CVE-2022-42326 — Missing Release of Memory after Effective Lifetime in XEN

CWE-401 — Missing Release of Memory after Effective Lifetime4 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 88.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Debian XEN Debian Linux +1 more

Timeline

PublishedNov 1

Description

Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and wit…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/xen< xen 4.16.2+90-g0d39a6d1ae-1 (bookworm)

▶Debianxen/xen< 4.14.5+86-g1c354767d5-1+3

▶NVDxen/xen

Also affects: Debian Linux 11.0, Fedora 35, 36, 37

Patches

Patch: www.openwall.com ↗Patch: xenbits.xen.org ↗Patch: xenbits.xenproject.org ↗

🔴Vulnerability Details

OSV

CVE-2022-42326: Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which↗2022-11-01

▶

GHSA

GHSA-f5v3-qm6r-5p3w: Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which↗2022-11-01

▶

📋Vendor Advisories

Debian

CVE-2022-42326: xen - Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA...↗2022

▶