CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46837 – arm32: The cache may not be properly cleaned/invalidated (take two)
https://notcve.org/view.php?id=CVE-2023-46837
05 Jan 2024 — Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory. This undefined behavior was meant to be addressed by XSA-4... • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFVKWYQFRUU3CAS53THTUKXEOUDWI42G • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34328 – x86/AMD: Debug Mask handling
https://notcve.org/view.php?id=CVE-2023-34328
05 Jan 2024 — [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over... • https://xenbits.xenproject.org/xsa/advisory-444.html •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34323 – xenstored: A transaction conflict can crash C Xenstored
https://notcve.org/view.php?id=CVE-2023-34323
05 Jan 2024 — When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that the quota cannot be negative and are using assert() to confirm it. This will lead to C Xenstored crash when tools are built without -DNDEBUG (this is the default). Cuando se confirma una transacción, C Xenstored ... • https://xenbits.xenproject.org/xsa/advisory-440.html • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34322 – top-level shadow reference dropped too early for 64-bit PV guests
https://notcve.org/view.php?id=CVE-2023-34322
05 Jan 2024 — For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. Since Xen itself needs to be mapped when PV guests run, Xen and shadowed PV guests run directly the respective shadow page tables. For 64-bit PV guests this means running on the shadow of the guest root page table. In the course of dealing with shortage of memory in the shadow pool associated with a domain, shadows of page tables may be torn down. This tearing down may include the shado... • https://xenbits.xenproject.org/xsa/advisory-438.html • CWE-273: Improper Check for Dropped Privileges •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34321 – arm32: The cache may not be properly cleaned/invalidated
https://notcve.org/view.php?id=CVE-2023-34321
05 Jan 2024 — Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory. Arm proporciona múltiples ayudas para limpiar e invalidar ... • https://xenbits.xenproject.org/xsa/advisory-437.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-42331 – Debian Security Advisory 5378-1
https://notcve.org/view.php?id=CVE-2022-42331
21 Mar 2023 — x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks. Multiple vulnerabilities have been found in Xen, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 4.16.6_pre1 are affected. • http://www.openwall.com/lists/oss-security/2023/03/21/3 •
CVSS: 5.6EPSS: 0%CPEs: 6EXPL: 0CVE-2022-26356 – Gentoo Linux Security Advisory 202402-07
https://notcve.org/view.php?id=CVE-2022-26356
05 Apr 2022 — Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between ... • http://www.openwall.com/lists/oss-security/2022/04/05/1 • CWE-667: Improper Locking •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-23034 – Gentoo Linux Security Advisory 202208-23
https://notcve.org/view.php?id=CVE-2022-23034
25 Jan 2022 — A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check... • http://www.openwall.com/lists/oss-security/2022/01/25/3 • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-28703 – Gentoo Linux Security Advisory 202402-07
https://notcve.org/view.php?id=CVE-2021-28703
07 Dec 2021 — grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing re... • https://security.gentoo.org/glsa/202402-07 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2021-28705 – Gentoo Linux Security Advisory 202402-07
https://notcve.org/view.php?id=CVE-2021-28705
24 Nov 2021 — issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 numbe... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT • CWE-755: Improper Handling of Exceptional Conditions •