| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-14678 |
264 |
|
DoS +Priv |
2018-07-28 |
2018-10-04 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges. |
|
2 |
CVE-2018-10982 |
264 |
|
DoS +Priv |
2018-05-10 |
2018-10-31 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (unexpectedly high interrupt number, array overrun, and hypervisor crash) or possibly gain hypervisor privileges by setting up an HPET timer to deliver interrupts in IO-APIC mode, aka vHPET interrupt injection. |
|
3 |
CVE-2018-8897 |
264 |
|
|
2018-05-08 |
2018-11-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs. |
|
4 |
CVE-2017-17045 |
264 |
|
DoS +Priv +Info |
2017-11-28 |
2018-10-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to gain privileges on the host OS, obtain sensitive information, or cause a denial of service (BUG and host OS crash) by leveraging the mishandling of Populate on Demand (PoD) Physical-to-Machine (P2M) errors. |
|
5 |
CVE-2017-15595 |
400 |
|
DoS +Priv |
2017-10-18 |
2018-10-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking. |
|
6 |
CVE-2017-15592 |
264 |
|
DoS +Priv |
2017-10-18 |
2018-10-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because self-linear shadow mappings are mishandled for translated guests. |
|
7 |
CVE-2017-14319 |
264 |
|
|
2017-09-12 |
2018-10-19 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
A grant unmapping issue was discovered in Xen through 4.9.x. When removing or replacing a grant mapping, the x86 PV specific path needs to make sure page table entries remain in sync with other accounting done. Although the identity of the page frame was validated correctly, neither the presence of the mapping nor page writability were taken into account. |
|
8 |
CVE-2017-14316 |
125 |
|
|
2017-09-12 |
2018-10-19 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
A parameter verification issue was discovered in Xen through 4.9.x. The function `alloc_heap_pages` allows callers to specify the first NUMA node that should be used for allocations through the `memflags` parameter; the node is extracted using the `MEMF_get_node` macro. While the function checks to see if the special constant `NUMA_NO_NODE` is specified, it otherwise does not handle the case where `node >= MAX_NUMNODES`. This allows an out-of-bounds access to an internal array. |
|
9 |
CVE-2017-12137 |
264 |
|
+Priv |
2017-08-24 |
2018-01-15 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref. |
|
10 |
CVE-2017-12134 |
264 |
|
DoS +Priv +Info |
2017-08-24 |
2018-05-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation. |
|
11 |
CVE-2017-10913 |
264 |
|
+Priv +Info |
2017-07-04 |
2017-11-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The grant-table feature in Xen through 4.8.x provides false mapping information in certain cases of concurrent unmap calls, which allows backend attackers to obtain sensitive information or gain privileges, aka XSA-218 bug 1. |
|
12 |
CVE-2017-8903 |
264 |
|
Exec Code |
2017-05-11 |
2017-07-10 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Xen through 4.8.x on 64-bit platforms mishandles page tables after an IRET hypercall, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-213. |
|
13 |
CVE-2017-7228 |
284 |
|
|
2017-04-04 |
2017-11-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays. |
|
14 |
CVE-2016-9383 |
20 |
|
DoS Exec Code +Info |
2017-01-23 |
2017-06-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Xen, when running on a 64-bit hypervisor, allows local x86 guest OS users to modify arbitrary memory and consequently obtain sensitive information, cause a denial of service (host crash), or execute arbitrary code on the host by leveraging broken emulation of bit test instructions. |
|
15 |
CVE-2016-7154 |
416 |
|
DoS Exec Code +Info |
2016-09-21 |
2017-04-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Use-after-free vulnerability in the FIFO event channel code in Xen 4.4.x allows local guest OS administrators to cause a denial of service (host crash) and possibly execute arbitrary code or obtain sensitive information via an invalid guest frame number. |
|
16 |
CVE-2016-7093 |
264 |
|
+Priv |
2016-09-21 |
2017-06-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to overwrite hypervisor memory and consequently gain host OS privileges by leveraging mishandling of instruction pointer truncation during emulation. |
|
17 |
CVE-2016-6258 |
284 |
|
+Priv |
2016-08-02 |
2017-06-30 |
7.2 |
User |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries. |
|
18 |
CVE-2016-4480 |
264 |
|
+Priv |
2016-05-18 |
2016-11-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The guest_walk_tables function in arch/x86/mm/guest_walk.c in Xen 4.6.x and earlier does not properly handle the Page Size (PS) page table entry bit at the L4 and L3 page table levels, which might allow local guest OS users to gain privileges via a crafted mapping of memory. |
|
19 |
CVE-2016-3960 |
264 |
|
DoS Overflow +Priv |
2016-04-19 |
2016-12-02 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Integer overflow in the x86 shadow pagetable code in Xen allows local guest OS users to cause a denial of service (host crash) or possibly gain privileges by shadowing a superpage mapping. |
|
20 |
CVE-2016-3157 |
264 |
|
DoS +Priv +Info |
2016-04-12 |
2016-12-02 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel does not properly context-switch IOPL on 64-bit PV Xen guests, which allows local guest OS users to gain privileges, cause a denial of service (guest OS crash), or obtain sensitive information by leveraging I/O port access. |
|
21 |
CVE-2015-8341 |
399 |
|
DoS |
2015-12-17 |
2017-06-30 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The libxl toolstack library in Xen 4.1.x through 4.6.x does not properly release mappings of files used as kernels and initial ramdisks when managing multiple domains in the same process, which allows attackers to cause a denial of service (memory and disk consumption) by starting domains. |
|
22 |
CVE-2015-8338 |
254 |
|
DoS |
2015-12-17 |
2016-12-07 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Xen 4.6.x and earlier does not properly enforce limits on page order inputs for the (1) XENMEM_increase_reservation, (2) XENMEM_populate_physmap, (3) XENMEM_exchange, and possibly other HYPERVISOR_memory_op suboperations, which allows ARM guest OS administrators to cause a denial of service (CPU consumption, guest reboot, or watchdog timeout and host reboot) and possibly have unspecified other impact via unknown vectors. |
|
23 |
CVE-2015-7835 |
20 |
|
+Priv |
2015-10-30 |
2018-10-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping. |
|
24 |
CVE-2015-5166 |
264 |
|
+Priv |
2015-08-12 |
2018-10-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows local HVM guest users to gain privileges by unplugging a block device twice. |
|
25 |
CVE-2015-5154 |
119 |
|
Exec Code Overflow |
2015-08-12 |
2018-10-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands. |
|
26 |
CVE-2015-4104 |
264 |
|
DoS |
2015-06-03 |
2017-11-14 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Xen 3.3.x through 4.5.x does not properly restrict access to PCI MSI mask bits, which allows local x86 HVM guest users to cause a denial of service (unexpected interrupt and host crash) via unspecified vectors. |
|
27 |
CVE-2015-3456 |
119 |
|
DoS Exec Code Overflow |
2015-05-13 |
2018-10-30 |
7.7 |
None |
Local Network |
Low |
Single system |
Complete |
Complete |
Complete |
|
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM. |
|
28 |
CVE-2015-3209 |
119 |
|
Exec Code Overflow |
2015-06-15 |
2018-01-04 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set. |
|
29 |
CVE-2015-2751 |
17 |
|
DoS |
2015-04-01 |
2018-10-30 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allows remote domains with partial management control to cause a denial of service (host lock) via unspecified domctl operations. |
|
30 |
CVE-2015-2151 |
264 |
|
DoS Exec Code Mem. Corr. +Info |
2015-03-12 |
2018-10-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore segment overrides for instructions with register operands, which allows local guest users to obtain sensitive information, cause a denial of service (memory corruption), or possibly execute arbitrary code via unspecified vectors. |
|
31 |
CVE-2015-0361 |
|
|
DoS |
2015-01-07 |
2018-10-30 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Use-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows remote domains to cause a denial of service (system crash) via a crafted hypercall during HVM guest teardown. |
|
32 |
CVE-2014-9030 |
20 |
|
DoS |
2014-11-24 |
2018-10-30 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE. |
|
33 |
CVE-2014-3969 |
264 |
|
+Priv |
2014-06-05 |
2018-10-30 |
7.4 |
None |
Local Network |
Medium |
Single system |
Complete |
Complete |
Complete |
|
Xen 4.4.x, when running on an ARM system, does not properly check write permissions on virtual addresses, which allows local guest administrators to gain privileges via unspecified vectors. |
|
34 |
CVE-2013-6375 |
264 |
|
DoS +Priv |
2013-11-23 |
2018-10-30 |
7.9 |
None |
Local Network |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Xen 4.2.x and 4.3.x, when using Intel VT-d for PCI passthrough, does not properly flush the TLB after clearing a present translation table entry, which allows local guest administrators to cause a denial of service or gain privileges via unspecified vectors related to an "inverted boolean parameter." |
|
35 |
CVE-2013-2211 |
264 |
|
|
2013-08-28 |
2014-12-11 |
7.4 |
None |
Local Network |
Medium |
Single system |
Complete |
Complete |
Complete |
|
The libxenlight (libxl) toolstack library in Xen 4.0.x, 4.1.x, and 4.2.x uses weak permissions for xenstore keys for paravirtualised and emulated serial console devices, which allows local guest administrators to modify the xenstore value via unspecified vectors. |
|
36 |
CVE-2013-2072 |
119 |
|
DoS Overflow +Priv Mem. Corr. |
2013-08-28 |
2016-12-30 |
7.4 |
None |
Local Network |
Medium |
Single system |
Complete |
Complete |
Complete |
|
Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to configure VCPU affinity to cause a denial of service (memory corruption and xend toolstack crash) and possibly gain privileges via a crafted cpumap. |
|
37 |
CVE-2013-1432 |
399 |
|
DoS +Priv |
2013-08-28 |
2017-06-29 |
7.4 |
None |
Local Network |
Medium |
Single system |
Complete |
Complete |
Complete |
|
Xen 4.1.x and 4.2.x, when the XSA-45 patch is in place, does not properly maintain references on pages stored for deferred cleanup, which allows local PV guest kernels to cause a denial of service (premature page free and hypervisor crash) or possibly gain privileges via unspecified vectors. |
|
38 |
CVE-2012-6030 |
20 |
|
DoS |
2012-11-23 |
2017-08-28 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The do_tmem_op function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (host crash) and possibly have other unspecified impacts via unspecified vectors related to "broken locking checks" in an "error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. |
|
39 |
CVE-2012-3515 |
20 |
|
+Priv |
2012-11-23 |
2017-06-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space." |
|
40 |
CVE-2012-0217 |
119 |
|
Overflow +Priv |
2012-06-12 |
2018-10-12 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier. |
|
41 |
CVE-2011-1763 |
|
|
DoS +Priv |
2014-01-07 |
2015-09-03 |
7.7 |
None |
Local Network |
Low |
Single system |
Complete |
Complete |
Complete |
|
The get_free_port function in Xen allows local authenticated DomU users to cause a denial of service or possibly gain privileges via unspecified vectors involving a new event channel port. |
|
42 |
CVE-2009-3525 |
264 |
|
|
2009-10-05 |
2017-09-18 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The pyGrub boot loader in Xen 3.0.3, 3.3.0, and Xen-3.3.1 does not support the password option in grub.conf for para-virtualized guests, which allows attackers with access to the para-virtualized guest console to boot the guest or modify the guest's kernel boot parameters without providing the expected password. |
