CVSS3: 8.8 High
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 7.2 High
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.0004 Low
Percentile: 13.3%
The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when it is stopped. However, the handler may not have time to run if the frontend quickly toggles between the connect and disconnect states.
As a consequence, the block backend may re-use a pointer after it has been freed.
A misbehaving guest can trigger a dom0 crash by continuously connecting and disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out.
Systems using Linux blkback are vulnerable. This includes most systems with a Linux dom0, or Linux driver domains.
Linux versions containing a24fa22ce22a (“xen/blkback: don’t use xen_blkif_get() in xen-blkback kthread”), or its backports, are vulnerable. This includes all current linux-stable branches back to at least linux-stable/linux-4.4.y.
When the Xen PV block backend is provided by userspace (e.g. qemu), that backend is not vulnerable. So configurations where the xl.cfg domain configuration file specifies all disks with backendtype="qdisk" are not vulnerable.
The Linux blkback only supports raw format images, so when all disks have a format other than format="raw", the system is not vulnerable.
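A conservative configuration check for the two safe conditions described above, added here as an example and not part of the advisory: it parses the disk entries of an xl.cfg file and lists the disks that are neither explicitly backendtype=qdisk nor of a non-raw format, i.e. the ones that may be served by Linux blkback. The sample xl.cfg text is constructed, and the rule that anything not explicitly qdisk with a raw (or unspecified, defaulting to raw) format goes to blkback is an assumption made for a conservative audit, not xl's actual backend selection logic.

```python
import re

# Constructed sample xl.cfg fragment (not taken from the advisory). The third
# entry uses the positional form, which xl reads as target,format,vdev,access.
SAMPLE_CFG = '''
name = "guest1"
disk = [
    'format=raw, vdev=xvda, access=rw, target=/dev/vg0/guest1-root',
    'backendtype=qdisk, format=qcow2, vdev=xvdb, access=rw, target=/srv/img/guest1-data.qcow2',
    '/dev/vg0/guest1-swap,raw,xvdc,w',
]
'''

POSITIONAL = ("target", "format", "vdev", "access")


def parse_disk_specs(cfg_text):
    """Return a list of {key: value} dicts, one per entry of the disk = [...] list."""
    m = re.search(r"^\s*disk\s*=\s*\[(.*?)\]", cfg_text, re.S | re.M)
    if not m:
        return []
    specs = re.findall(r"""['"]([^'"]*)['"]""", m.group(1))
    parsed = []
    for spec in specs:
        params = {}
        pos = 0
        for part in (p.strip() for p in spec.split(",")):
            if not part:
                continue
            if "=" in part:
                key, value = part.split("=", 1)
                params[key.strip()] = value.strip()
            elif pos < len(POSITIONAL):
                params[POSITIONAL[pos]] = part
                pos += 1
        parsed.append(params)
    return parsed


def uses_linux_blkback(params):
    """Assumption (conservative heuristic): explicit qdisk is safe, a non-raw format
    is safe (blkback only does raw); everything else is treated as blkback-backed."""
    if params.get("backendtype", "").lower() == "qdisk":
        return False
    return params.get("format", "raw").lower() == "raw"


def blkback_disks(cfg_text):
    """vdev names of the disks that may be handled by the vulnerable Linux blkback."""
    return [p.get("vdev", "?") for p in parse_disk_specs(cfg_text) if uses_linux_blkback(p)]
```

Run `blkback_disks(SAMPLE_CFG)` over the constructed config to see which entries would still need the kernel fix; an empty list means every disk matches one of the safe conditions above.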