CVE-2021-28689: Improper Removal of Sensitive Information Before Storage or Transfer in XEN

Severity
5.5 MEDIUM (NVD)
EPSS
0.1%
top 75.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 11
Latest update: May 24

Description

x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests

32-bit x86 PV guest kernels run in ring 1. At the time when Xen was developed, this area of the i386 architecture was rarely used, which is why Xen was able to use it to implement paravirtualisation, Xen's novel approach to virtualization. In AMD64, Xen had to use a different implementation approach, so Xen does not use ring 1 to support 64-bit guests. With the focus now being on 64-bit systems, and the availability of explic

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages (2 packages)

NVD: xen/xen < 4.12.0
debian: debian/xen

🔴 Vulnerability Details (2)

GHSA
GHSA-45vh-fhgx-cr2p: x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests 32-bit x86 PV guest kernels run in ring 1 (2022-05-24)
OSV
CVE-2021-28689: x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests 32-bit x86 PV guest kernels run in ring 1 (2021-06-11)

📋 Vendor Advisories (1)

Debian
CVE-2021-28689: xen - x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests 32-bit x8... (2021)