CVE-2017-14431: Missing Release of Resource after Effective Lifetime in XEN

Severity
5.5 MEDIUM (NVD)
EPSS
0.1%
top 67.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 13
Latest update: May 13

Description

Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a denial of service (host memory consumption on ARM and x86 AMD hosts) by continually rebooting, because certain IOMMU cleanup on guest teardown is skipped if no pass-through device was ever assigned to the guest, aka XSA-207.
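The description gives a practitioner two things to check: whether the host's Xen version falls in the affected range, and whether the symptom (host free memory shrinking across guest destroy/reboot cycles) is actually observable. The script below is an added example, not code from this page or from the Xen project. It assumes the `xl info` field names xen_major, xen_minor, xen_extra and free_memory, takes 4.8.1 as the first fixed upstream release (inferred from the Debian fixed version 4.8.1-1), and uses a constructed `xl info` sample and constructed free-memory readings; the 0.5 MiB threshold is an arbitrary illustration value.

```python
"""Checks for CVE-2017-14431 (XSA-207) on a Xen host (added example, not Xen code).

1. Version check: the advisory text says Xen 3.3 through 4.8.x is affected and the
   Debian fix is 4.8.1-1, so 4.8.1 is assumed to be the first fixed release. Stable
   branches below 4.8 may carry a backported fix, so a version match is necessary
   but not sufficient; the symptom check below is the confirming signal.
2. Symptom check: sample `xl info` free_memory with the guest destroyed after each
   reboot cycle and look for a monotonic decline that never recovers.

All input here is constructed text; nothing talks to a hypervisor.
"""
import re

AFFECTED_MIN = (3, 3, 0)   # "Xen 3.3 through ..." per the description
FIXED_AT = (4, 8, 1)       # assumption, taken from the Debian fixed version 4.8.1-1

# Constructed sample of the relevant `xl info` lines from an unpatched 4.8.0 host.
SAMPLE_XL_INFO = """\
host                   : xen-host01
release                : 4.9.0-3-amd64
xen_major              : 4
xen_minor              : 8
xen_extra              : .0
xen_version            : 4.8.0
free_memory            : 4096
"""


def parse_xl_info(text):
    """Turn `xl info` 'key : value' lines into a dict (values kept as strings)."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s*:\s*(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info


def xen_version(info):
    """(major, minor, patch) from xen_major/xen_minor/xen_extra.

    xen_extra looks like '.0' or '.1-pre'; anything unparseable counts as patch 0.
    """
    m = re.match(r"\.(\d+)", info.get("xen_extra", ""))
    patch = int(m.group(1)) if m else 0
    return (int(info["xen_major"]), int(info["xen_minor"]), patch)


def is_affected(version):
    """True when the version alone places the host inside the advisory's range."""
    return AFFECTED_MIN <= version < FIXED_AT


def leak_per_reboot(free_memory_mib):
    """Mean MiB of host free memory lost per guest reboot cycle.

    free_memory_mib: successive `xl info` free_memory readings, each taken with
    the guest destroyed, one per reboot cycle. Positive means memory is vanishing.
    """
    if len(free_memory_mib) < 2:
        return 0.0
    deltas = [before - after for before, after in zip(free_memory_mib, free_memory_mib[1:])]
    return sum(deltas) / len(deltas)


def looks_leaky(free_memory_mib, min_loss_mib=0.5):
    """Flag a steady decline that never recovers; a single noisy dip does not count."""
    if len(free_memory_mib) < 3:
        return False
    deltas = [before - after for before, after in zip(free_memory_mib, free_memory_mib[1:])]
    return all(d >= 0 for d in deltas) and leak_per_reboot(free_memory_mib) >= min_loss_mib


def assess(xl_info_text, free_memory_mib):
    """Combine the version check and the symptom check into one verdict."""
    version = xen_version(parse_xl_info(xl_info_text))
    return {
        "version": version,
        "in_affected_range": is_affected(version),
        "leak_mib_per_reboot": leak_per_reboot(free_memory_mib),
        "symptom_observed": looks_leaky(free_memory_mib),
    }


if __name__ == "__main__":
    # Constructed readings: free_memory after each of four destroy/reboot cycles.
    readings = [4096, 4095, 4094, 4093]
    for key, value in assess(SAMPLE_XL_INFO, readings).items():
        print(f"{key}: {value}")
```

On a real host the per-cycle loss is small, so readings should be taken over many cycles (or every N cycles) and only ever with the guest destroyed, otherwise the guest's own allocation dominates the numbers.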

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (3 packages)

debian debian/xen < xen 4.8.1-1 (bookworm)
Debian xen/xen < 4.8.1-1+3
NVD xen/xen 50 versions (+49)

Patches

🔴 Vulnerability Details (2)

GHSA
GHSA-5c92-xf29-3c94: Memory leak in Xen 3 (2022-05-13)
OSV
CVE-2017-14431: Memory leak in Xen 3 (2017-09-13)

📋 Vendor Advisories (2)

Red Hat
xen: memory leak when destroying guest without PT devices (XSA-207) (2017-02-15)
Debian
CVE-2017-14431: xen - Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a denial of ... (2017)

💬 Community (2)

Bugzilla
CVE-2017-14431 xsa207 xen: memory leak when destroying guest without PT devices (XSA-207) [fedora-all] (2017-02-15)
Bugzilla
CVE-2017-14431 xsa207 xen: memory leak when destroying guest without PT devices (XSA-207) (2017-02-01)