| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-29901 | 668 | | Exec Code Bypass | 2022-07-12 | 2022-12-24 | 1.9 | None | Local | Medium | Not required | Partial | None | None | Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions. |
| 2 | CVE-2020-25604 | 362 | | DoS | 2020-09-23 | 2022-09-30 | 1.9 | None | Local | Medium | Not required | None | None | Partial | An issue was discovered in Xen through 4.14.x. There is a race condition when migrating timers between x86 HVM vCPUs. When migrating timers of x86 HVM guests between its vCPUs, the locking model used allows for a second vCPU of the same guest (also operating on the timers) to release a lock that it didn't acquire. The most likely effect of the issue is a hang or crash of the hypervisor, i.e., a Denial of Service (DoS). All versions of Xen are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only x86 HVM guests can leverage the vulnerability. x86 PV and PVH cannot leverage the vulnerability. Only guests with more than one vCPU can exploit the vulnerability. |
| 3 | CVE-2018-10472 | 200 | | +Info | 2018-04-27 | 2018-10-31 | 1.9 | None | Local | Medium | Not required | Partial | None | None | An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users (in certain configurations) to read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction with specifying the target file as the backing file of a snapshot. |
| 4 | CVE-2017-7995 | 200 | | +Info | 2017-05-03 | 2017-05-15 | 1.7 | None | Local | Low | ??? | Partial | None | None | Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges only after accessing them, allowing host PCI device space memory reads, leading to information disclosure. This is an error in the get_user function. NOTE: the upstream Xen Project considers versions before 4.5.x to be EOL. |
| 5 | CVE-2016-7094 | 119 | | DoS Overflow | 2016-09-21 | 2017-07-01 | 1.5 | None | Local | Medium | ??? | None | None | Partial | Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update. |
| 6 | CVE-2016-4963 | 284 | | DoS | 2016-06-07 | 2018-09-07 | 1.9 | None | Local | Medium | Not required | None | None | Partial | The libxl device-handling in Xen through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (management tool confusion) by manipulating information in the backend directories in xenstore. |
| 7 | CVE-2016-3159 | 200 | | +Info | 2016-04-13 | 2019-02-21 | 1.7 | None | Local | Low | ??? | Partial | None | None | The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076. |
| 8 | CVE-2016-3158 | 200 | | +Info | 2016-04-13 | 2016-12-03 | 1.7 | None | Local | Low | ??? | Partial | None | None | The xrstor function in arch/x86/xstate.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076. |
| 9 | CVE-2015-8552 | 20 | | DoS | 2016-04-13 | 2017-11-04 | 1.7 | None | Local | Low | ??? | None | None | Partial | The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka "Linux pciback missing sanity checks." |
| 10 | CVE-2015-2152 | 264 | | | 2015-03-18 | 2018-10-30 | 1.9 | None | Local | Medium | Not required | None | Partial | None | Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configuration disables them, which allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compiled with SDL support. |
| 11 | CVE-2014-8595 | 17 | | DoS +Priv | 2014-11-19 | 2018-10-30 | 1.9 | None | Local | Medium | Not required | None | None | Partial | arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest users to gain privileges or cause a denial of service (crash) via a crafted (1) CALL, (2) JMP, (3) RETF, (4) LCALL, (5) LJMP, or (6) LRET far branch instruction. |
| 12 | CVE-2014-3716 | 20 | | DoS | 2014-05-19 | 2018-10-30 | 1.9 | None | Local | Medium | Not required | None | None | Partial | Xen 4.4.x does not properly check alignment, which allows local users to cause a denial of service (crash) via an unspecified field in a DTB header in a 32-bit guest kernel. |
| 13 | CVE-2013-4369 | | | DoS | 2013-10-17 | 2017-08-29 | 1.9 | None | Local | Medium | Not required | None | None | Partial | The xlu_vif_parse_rate function in the libxlu library in Xen 4.2.x and 4.3.x allows local users to cause a denial of service (NULL pointer dereference) by using the "@" character as the VIF rate configuration. |
| 14 | CVE-2013-4368 | 200 | | +Info | 2013-10-17 | 2017-08-29 | 1.9 | None | Local | Medium | Not required | Partial | None | None | The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. |
| 15 | CVE-2013-4355 | 200 | | +Info | 2013-10-01 | 2017-01-07 | 1.5 | None | Local | Medium | ??? | Partial | None | None | Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory. |
| 16 | CVE-2013-1952 | 20 | | DoS | 2013-05-13 | 2017-08-29 | 1.9 | None | Local | Medium | Not required | None | None | Partial | Xen 4.x, when using Intel VT-d for a bus mastering capable PCI device, does not properly check the source when accessing a bridge device's interrupt remapping table entries for MSI interrupts, which allows local guest domains to cause a denial of service (interrupt injection) via unspecified vectors. |
| 17 | CVE-2013-1917 | 20 | | DoS | 2013-05-13 | 2014-04-19 | 1.9 | None | Local | Medium | Not required | None | None | Partial | Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instruction, which allows PV guest users to cause a denial of service (hypervisor crash) by triggering a #GP fault, which is not properly handled by another IRET instruction. |
| 18 | CVE-2013-1442 | 200 | | +Info | 2013-09-30 | 2017-01-07 | 1.2 | None | Local | High | Not required | Partial | None | None | Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCPU after touching other restored extended registers, which allows local guest OSes to obtain sensitive information by reading the registers. |
| 19 | CVE-2013-0154 | | | DoS | 2013-01-12 | 2017-08-29 | 1.9 | None | Local | Medium | Not required | None | None | Partial | The get_page_type function in xen/arch/x86/mm.c in Xen 4.2, when debugging is enabled, allows local PV or HVM guest administrators to cause a denial of service (assertion failure and hypervisor crash) via unspecified vectors related to a hypercall. |
| 20 | CVE-2012-4535 | 399 | | DoS | 2012-11-21 | 2017-08-29 | 1.9 | None | Local | Medium | Not required | None | None | Partial | Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial of service (Xen infinite loop and physical CPU consumption) by setting a VCPU with an "inappropriate deadline." |
| 21 | CVE-2012-3432 | 264 | | DoS | 2012-12-03 | 2013-10-11 | 1.9 | None | Local | Medium | Not required | None | None | Partial | The handle_mmio function in arch/x86/hvm/io.c in the MMIO operations emulator for Xen 3.3 and 4.x, when running an HVM guest, does not properly reset certain state information between emulation cycles, which allows local guest OS users to cause a denial of service (guest OS crash) via unspecified operations on MMIO regions. |
| 22 | CVE-2012-2934 | | | DoS | 2012-12-03 | 2014-05-05 | 1.9 | None | Local | Medium | Not required | None | None | Partial | Xen 4.0 and 4.1, when running a 64-bit PV guest on "older" AMD CPUs, does not properly protect against a certain AMD processor bug, which allows local guest OS users to cause a denial of service (host hang) via sequential execution of instructions across a non-canonical boundary, a different vulnerability than CVE-2012-0217. |
| 23 | CVE-2012-0218 | | | DoS | 2012-12-03 | 2013-10-11 | 1.9 | None | Local | Medium | Not required | None | None | Partial | Xen 3.4, 4.0, and 4.1, when the guest OS has not registered a handler for a syscall or sysenter instruction, does not properly clear a flag for exception injection when injecting a General Protection Fault, which allows local PV guest OS users to cause a denial of service (guest crash) by later triggering an exception that would normally be handled within Xen. |