CVE-2021-28692: Improper Privilege Management in XEN

Severity: 7.1 HIGH (NVD)
EPSS: 0.0% (top 89.54%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 30
Latest update: May 24

Description

inappropriate x86 IOMMU timeout detection / handling

IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the most recently issued command(s). Some of these waiting loops try to apply a timeout to fail overly-slow commands. The course of action upon a perceived timeout actual

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Exploitability: 1.8 | Impact: 5.2

Affected Packages (4 packages)

debian: debian/xen < xen 4.14.2+25-gb6a8c4f72d-1 (bookworm)
Debian: xen/xen < 4.14.2+25-gb6a8c4f72d-1 +3
CVEListV5: xen/xen, 6 versions +5
NVD: xen/xen

Vulnerability Details (2)

GHSA: GHSA-23j5-p74r-rvqm: inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such (2022-05-24)
OSV: CVE-2021-28692: inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such (2021-06-30)

Vendor Advisories (1)

Debian: CVE-2021-28692: xen - inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands iss... (2021)