CVE-2013-1442 — Sensitive Information Exposure in XEN

CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

1.2LOWNVD

EPSS

0.1%

top 70.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN

Timeline

PublishedSep 30

Latest updateMay 17

Description

Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCPU after touching other restored extended registers, which allows local guest OSes to obtain sensitive information by reading the registers.

CVSS vector

AV:L/AC:H/C:P/I:N/A:NExploitability: 1.9 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/xen< xen 4.4.0-1 (bookworm)

▶Debianxen/xen< 4.4.0-1+3

▶NVDxen/xen16 versions+15

🔴Vulnerability Details

GHSA

GHSA-pq8f-m2fp-4jv5: Xen 4↗2022-05-17

▶

OSV

CVE-2013-1442: Xen 4↗2013-09-30

▶

Kernel

HID: zeroplus: validate output report details↗2013-09-11

▶

📋Vendor Advisories

Red Hat

kernel: xen: information leak on AVX and/or LWP capable CPUs↗2013-09-24

▶

Debian

CVE-2013-1442: xen - Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly cle...↗2013

▶

💬Community

Bugzilla

CVE-2013-1442 kernel: xen: information leak on AVX and/or LWP capable CPUs [fedora-all]↗2013-09-25

▶

Bugzilla

CVE-2013-1442 kernel: xen: information leak on AVX and/or LWP capable CPUs↗2013-09-10

▶