CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS2: 6.9 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low
Percentile: 13.3%
To efficiently change the physical-to-machine address mappings of a larger range of addresses for fully virtualized guests, Xen contains an optimization that coalesces per-page IOMMU TLB flushes into a single, wider flush issued after all adjustments have been made. While this is fine for newly introduced page mappings, the possible removal of pages from such guests during this operation should not be "optimized" in the same way. This is because the (typically) final reference to such pages is dropped before the coalesced flush, so the pages may already have been put to a different use even though DMA initiated by their original owner might still be in progress.
A malicious guest might be able to cause data corruption and data leaks. Host or guest Denial of Service (DoS), and privilege escalation, cannot be ruled out.
All Xen versions from 4.2 onwards are vulnerable. Xen versions 4.1 and earlier are not vulnerable.
Only x86 HVM and PVH guests can leverage the vulnerability. Arm guests as well as x86 PV ones cannot leverage the vulnerability.
Only x86 HVM and PVH guests which have physical devices passed through to them can leverage the vulnerability.
Only x86 HVM and PVH guests configured to not share IOMMU and CPU page tables can leverage the vulnerability. Sharing these page tables is the default on capable Intel (VT-d) hardware. On AMD hardware sharing is not possible. On Intel (VT-d) hardware sharing may also not be possible, depending on hardware properties. Whether it is possible can be seen from the presence (or absence) of "iommu_hap_pt_share" on the "virt_caps" line of "xl info" output. Guests running in shadow mode can leverage the vulnerability.
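The exposure conditions above (Xen version, guest type, device passthrough, and whether IOMMU and CPU page tables are shared) can be turned into a small triage helper. The following is an added example and is not code from the Xen project or the advisory: it parses "key : value" lines in the style of "xl info" output, checks "virt_caps" for "iommu_hap_pt_share", and applies the advisory's stated conditions to a list of guests. The "xl info" samples, the Guest fields, and the assumption that a HAP guest on a capable host shares page tables by default (with no explicit administrator override modelled) are all constructed for this example.

```python
"""Added triage helper (not part of the Xen advisory): classify guests against
the advisory's stated exposure conditions using `xl info`-style output."""
import re
from dataclasses import dataclass

# Constructed sample `xl info` output (only the lines this helper reads).
SAMPLE_XL_INFO_VTD = """\
host                   : xen-host-1
xen_version            : 4.15.0
virt_caps              : pv hvm hap shadow iommu_hap_pt_share
"""

# Constructed sample for a host that does not advertise page table sharing.
SAMPLE_XL_INFO_AMD = """\
host                   : xen-host-2
xen_version            : 4.15.0
virt_caps              : pv hvm hap shadow
"""


@dataclass
class Guest:
    name: str
    arch: str          # "x86" or "arm"
    kind: str          # "hvm", "pvh" or "pv"
    passthrough: bool  # physical devices passed through to the guest
    hap: bool          # True: HAP (nested paging); False: shadow paging


# Constructed guest inventory used by the stand-alone run below.
SAMPLE_GUESTS = [
    Guest("web01", "x86", "hvm", passthrough=True, hap=True),
    Guest("nic-fw", "x86", "hvm", passthrough=True, hap=False),
    Guest("legacy-pv", "x86", "pv", passthrough=True, hap=False),
    Guest("build", "x86", "pvh", passthrough=False, hap=True),
]


def parse_xl_info(text: str) -> dict:
    """Parse "key : value" lines (assumed `xl info` layout) into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s*:\s*(.*?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def xen_version_tuple(info: dict) -> tuple:
    """Return (major, minor) from the xen_version line; (0, 0) if absent."""
    m = re.match(r"(\d+)\.(\d+)", info.get("xen_version", ""))
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def host_can_share_pt(info: dict) -> bool:
    """True if virt_caps advertises IOMMU/CPU page table sharing."""
    return "iommu_hap_pt_share" in info.get("virt_caps", "").split()


def assess(info: dict, guest: Guest) -> tuple:
    """Return (in_affected_class, reason) following the advisory's conditions."""
    if xen_version_tuple(info) < (4, 2):
        return False, "Xen 4.1 or earlier is not vulnerable"
    if guest.arch != "x86" or guest.kind not in ("hvm", "pvh"):
        return False, "only x86 HVM/PVH guests can leverage the issue"
    if not guest.passthrough:
        return False, "no physical devices passed through"
    # Sharing needs HAP plus a host advertising iommu_hap_pt_share, and is the
    # default in that case; shadow-mode guests never share. Administrator
    # overrides of the default are not modelled here (assumption).
    if guest.hap and host_can_share_pt(info):
        return False, "IOMMU and CPU page tables are shared by default"
    return True, "HVM/PVH guest with passthrough and unshared IOMMU page tables"


def triage(xl_info_text: str, guests) -> list:
    """Assess every guest against one host's `xl info` output."""
    info = parse_xl_info(xl_info_text)
    return [(g.name, *assess(info, g)) for g in guests]


if __name__ == "__main__":
    for host_text in (SAMPLE_XL_INFO_VTD, SAMPLE_XL_INFO_AMD):
        print(parse_xl_info(host_text)["host"])
        for name, affected, reason in triage(host_text, SAMPLE_GUESTS):
            print(f"  {name:10} {'AFFECTED' if affected else 'ok':9} {reason}")
```

On the VT-d sample host only the shadow-mode guest with passthrough is flagged; on the sample host without "iommu_hap_pt_share" every HVM/PVH guest with passthrough is flagged, matching the advisory's note that sharing is not possible on AMD hardware.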