Total
468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-42327 | 2 Fedoraproject, Xen | 2 Fedora, Xen | 2025-05-05 | N/A | 7.1 HIGH |
| x86: unintended memory sharing between guests On Intel systems that support the "virtualize APIC accesses" feature, a guest can read and write the global shared xAPIC page by moving the local APIC out of xAPIC mode. Access to this shared page bypasses the expected isolation that should exist between two guests. | |||||
| CVE-2022-42318 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2025-05-05 | N/A | 6.5 MEDIUM |
| Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction | |||||
| CVE-2022-21166 | 5 Debian, Fedoraproject, Intel and 2 more | 7 Debian Linux, Fedora, Sgx Dcap and 4 more | 2025-05-05 | 2.1 LOW | 5.5 MEDIUM |
| Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2022-21125 | 5 Debian, Fedoraproject, Intel and 2 more | 7 Debian Linux, Fedora, Sgx Dcap and 4 more | 2025-05-05 | 2.1 LOW | 5.5 MEDIUM |
| Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2022-21123 | 5 Debian, Fedoraproject, Intel and 2 more | 7 Debian Linux, Fedora, Sgx Dcap and 4 more | 2025-05-05 | 2.1 LOW | 5.5 MEDIUM |
| Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2022-21127 | 3 Debian, Intel, Xen | 5 Debian Linux, Sgx Dcap, Sgx Psw and 2 more | 2025-05-05 | 2.1 LOW | 5.5 MEDIUM |
| Incomplete cleanup in specific special register read operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2022-42326 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2025-05-05 | N/A | 5.5 MEDIUM |
| Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes. | |||||
| CVE-2023-34321 | 1 Xen | 1 Xen | 2025-04-17 | N/A | 3.3 LOW |
| Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory. | |||||
| CVE-2023-20593 | 3 Amd, Debian, Xen | 140 Athlon Gold 7220u, Athlon Gold 7220u Firmware, Epyc 7232p and 137 more | 2025-02-13 | N/A | 5.5 MEDIUM |
| An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. | |||||
| CVE-2022-42336 | 1 Xen | 1 Xen | 2025-01-22 | N/A | 3.3 LOW |
| Mishandling of guest SSBD selection on AMD hardware The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of how many threads require SSBD active in order to coordinate it, such logic relies on using a per-core counter of threads that have SSBD active. When running on the mentioned hardware, it's possible for a guest to under or overflow the thread counter, because each write to VIRT_SPEC_CTRL.SSBD by the guest gets propagated to the helper that does the per-core active accounting. Underflowing the counter causes the value to get saturated, and thus attempts for guests running on the same core to set SSBD won't have effect because the hypervisor assumes it's already active. | |||||
| CVE-2023-20588 | 5 Amd, Debian, Fedoraproject and 2 more | 78 Athlon Gold 3150g, Athlon Gold 3150g Firmware, Athlon Gold 3150ge and 75 more | 2024-06-10 | N/A | 5.5 MEDIUM |
| A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality. | |||||
| CVE-2021-28039 | 3 Linux, Netapp, Xen | 4 Linux Kernel, Cloud Backup, Solidfire Baseboard Management Controller Firmware and 1 more | 2024-03-25 | 2.1 LOW | 6.5 MEDIUM |
| An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of I/O activity. The issue relates to misuse of guest physical addresses when a configuration has CONFIG_XEN_UNPOPULATED_ALLOC but not CONFIG_XEN_BALLOON_MEMORY_HOTPLUG. | |||||
| CVE-2021-28704 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2024-02-04 | 6.9 MEDIUM | 8.8 HIGH |
| PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2). | |||||
| CVE-2021-28705 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2024-02-04 | 6.9 MEDIUM | 7.8 HIGH |
| issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. There are two code paths affected - page removal (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix to both issues.) | |||||
| CVE-2021-28706 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2024-02-04 | 7.8 HIGH | 8.6 HIGH |
| guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be the overflowed (and hence small) number which gets compared against the established upper bound. | |||||
| CVE-2022-42330 | 1 Xen | 1 Xen | 2024-02-04 | N/A | 7.5 HIGH |
| Guests can cause Xenstore crash via soft reset When a guest issues a "Soft Reset" (e.g. for performing a kexec) the libxl based Xen toolstack will normally perform a XS_RELEASE Xenstore operation. Due to a bug in xenstored this can result in a crash of xenstored. Any other use of XS_RELEASE will have the same impact. | |||||
| CVE-2022-42325 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2024-02-04 | N/A | 5.5 MEDIUM |
| Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes. | |||||
| CVE-2022-42333 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2024-02-04 | N/A | 8.6 HIGH |
| x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334). | |||||
| CVE-2022-42323 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2024-02-04 | N/A | 5.5 MEDIUM |
| Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota. | |||||
| CVE-2022-42324 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2024-02-04 | N/A | 5.5 MEDIUM |
| Oxenstored 32->31 bit integer truncation issues Integers in Ocaml are 63 or 31 bits of signed precision. The Ocaml Xenbus library takes a C uint32_t out of the ring and casts it directly to an Ocaml integer. In 64-bit Ocaml builds this is fine, but in 32-bit builds, it truncates off the most significant bit, and then creates unsigned/signed confusion in the remainder. This in turn can feed a negative value into logic not expecting a negative value, resulting in unexpected exceptions being thrown. The unexpected exception is not handled suitably, creating a busy-loop trying (and failing) to take the bad packet out of the xenstore ring. | |||||