CVSS2: 4.7 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C
EPSS: 0.001 Low
EPSS Percentile: 26.0%
Processors perform certain validity checks on the register values passed to XSETBV. In the PV emulation path for that instruction, the hypervisor code did not check for certain invalid bit combinations, so a fault could occur when the hypervisor executed the instruction on behalf of the guest.
Malicious or buggy unprivileged user space can cause the entire host to crash.
Xen 4.1 and onwards are vulnerable when run on systems with processors supporting XSAVE. Only PV guests can exploit the vulnerability.
In Xen 4.1 XSAVE support is disabled by default; therefore systems running these versions are not vulnerable unless support is explicitly enabled using the “xsave” hypervisor command line option.
Systems using processors not supporting XSAVE are not vulnerable.
Xen 3.x and earlier are not vulnerable. In particular, Xen 4.0.x is not vulnerable because XSAVE support there covers only HVM guests.
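
The kind of pre-validation an XSETBV emulation path needs, as an added example that is not Xen's code or the actual fix. The advisory does not list the invalid combinations, so the rules below are the architectural XCR0 constraints (x87 bit always set, AVX state only together with SSE, no bits the CPU does not support); the function names and `host_mask` parameter are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* XCR0 state-component bits as defined by the x86 architecture. */
#define XSTATE_FP   (1ULL << 0)   /* x87 state: must always be set  */
#define XSTATE_SSE  (1ULL << 1)   /* XMM registers                  */
#define XSTATE_YMM  (1ULL << 2)   /* AVX upper halves: requires SSE */

/*
 * Hypothetical helper: would the processor accept this XSETBV request?
 *   index     - guest ECX (which XCR is being written)
 *   new_bv    - guest EDX:EAX (requested register value)
 *   host_mask - XCR0 bits the CPU supports (CPUID leaf 0xD, sub-leaf 0)
 */
bool xsetbv_request_valid(uint32_t index, uint64_t new_bv, uint64_t host_mask)
{
    if (index != 0)                  /* only XCR0 is modelled here */
        return false;
    if (new_bv & ~host_mask)         /* unsupported or reserved bits */
        return false;
    if (!(new_bv & XSTATE_FP))       /* x87 bit may never be cleared */
        return false;
    if ((new_bv & XSTATE_YMM) && !(new_bv & XSTATE_SSE))
        return false;                /* AVX state without SSE state */
    return true;
}

/*
 * Hypothetical emulation wrapper. Returns 0 when the value is safe to
 * load, or -1 when the emulator must inject #GP into the guest instead
 * of executing XSETBV itself and faulting in hypervisor context.
 */
int emulate_xsetbv(uint32_t index, uint64_t new_bv, uint64_t host_mask,
                   uint64_t *guest_xcr0)
{
    if (!xsetbv_request_valid(index, new_bv, host_mask))
        return -1;                   /* guest_xcr0 is left untouched */
    *guest_xcr0 = new_bv;            /* real code would run XSETBV here */
    return 0;
}
```

Rejecting the request before the privileged instruction runs turns a host-level fault into an ordinary exception delivered to the guest.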