An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation.
Max CVSS
5.6
EPSS Score
0.06%
Published
2018-12-08
Updated
2019-10-03
An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because small IOMMU mappings are unsafely combined into larger ones.
Max CVSS
7.8
EPSS Score
0.06%
Published
2018-12-08
Updated
2019-10-03
An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because TLB flushes do not always occur after IOMMU mapping changes.
Max CVSS
7.8
EPSS Score
0.06%
Published
2018-12-08
Updated
2019-10-03
Citrix XenServer 7.1 and newer allows Directory Traversal.
Max CVSS
10.0
EPSS Score
3.28%
Published
2018-08-15
Updated
2018-10-23

CVE-2018-8897

Public exploit
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.
Max CVSS
7.8
EPSS Score
0.07%
Published
2018-05-08
Updated
2019-10-03
System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel.
Max CVSS
5.6
EPSS Score
0.08%
Published
2018-06-21
Updated
2021-06-09
arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref.
Max CVSS
8.8
EPSS Score
0.06%
Published
2017-08-24
Updated
2019-10-03
Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling.
Max CVSS
7.8
EPSS Score
0.06%
Published
2017-08-24
Updated
2019-05-06
Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants.
Max CVSS
8.8
EPSS Score
0.06%
Published
2017-08-24
Updated
2020-04-14
The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.
Max CVSS
8.8
EPSS Score
0.06%
Published
2017-08-24
Updated
2019-10-03
An issue was discovered in Linux Foundation xapi in Citrix XenServer through 7.0. An authenticated read-only administrator can corrupt the host database.
Max CVSS
6.5
EPSS Score
0.12%
Published
2017-01-30
Updated
2019-10-03
Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.
Max CVSS
9.9
EPSS Score
0.15%
Published
2018-07-27
Updated
2021-08-04
Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host.
Max CVSS
9.1
EPSS Score
0.15%
Published
2018-07-03
Updated
2023-02-12
VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions (aka SVM) allows local HVM guest OS users to cause a denial of service (hypervisor crash) by leveraging a missing NULL pointer check.
Max CVSS
5.5
EPSS Score
0.06%
Published
2017-01-26
Updated
2017-01-27
Xen through 4.8.x allows local x86 PV guest OS kernel administrators to cause a denial of service (host hang or crash) by modifying the instruction stream asynchronously while performing certain kernel operations.
Max CVSS
6.0
EPSS Score
0.06%
Published
2017-01-26
Updated
2017-11-04
The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access.
Max CVSS
7.5
EPSS Score
0.06%
Published
2017-02-17
Updated
2018-02-08
A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.
Max CVSS
9.9
EPSS Score
0.14%
Published
2018-07-27
Updated
2021-08-04
The x86 emulator in Xen does not properly treat x86 NULL segments as unusable when accessing memory, which might allow local HVM guest users to gain privileges via vectors involving "unexpected" base/limit values.
Max CVSS
7.8
EPSS Score
0.06%
Published
2017-01-23
Updated
2017-07-01
The x86 segment base write emulation functionality in Xen 4.4.x through 4.7.x allows local x86 PV guest OS administrators to cause a denial of service (host crash) by leveraging lack of canonical address checks.
Max CVSS
6.0
EPSS Score
0.06%
Published
2017-01-23
Updated
2017-07-01
Xen, when running on a 64-bit hypervisor, allows local x86 guest OS users to modify arbitrary memory and consequently obtain sensitive information, cause a denial of service (host crash), or execute arbitrary code on the host by leveraging broken emulation of bit test instructions.
Max CVSS
8.8
EPSS Score
0.07%
Published
2017-01-23
Updated
2017-07-01
Xen 4.0.x through 4.7.x mishandle x86 task switches to VM86 mode, which allows local 32-bit x86 HVM guest OS users to gain privileges or cause a denial of service (guest OS crash) by leveraging a guest operating system that uses hardware task switching and allows a new task to start in VM86 mode.
Max CVSS
7.8
EPSS Score
0.06%
Published
2017-01-23
Updated
2017-07-01
Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability.
Max CVSS
7.5
EPSS Score
0.06%
Published
2017-01-23
Updated
2020-10-23
The pygrub boot loader emulator in Xen, when nul-delimited output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via NUL bytes in the bootloader configuration file.
Max CVSS
7.5
EPSS Score
0.06%
Published
2017-01-23
Updated
2017-07-01
The pygrub boot loader emulator in Xen, when S-expression output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via string quotes and S-expressions in the bootloader configuration file.
Max CVSS
7.9
EPSS Score
0.06%
Published
2017-01-23
Updated
2017-07-01
Xen 4.5.x through 4.7.x do not implement Supervisor Mode Access Prevention (SMAP) whitelisting in 32-bit exception and event delivery, which allows local 32-bit PV guest OS kernels to cause a denial of service (hypervisor and VM crash) by triggering a safety check.
Max CVSS
6.2
EPSS Score
0.18%
Published
2016-08-02
Updated
2016-08-04
41 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!