# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 | CVE-2019-17347 | 20 | | DoS +Priv | 2019-10-07 | 2019-10-10 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because a guest can manipulate its virtualised %cr4 in a way that is incompatible with Linux (and possibly other guest kernels).
2 | CVE-2019-17340 | 20 | | DoS +Priv | 2019-10-07 | 2019-10-10 | 6.1 | None | Local | Low | Not required | Partial | Partial | Complete
An issue was discovered in Xen through 4.11.x allowing x86 guest OS users to cause a denial of service or gain privileges because grant-table transfer requests are mishandled.
3 | CVE-2017-15596 | 400 | | DoS | 2017-10-18 | 2017-11-03 | 4.9 | None | Local | Low | Not required | None | None | Complete
An issue was discovered in Xen 4.4.x through 4.9.x allowing ARM guest OS users to cause a denial of service (prevent physical CPU usage) because of lock mishandling upon detection of an add-to-physmap error.
4 | CVE-2017-14431 | 772 | | DoS | 2017-09-13 | 2019-10-02 | 4.9 | None | Local | Low | Not required | None | None | Complete
Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a denial of service (ARM or x86 AMD host OS memory consumption) by continually rebooting, because certain cleanup is skipped if no pass-through device was ever assigned, aka XSA-207.
5 | CVE-2016-9932 | 200 | | +Info | 2017-01-26 | 2017-11-03 | 2.1 | None | Local | Low | Not required | Partial | None | None
CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows local HVM guest OS users to obtain sensitive information from host stack memory via a "supposedly-ignored" operand size prefix.
6 | CVE-2016-9385 | 20 | | DoS | 2017-01-23 | 2017-06-30 | 4.9 | None | Local | Low | Not required | None | None | Complete
The x86 segment base write emulation functionality in Xen 4.4.x through 4.7.x allows local x86 PV guest OS administrators to cause a denial of service (host crash) by leveraging lack of canonical address checks.
7 | CVE-2016-9382 | 264 | | DoS +Priv | 2017-01-23 | 2017-06-30 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial
Xen 4.0.x through 4.7.x mishandle x86 task switches to VM86 mode, which allows local 32-bit x86 HVM guest OS users to gain privileges or cause a denial of service (guest OS crash) by leveraging a guest operating system that uses hardware task switching and allows a new task to start in VM86 mode.
8 | CVE-2016-7154 | 416 | | DoS Exec Code +Info | 2016-09-21 | 2017-04-09 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Use-after-free vulnerability in the FIFO event channel code in Xen 4.4.x allows local guest OS administrators to cause a denial of service (host crash) and possibly execute arbitrary code or obtain sensitive information via an invalid guest frame number.
9 | CVE-2016-6258 | 284 | | +Priv | 2016-08-02 | 2017-06-30 | 7.2 | User | Local | Low | Not required | Complete | Complete | Complete
The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries.
10 | CVE-2016-5242 | | | DoS | 2016-06-07 | 2016-11-28 | 4.7 | None | Local | Medium | Not required | None | None | Complete
The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (NULL pointer dereference and host OS crash) by creating concurrent domains and holding references to them, related to VMID exhaustion.
11 | CVE-2016-4963 | 284 | | DoS | 2016-06-07 | 2018-09-07 | 1.9 | None | Local | Medium | Not required | None | None | Partial
The libxl device-handling in Xen through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (management tool confusion) by manipulating information in the backend directories in xenstore.
12 | CVE-2016-4962 | 264 | | DoS +Priv | 2016-06-07 | 2016-11-28 | 6.8 | None | Local | Low | Single system | Complete | Complete | Complete
The libxl device-handling in Xen 4.6.x and earlier allows local OS guest administrators to cause a denial of service (resource consumption or management facility confusion) or gain host OS privileges by manipulating information in guest controlled areas of xenstore.
13 | CVE-2016-1571 | 17 | | DoS | 2016-01-22 | 2018-10-30 | 4.7 | None | Local | Medium | Not required | None | None | Complete
The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check.
14 | CVE-2016-1570 | 20 | | DoS +Priv +Info | 2016-01-22 | 2018-10-30 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates.
15 | CVE-2015-8555 | 200 | | +Info | 2016-04-13 | 2017-06-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None
Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors.
16 | CVE-2015-8341 | 399 | | DoS | 2015-12-17 | 2017-06-30 | 7.8 | None | Remote | Low | Not required | None | None | Complete
The libxl toolstack library in Xen 4.1.x through 4.6.x does not properly release mappings of files used as kernels and initial ramdisks when managing multiple domains in the same process, which allows attackers to cause a denial of service (memory and disk consumption) by starting domains.
17 | CVE-2015-8340 | 17 | | DoS | 2015-12-17 | 2017-06-30 | 4.7 | None | Local | Medium | Not required | None | None | Complete
The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via unspecified vectors, related to XENMEM_exchange error handling.
18 | CVE-2015-8339 | 19 | | DoS | 2015-12-17 | 2017-06-30 | 4.7 | None | Local | Medium | Not required | None | None | Complete
The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via unspecified vectors related to domain teardown.
19 | CVE-2015-8104 | 399 | | DoS | 2015-11-16 | 2017-05-23 | 4.7 | None | Local | Medium | Not required | None | None | Complete
The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.
20 | CVE-2015-5307 | 399 | | DoS | 2015-11-16 | 2017-05-23 | 4.9 | None | Local | Low | Not required | None | None | Complete
The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.
21 | CVE-2015-3340 | 200 | | +Info | 2015-04-28 | 2018-10-30 | 2.9 | None | Local Network | Medium | Not required | Partial | None | None
Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.
22 | CVE-2015-3259 | 264 | | Overflow +Priv | 2015-07-16 | 2018-10-30 | 6.8 | None | Local | Low | Single system | Complete | Complete | Complete
Stack-based buffer overflow in the xl command line utility in Xen 4.1.x through 4.5.x allows local guest administrators to gain privileges via a long configuration argument.
23 | CVE-2015-1563 | 399 | | DoS | 2015-02-09 | 2018-10-30 | 2.1 | None | Local | Low | Not required | None | None | Partial
The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows local guests to cause a denial of service by causing a large number of messages to be logged.
24 | CVE-2015-0361 | | | DoS | 2015-01-07 | 2018-10-30 | 7.8 | None | Remote | Low | Not required | None | None | Complete
Use-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows remote domains to cause a denial of service (system crash) via a crafted hypercall during HVM guest teardown.
25 | CVE-2014-9066 | 17 | | DoS | 2014-12-09 | 2018-10-30 | 4.7 | None | Local | Medium | Not required | None | None | Complete
Xen 4.4.x and earlier, when using a large number of VCPUs, does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability than CVE-2014-9065.
26 | CVE-2014-9065 | 17 | | DoS | 2014-12-09 | 2018-10-30 | 4.4 | None | Local | Medium | Single system | None | None | Complete
common/spinlock.c in Xen 4.4.x and earlier does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability to CVE-2014-9066.
27 | CVE-2014-9030 | 20 | | DoS | 2014-11-24 | 2018-10-30 | 7.1 | None | Remote | Medium | Not required | None | None | Complete
The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE.
28 | CVE-2014-8867 | 17 | | DoS | 2014-12-01 | 2018-10-30 | 4.9 | None | Local | Low | Not required | None | None | Complete
The acceleration support for the "REP MOVS" instruction in Xen 4.4.x, 3.2.x, and earlier lacks proper bounds checking for memory mapped I/O (MMIO) emulated in the hypervisor, which allows local HVM guests to cause a denial of service (host crash) via unspecified vectors.
29 | CVE-2014-6268 | 399 | | DoS | 2015-01-12 | 2017-09-07 | 4.9 | None | Local | Low | Not required | None | None | Complete
The evtchn_fifo_set_pending function in Xen 4.4.x allows local guest users to cause a denial of service (host crash) via vectors involving an uninitialized FIFO-based event channel control block when (1) binding or (2) moving an event to a different VCPU.