CVE-2020-25599Improper Restriction of Operations within the Bounds of a Memory Buffer in XEN

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-362Race ConditionCWE-440Expected Behavior ViolationCWE-125Out-of-bounds ReadCWE-787Out-of-bounds Write9 documents8 sources
Severity
7.0HIGHNVD
EPSS
0.1%
top 77.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
XENDebian LinuxFedoraproject Fedora+1 more
Timeline
PublishedSep 23
Latest updateSep 19

Description

An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory accesses or triggering of bug checks. In particular, x86 PV guests may be able to elevate their privilege to that of the host. Host and guest crashes are also possible, leading to a Denial of Service (

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages3 packages

Debianxen/xen< 4.14.0+80-gd101b417b7-1+3
NVDxen/xen4.5.04.14.0
NVDopensuse/leap15.2

Also affects: Debian Linux 10.0, Fedora 31, 32, 33

Patches

Patch: xenbits.xen.orgPatch: xenbits.xen.org

🔴Vulnerability Details

3
GHSA
GHSA-565v-439w-r6r9: An issue was discovered in Xen through 42022-05-24
CVEList
CVE-2020-25599: An issue was discovered in Xen through 42020-09-23
OSV
CVE-2020-25599: An issue was discovered in Xen through 42020-09-23

📋Vendor Advisories

3
Ubuntu
Xen vulnerabilities2022-09-19
Red Hat
xen: races with evtchn_reset function (XSA-343)2020-09-22
Debian
CVE-2020-25599: xen - An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race con...2020

💬Community

2
Bugzilla
CVE-2020-25599 xen: races with evtchn_reset function (XSA-343) [fedora-all]2020-09-22
Bugzilla
CVE-2020-25599 xen: races with evtchn_reset function (XSA-343)2020-09-16
CVE-2020-25599 — XEN vulnerability | cvebase