CVE-2012-4544 — Improper Input Validation in XEN

CWE-20 — Improper Input Validation7 documents6 sources

Severity

2.1LOWNVD

EPSS

0.1%

top 74.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN

Timeline

PublishedOct 31

Latest updateMay 17

Description

The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompression, which allows local guest administrators to cause a denial of service (domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk.

CVSS vector

AV:L/AC:L/C:N/I:N/A:PExploitability: 3.9 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/xen< xen 4.1.3-4 (bookworm)

▶Debianxen/xen< 4.1.3-4+3

▶NVDxen/xen4.2.0+4

🔴Vulnerability Details

GHSA

GHSA-5vgr-8hw2-wp3h: The PV domain builder in Xen 4↗2022-05-17

▶

OSV

CVE-2012-4544: The PV domain builder in Xen 4↗2012-10-31

▶

📋Vendor Advisories

Red Hat

xen: Xen domain builder Out-of-memory due to malicious kernel/ramdisk↗2012-10-26

▶

Debian

CVE-2012-4544: xen - The PV domain builder in Xen 4.2 and earlier does not validate the size of the k...↗2012

▶

💬Community

Bugzilla

CVE-2012-4544 xen: Xen domain builder Out-of-memory due to malicious kernel/ramdisk [fedora-all]↗2012-10-26

▶

Bugzilla

CVE-2012-4544 xen: Xen domain builder Out-of-memory due to malicious kernel/ramdisk↗2012-10-26

▶