CVE-2016-9378 — Improper Access Control in XEN

CWE-284 — Improper Access Control7 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 81.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN

Timeline

PublishedFeb 22

Latest updateMay 17

Description

Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging an incorrect choice for software interrupt delivery.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/xen< xen 4.8.0-1 (bookworm)

▶Debianxen/xen< 4.8.0-1+3

▶NVDxen/xen11 versions+10

Patches

Patch: xenbits.xen.org ↗Patch: xenbits.xen.org ↗

🔴Vulnerability Details

GHSA

GHSA-6gjw-cr66-wqrg: Xen 4↗2022-05-17

▶

OSV

CVE-2016-9378: Xen 4↗2017-02-22

▶

📋Vendor Advisories

Red Hat

xen: x86 software interrupt injection mis-handled (XSA-196)↗2016-11-22

▶

Debian

CVE-2016-9378: xen - Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating ...↗2016

▶

💬Community

Bugzilla

CVE-2016-9377 CVE-2016-9378 CVE-2016-9379 CVE-2016-9380 CVE-2016-9381 CVE-2016-9382 CVE-2016-9383 CVE-2016-9384 CVE-2016-9385 CVE-2016-9386 xen: various flaws [fedora-all]↗2016-11-22

▶

Bugzilla

CVE-2016-9377 CVE-2016-9378 xsa196 xen: x86 software interrupt injection mis-handled (XSA-196)↗2016-11-08

▶