CVE-2020-29570 — Allocation of Resources Without Limits or Throttling in XEN

CWE-770 — Allocation of Resources Without Limits or Throttling4 documents4 sources

Severity

6.2MEDIUMNVD

EPSS

0.1%

top 81.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN Debian Linux +1 more

Timeline

PublishedDec 15

Latest updateMay 24

Description

An issue was discovered in Xen through 4.14.x. Recording of the per-vCPU control block mapping maintained by Xen and that of pointers into the control block is reversed. The consumer assumes, seeing the former initialized, that the latter are also ready for use. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.5 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/xen< xen 4.14.0+88-g1d1d1f5391-1 (bookworm)

▶Debianxen/xen< 4.14.0+88-g1d1d1f5391-1+3

▶NVDxen/xen4.4.0 — 4.14.0

Also affects: Debian Linux 10.0, Fedora 32, 33

Patches

Patch: xenbits.xenproject.org ↗Patch: xenbits.xenproject.org ↗

🔴Vulnerability Details

GHSA

GHSA-rqmv-893j-49p8: An issue was discovered in Xen through 4↗2022-05-24

▶

OSV

CVE-2020-29570: An issue was discovered in Xen through 4↗2020-12-15

▶

📋Vendor Advisories

Debian

CVE-2020-29570: xen - An issue was discovered in Xen through 4.14.x. Recording of the per-vCPU control...↗2020

▶