CVE-2022-26362
Gentoo Linux Security Advisory 202208-23
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited.
x86 pv: Una condición de carrera en la adquisición de typeref Xen mantiene un recuento de referencias de tipo para las páginas, además de un recuento de referencias regular. Este esquema es usado para mantener invariantes requeridos para la seguridad de Xen, por ejemplo, los huéspedes PV no pueden tener acceso directo de escritura a las tablas de páginas; las actualizaciones necesitan ser auditadas por Xen. Desafortunadamente, la lógica para adquirir una referencia de tipo presenta una condición de carrera, por la cual un vaciado seguro de la TLB es emitido demasiado pronto y crea una ventana donde el huésped puede restablecer el mapeo de lectura/escritura antes de que sea prohibida la escritura
Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation. In addition this updates provides mitigations for the "Retbleed" speculative execution attack and the "MMIO stale data" vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-03-02 CVE Reserved
- 2022-06-09 CVE Published
- 2022-07-11 First Exploit
- 2023-09-14 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/167718/Xen-TLB-Flush-Bypass.html | Third Party Advisory |
|
| http://www.openwall.com/lists/oss-security/2022/06/09/3 | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/167718 | 2022-07-11 |
| URL | Date | SRC |
|---|---|---|
| http://xenbits.xen.org/xsa/advisory-401.html | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | * | x86 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||