CVE-2021-28701Race Condition in XEN

CWE-362Race ConditionCWE-269Improper Privilege Management4 documents4 sources
Severity
7.8HIGHNVD
EPSS
0.1%
top 81.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
XENDebian XENDebian Linux+1 more
Timeline
PublishedSep 8
Latest updateMay 24

Description

Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing gues

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 1.1 | Impact: 6.0

Affected Packages4 packages

CVEListV5xen/xen4.15.xunspecified+2
debiandebian/xen< xen 4.14.3-1 (bookworm)
Debianxen/xen< 4.14.3-1~deb11u1+3
NVDxen/xen

Also affects: Debian Linux 11.0, Fedora 33, 34, 35

🔴Vulnerability Details

2
GHSA
GHSA-423x-f92f-r5fm: Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory2022-05-24
OSV
CVE-2021-28701: Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory2021-09-08

📋Vendor Advisories

1
Debian
CVE-2021-28701: xen - Another race in XENMAPSPACE_grant_table handling Guests are permitted access to ...2021