CVSS3: 6.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS2: 2.1 Low
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 19.9%
Modern superscalar processors may employ sophisticated decoding and caching of the instruction stream to improve performance. However, a consequence is that self-modifying code updates may not take effect instantly.
Whatever the architectural guarantees, some CPUs have microarchitectural behaviour whereby the stale instruction stream may be speculatively decoded and executed.
Speculation of this form can suffer from type confusion in registers, and potentially leak data.
For more details, see:
https://www.vusec.net/projects/fpvi-scsb
https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1003
https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/advisory-guidance/speculative-code-store-bypass.html
https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/advisory-guidance/floating-point-value-injection.html
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions#scsb
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions#fvpi
An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.
Systems running all versions of Xen are affected.
Whether a CPU is potentially vulnerable depends on its microarchitecture. Consult your hardware vendor.
Xen running on ARM does not have runtime self-modifying code, so is believed to be not vulnerable, irrespective of any hardware susceptibility.
Xen running on x86 does have runtime self-modifying code as part of emulation, and is believed to be potentially vulnerable.
Xen is not vulnerable if retpoline or lfence mitigations for Spectre v2 protection are active. Protections depend on compiler support (as indicated by INDIRECT_THUNK), and a runtime setting (BTI-Thunk):
BTI-Thunk as either RETPOLINE or LFENCE prevents the vulnerability.
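The advisory's mitigation condition (compiled-in INDIRECT_THUNK support plus a runtime BTI-Thunk setting of RETPOLINE or LFENCE) can be checked from the speculative-mitigation summary that Xen prints at boot and that `xl dmesg` exposes. The script below is an added example, not part of the advisory or of the Xen project; it assumes the summary contains a "Compiled-in support:" line and an "Xen settings: BTI-Thunk <value>, ..." line, and the two log samples embedded in it are constructed for illustration rather than captured from a real host.

```shell
#!/bin/sh
# Added example (not from the Xen advisory): decide whether a Xen host's boot log
# shows the BTI-Thunk mitigation the advisory names (RETPOLINE or LFENCE).
# Assumption: the "Speculative mitigation facilities" block printed by Xen and
# shown by `xl dmesg` has lines of the shape used in the constructed samples below.

# Constructed sample: a build with INDIRECT_THUNK support and a retpoline thunk.
SAMPLE_DMESG_MITIGATED='(XEN) Speculative mitigation facilities:
(XEN)   Compiled-in support: INDIRECT_THUNK SHADOW_PAGING
(XEN)   Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS- STIBP-, Other: IBPB'

# Constructed sample: a build without INDIRECT_THUNK support and no thunk in use.
SAMPLE_DMESG_UNMITIGATED='(XEN) Speculative mitigation facilities:
(XEN)   Compiled-in support: SHADOW_PAGING
(XEN)   Xen settings: BTI-Thunk N/A, SPEC_CTRL: IBRS- STIBP-, Other: IBPB'

# Print the BTI-Thunk value (e.g. RETPOLINE, LFENCE, N/A) found in the log text on
# stdin; prints nothing if no such setting line is present.
bti_thunk_value() {
    sed -n 's/.*BTI-Thunk \([^,]*\),.*/\1/p' | head -n 1
}

# Return 0 when the log text on stdin shows a thunk the advisory lists as
# preventing the issue, 1 otherwise.
bti_thunk_mitigated() {
    thunk=$(bti_thunk_value)
    case "$thunk" in
        RETPOLINE|LFENCE) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the log text on stdin shows compiler support for indirect thunks
# (the INDIRECT_THUNK token on the "Compiled-in support" line), 1 otherwise.
indirect_thunk_compiled_in() {
    grep -q 'Compiled-in support:.*INDIRECT_THUNK'
}

# Print a one-line verdict for the log text passed as the first argument,
# distinguishing a missing build-time feature from a runtime setting issue.
report() {
    log="$1"
    thunk=$(printf '%s\n' "$log" | bti_thunk_value)
    if printf '%s\n' "$log" | bti_thunk_mitigated; then
        echo "BTI-Thunk=${thunk:-absent}: mitigated (retpoline or lfence thunk active)"
    elif printf '%s\n' "$log" | indirect_thunk_compiled_in; then
        echo "BTI-Thunk=${thunk:-absent}: NOT mitigated; compiler support present, review the runtime bti-thunk setting"
    else
        echo "BTI-Thunk=${thunk:-absent}: NOT mitigated; build lacks INDIRECT_THUNK support"
    fi
}

# On a live host the same functions apply to real output, e.g.
#   xl dmesg | bti_thunk_mitigated && echo mitigated
# Here the two constructed samples are reported on instead.
report "$SAMPLE_DMESG_MITIGATED"
report "$SAMPLE_DMESG_UNMITIGATED"
```

The verdict separates the two halves of the advisory's condition: a host whose build lacks INDIRECT_THUNK cannot be fixed by a boot parameter alone, whereas a host that has the compiled-in support but reports a non-mitigating thunk needs its runtime configuration reviewed.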