible race may lead to IOMMU mappings of, in particular, page tables, allowing the guest to alter such page tables without Xen auditing the changes.
Malicious PV guests can escalate their privilege to that of the hypervisor.
All versions of Xen are vulnerable.
Only x86 systems are vulnerable. ARM systems are not vulnerable.
Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability.
Only guests which are assigned a device after domain creation can exploit this vulnerability. Guests which are not assigned devices, or guests assigned devices at domain creation time, cannot exploit this vulnerability.
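
The check-then-map race described above, as an added example: a simplified single-threaded model, not Xen code and not the actual patch. All names (struct page, retype, populate_racy, populate_pinned) are hypothetical, the interleaving is constructed through a callback, and pinning the page type across the check and the map is an assumed way to close the window.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model, not Xen code; every name here is hypothetical. */
enum ptype { PG_WRITABLE, PG_PAGETABLE };

struct page {
    enum ptype type;
    unsigned type_refs;  /* holders that pin the current type */
    bool iommu_mapped;   /* device DMA can reach this page */
};

/* Guest-triggered type change: refused while the type is pinned, and a
 * page that stops being writable loses its IOMMU mapping. */
static bool retype(struct page *pg, enum ptype t)
{
    if (pg->type_refs > 0 && pg->type != t)
        return false;
    pg->type = t;
    if (t != PG_WRITABLE)
        pg->iommu_mapped = false;
    return true;
}

typedef void (*race_hook)(struct page *);

/* Racy: nothing keeps the type stable between the check and the map. */
static void populate_racy(struct page *pg, race_hook between)
{
    bool writable = (pg->type == PG_WRITABLE);  /* time of check */
    if (between) between(pg);                   /* another vCPU runs here */
    if (writable) pg->iommu_mapped = true;      /* time of use */
}

/* Pinned: hold a type reference so the page stays writable until mapped;
 * later type changes go through retype(), which removes the mapping. */
static void populate_pinned(struct page *pg, race_hook between)
{
    if (pg->type != PG_WRITABLE) return;
    pg->type_refs++;
    if (between) between(pg);
    pg->iommu_mapped = true;
    pg->type_refs--;
}

/* Constructed interleaving: the guest turns the page into a page table. */
static void guest_makes_pagetable(struct page *pg) { retype(pg, PG_PAGETABLE); }

/* True when a page-table page ended up reachable by device DMA. */
static bool unaudited_pt_mapping(void (*populate)(struct page *, race_hook))
{
    struct page pg = { PG_WRITABLE, 0, false };
    populate(&pg, guest_makes_pagetable);
    return pg.type == PG_PAGETABLE && pg.iommu_mapped;
}

int main(void) { return unaudited_pt_mapping(populate_pinned) ? 1 : 0; }
```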