CVE-2019-18423Off-by-one Error in XEN

CWE-193Off-by-one ErrorCWE-20Improper Input Validation7 documents6 sources
Severity
8.8HIGHNVD
EPSS
5.2%
top 10.07%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
XENDebian XENDebian Linux+1 more
Timeline
PublishedOct 31
Latest updateMay 24

Description

An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service via a XENMEM_add_to_physmap hypercall. p2m->max_mapped_gfn is used by the functions p2m_resolve_translation_fault() and p2m_get_entry() to sanity check guest physical frame. The rest of the code in the two functions will assume that there is a valid root table and check that with BUG_ON(). The function p2m_get_root_pointer() will ignore the unused top bits of a guest physical frame. This means

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

debiandebian/xen< xen 4.11.3+24-g14b62ab3e5-1 (bookworm)
Debianxen/xen< 4.11.3+24-g14b62ab3e5-1+3
NVDxen/xen4.84.12.1

Also affects: Debian Linux 10.0, 9.0, Fedora 29, 30, 31

Patches

Patch: www.openwall.comPatch: xenbits.xen.orgPatch: www.openwall.com

🔴Vulnerability Details

2
GHSA
GHSA-jvp4-26qw-rfm7: An issue was discovered in Xen through 42022-05-24
OSV
CVE-2019-18423: An issue was discovered in Xen through 42019-10-31

📋Vendor Advisories

2
Red Hat
xen: add-to-physmap can be abused to DoS Arm hosts2019-10-31
Debian
CVE-2019-18423: xen - An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cau...2019

💬Community

2
Bugzilla
CVE-2019-18423 xen: add-to-physmap can be abused to DoS Arm hosts [fedora-all]2019-11-12
Bugzilla
CVE-2019-18423 xen: add-to-physmap can be abused to DoS Arm hosts2019-11-12