CVE-2022-42321 — Uncontrolled Recursion in XEN

CWE-674 — Uncontrolled Recursion4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 89.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN Debian Linux +1 more

Timeline

PublishedNov 1

Description

Xenstore: Guests can crash xenstored via exhausting the stack Xenstored is using recursion for some Xenstore operations (e.g. for deleting a sub-tree of Xenstore nodes). With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:HExploitability: 2.0 | Impact: 4.0

Affected Packages2 packages

▶debiandebian/xen< xen 4.16.2+90-g0d39a6d1ae-1 (bookworm)

▶Debianxen/xen< 4.14.5+86-g1c354767d5-1+3

Also affects: Debian Linux 11.0, Fedora 35, 36, 37

Patches

Patch: xenbits.xen.org ↗Patch: xenbits.xenproject.org ↗Patch: xenbits.xen.org ↗

🔴Vulnerability Details

GHSA

GHSA-fwfg-5hqv-4r78: Xenstore: Guests can crash xenstored via exhausting the stack Xenstored is using recursion for some Xenstore operations (e↗2022-11-01

▶

OSV

CVE-2022-42321: Xenstore: Guests can crash xenstored via exhausting the stack Xenstored is using recursion for some Xenstore operations (e↗2022-11-01

▶

📋Vendor Advisories

Debian

CVE-2022-42321: xen - Xenstore: Guests can crash xenstored via exhausting the stack Xenstored is using...↗2022

▶