CVE-2014-9066 — Improper Locking in XEN

CWE-667 — Improper Locking CWE-1710 documents5 sources

Severity

4.7MEDIUMNVD

NVD4.4OSV4.4

EPSS

0.1%

top 70.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN Opensuse

Timeline

PublishedDec 9

Latest updateMay 14

Description

Xen 4.4.x and earlier, when using a large number of VCPUs, does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability than CVE-2014-9065.

CVSS vector

AV:L/AC:M/C:N/I:N/A:CExploitability: 3.4 | Impact: 6.9

Affected Packages4 packages

▶debiandebian/xen< xen 4.4.1-6 (bookworm)+1

▶Debianxen/xen< 4.4.1-6+3

▶NVDxen/xen4.4.1

▶NVDopensuse/opensuse13.1, 13.2+1

Patches

Patch: xenbits.xen.org ↗Patch: xenbits.xen.org ↗

🔴Vulnerability Details

GHSA

GHSA-4f7c-f5r2-23hx: Xen 4↗2022-05-14

▶

GHSA

GHSA-gq6c-wcjg-9p8q: common/spinlock↗2022-05-14

▶

OSV

CVE-2014-9065: common/spinlock↗2014-12-09

▶

OSV

CVE-2014-9066: Xen 4↗2014-12-09

▶

📋Vendor Advisories

Red Hat

xen: p2m lock starvation (xsa114)↗2014-12-08

▶

Red Hat

xen: p2m lock starvation (xsa114)↗2014-12-08

▶

Debian

CVE-2014-9066: xen - Xen 4.4.x and earlier, when using a large number of VCPUs, does not properly han...↗2014

▶

Debian

CVE-2014-9065: xen - common/spinlock.c in Xen 4.4.x and earlier does not properly handle read and wri...↗2014

▶