CVE-2022-42319 — Missing Release of Memory after Effective Lifetime in XEN

CWE-401 — Missing Release of Memory after Effective Lifetime4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 91.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN Debian Linux +1 more

Timeline

PublishedNov 1

Description

Xenstore: Guests can cause Xenstore to not free temporary memory When working on a request of a guest, xenstored might need to allocate quite large amounts of memory temporarily. This memory is freed only after the request has been finished completely. A request is regarded to be finished only after the guest has read the response message of the request from the ring page. Thus a guest not reading the response can cause xenstored to not free the temporary memory. This can result in memory shorta…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:HExploitability: 2.0 | Impact: 4.0

Affected Packages3 packages

▶debiandebian/xen< xen 4.16.2+90-g0d39a6d1ae-1 (bookworm)

▶Debianxen/xen< 4.14.5+86-g1c354767d5-1+3

▶NVDxen/xen

Also affects: Debian Linux 11.0, Fedora 35, 36, 37

Patches

Patch: xenbits.xen.org ↗Patch: xenbits.xenproject.org ↗Patch: xenbits.xen.org ↗

🔴Vulnerability Details

GHSA

GHSA-jxpc-fxw3-65cc: Xenstore: Guests can cause Xenstore to not free temporary memory When working on a request of a guest, xenstored might need to allocate quite large am↗2022-11-01

▶

OSV

CVE-2022-42319: Xenstore: Guests can cause Xenstore to not free temporary memory When working on a request of a guest, xenstored might need to allocate quite large am↗2022-11-01

▶

📋Vendor Advisories

Debian

CVE-2022-42319: xen - Xenstore: Guests can cause Xenstore to not free temporary memory When working on...↗2022

▶