CVE-2022-33747 — Improper Resource Shutdown or Release in XEN

CWE-404 — Improper Resource Shutdown or Release CWE-400 — Uncontrolled Resource Consumption4 documents4 sources

Severity

3.8LOWNVD

EPSS

0.0%

top 91.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN Debian Linux +1 more

Timeline

PublishedOct 11

Description

Arm: unbounded memory consumption for 2nd-level page tables Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipula…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:LExploitability: 2.0 | Impact: 1.4

Affected Packages2 packages

▶debiandebian/xen< xen 4.16.2+90-g0d39a6d1ae-1 (bookworm)

▶Debianxen/xen< 4.14.5+86-g1c354767d5-1+3

Also affects: Debian Linux 11.0, Fedora 35, 36, 37

Patches

Patch: www.openwall.com ↗Patch: xenbits.xen.org ↗Patch: xenbits.xenproject.org ↗

🔴Vulnerability Details

GHSA

GHSA-wp5g-757j-v342: Arm: unbounded memory consumption for 2nd-level page tables Certain actions require e↗2022-10-11

▶

OSV

CVE-2022-33747: Arm: unbounded memory consumption for 2nd-level page tables Certain actions require e↗2022-10-11

▶

📋Vendor Advisories

Debian

CVE-2022-33747: xen - Arm: unbounded memory consumption for 2nd-level page tables Certain actions requ...↗2022

▶