| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2017-14431 |
772 |
|
DoS |
2017-09-13 |
2019-10-03 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a denial of service (ARM or x86 AMD host OS memory consumption) by continually rebooting, because certain cleanup is skipped if no pass-through device was ever assigned, aka XSA-207. |
|
2 |
CVE-2016-9932 |
200 |
|
+Info |
2017-01-26 |
2017-11-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows local HVM guest OS users to obtain sensitive information from host stack memory via a "supposedly-ignored" operand size prefix. |
|
3 |
CVE-2016-6258 |
284 |
|
+Priv |
2016-08-02 |
2017-07-01 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries. |
|
4 |
CVE-2016-1571 |
17 |
|
DoS |
2016-01-22 |
2018-10-30 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check. |
|
5 |
CVE-2015-8552 |
20 |
|
DoS |
2016-04-13 |
2017-11-04 |
1.7 |
None |
Local |
Low |
??? |
None |
None |
Partial |
|
The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka "Linux pciback missing sanity checks." |
|
6 |
CVE-2015-8340 |
17 |
|
DoS |
2015-12-17 |
2017-07-01 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via unspecified vectors, related to XENMEM_exchange error handling. |
|
7 |
CVE-2015-8339 |
19 |
|
DoS |
2015-12-17 |
2017-07-01 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via unspecified vectors related to domain teardown. |
|
8 |
CVE-2015-7972 |
399 |
|
DoS |
2015-10-30 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to "heavy memory pressure." |
|
9 |
CVE-2015-7971 |
19 |
|
DoS |
2015-10-30 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c. |
|
10 |
CVE-2015-7970 |
399 |
|
DoS |
2015-10-30 |
2017-07-01 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86 HVM guest administrators to cause a denial of service (CPU consumption and possibly reboot) via crafted memory contents that triggers a "time-consuming linear scan," related to Populate-on-Demand. |
|
11 |
CVE-2015-7835 |
264 |
|
+Priv |
2015-10-30 |
2018-10-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping. |
|
12 |
CVE-2015-4164 |
399 |
|
DoS |
2015-06-15 |
2018-10-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via a hypercall_iret call with EFLAGS.VM set. |
|
13 |
CVE-2015-4105 |
399 |
|
DoS |
2015-06-03 |
2017-11-15 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through error messages, which allows local x86 HVM guests to cause a denial of service (host disk consumption) via certain invalid operations. |
|
14 |
CVE-2015-4104 |
264 |
|
DoS |
2015-06-03 |
2017-11-15 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Xen 3.3.x through 4.5.x does not properly restrict access to PCI MSI mask bits, which allows local x86 HVM guest users to cause a denial of service (unexpected interrupt and host crash) via unspecified vectors. |
|
15 |
CVE-2015-4103 |
264 |
|
DoS |
2015-06-03 |
2017-11-15 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Xen 3.3.x through 4.5.x does not properly restrict write access to the host MSI message data field, which allows local x86 HVM guest administrators to cause a denial of service (host interrupt handling confusion) via vectors related to qemu and accessing spanning multiple fields. |
|
16 |
CVE-2015-2151 |
264 |
|
DoS Exec Code Mem. Corr. +Info |
2015-03-12 |
2018-10-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore segment overrides for instructions with register operands, which allows local guest users to obtain sensitive information, cause a denial of service (memory corruption), or possibly execute arbitrary code via unspecified vectors. |
|
17 |
CVE-2015-2150 |
264 |
|
DoS |
2015-03-12 |
2018-10-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly restrict access to PCI command registers, which might allow local guest OS users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response. |
|
18 |
CVE-2015-2045 |
200 |
|
+Info |
2015-03-12 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not properly initialize data structures, which allows local guest users to obtain sensitive information via unspecified vectors. |
|
19 |
CVE-2015-2044 |
200 |
|
+Info |
2015-03-12 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size. |
|
20 |
CVE-2014-9030 |
20 |
|
DoS |
2014-11-24 |
2018-10-30 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE. |
|
21 |
CVE-2014-8866 |
17 |
|
DoS |
2014-12-01 |
2018-10-30 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The compatibility mode hypercall argument translation in Xen 3.3.x through 4.4.x, when running on a 64-bit hypervisor, allows local 32-bit HVM guests to cause a denial of service (host crash) via vectors involving altering the high halves of registers while in 64-bit mode. |
|
22 |
CVE-2014-8595 |
17 |
|
DoS +Priv |
2014-11-19 |
2018-10-30 |
1.9 |
None |
Local |
Medium |
Not required |
None |
None |
Partial |
|
arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest users to gain privileges or cause a denial of service (crash) via a crafted (1) CALL, (2) JMP, (3) RETF, (4) LCALL, (5) LJMP, or (6) LRET far branch instruction. |
|
23 |
CVE-2014-7155 |
264 |
|
DoS +Priv |
2014-10-02 |
2018-10-30 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode permissions, which allows local HVM users to cause a denial of service (guest crash) or gain guest kernel mode privileges via vectors involving an (1) HLT, (2) LGDT, (3) LIDT, or (4) LMSW instruction. |
|
24 |
CVE-2014-1893 |
189 |
|
DoS Overflow |
2014-04-01 |
2017-01-07 |
5.2 |
None |
Local Network |
Medium |
??? |
None |
None |
Complete |
|
Multiple integer overflows in the (1) FLASK_GETBOOL and (2) FLASK_SETBOOL suboperations in the flask hypercall in Xen 4.1.x, 3.3.x, 3.2.x, and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1891, CVE-2014-1892, and CVE-2014-1894. |
|
25 |
CVE-2014-1892 |
119 |
|
DoS Overflow |
2014-04-01 |
2017-01-07 |
5.2 |
None |
Local Network |
Medium |
??? |
None |
None |
Complete |
|
Xen 3.3 through 4.1, when XSM is enabled, allows local users to cause a denial of service via vectors related to a "large memory allocation," a different vulnerability than CVE-2014-1891, CVE-2014-1893, and CVE-2014-1894. |
|
26 |
CVE-2014-1891 |
189 |
|
DoS Overflow |
2014-04-01 |
2017-01-07 |
5.2 |
None |
Local Network |
Medium |
??? |
None |
None |
Complete |
|
Multiple integer overflows in the (1) FLASK_GETBOOL, (2) FLASK_SETBOOL, (3) FLASK_USER, and (4) FLASK_CONTEXT_TO_SID suboperations in the flask hypercall in Xen 4.3.x, 4.2.x, 4.1.x, 3.2.x, and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1892, CVE-2014-1893, and CVE-2014-1894. |
|
27 |
CVE-2013-4554 |
264 |
|
+Priv |
2013-12-24 |
2017-01-07 |
5.2 |
None |
Local Network |
Low |
??? |
Partial |
Partial |
Partial |
|
Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2. |
|
28 |
CVE-2013-4553 |
119 |
|
DoS Overflow |
2013-12-24 |
2017-01-07 |
5.2 |
None |
Local Network |
Medium |
??? |
None |
None |
Complete |
|
The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock). |
|
29 |
CVE-2013-4368 |
200 |
|
+Info |
2013-10-17 |
2017-08-29 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. |
|
30 |
CVE-2013-4361 |
200 |
|
+Info |
2013-10-01 |
2017-01-07 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction. |
|
31 |
CVE-2013-4355 |
200 |
|
+Info |
2013-10-01 |
2017-01-07 |
1.5 |
None |
Local |
Medium |
??? |
Partial |
None |
None |
|
Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory. |
|
32 |
CVE-2013-3495 |
264 |
|
DoS |
2013-08-28 |
2018-10-30 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The Intel VT-d Interrupt Remapping engine in Xen 3.3.x through 4.3.x allows local guests to cause a denial of service (kernel panic) via a malformed Message Signaled Interrupt (MSI) from a PCI device that is bus mastering capable that triggers a System Error Reporting (SERR) Non-Maskable Interrupt (NMI). |
|
33 |
CVE-2013-2212 |
119 |
|
DoS Overflow |
2013-08-28 |
2016-12-22 |
5.7 |
None |
Local Network |
Medium |
Not required |
None |
None |
Complete |
|
The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling caches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. |
|
34 |
CVE-2013-1920 |
264 |
|
+Priv |
2013-04-12 |
2017-08-29 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running "under memory pressure" and the Xen Security Module (XSM) is enabled, uses the wrong ordering of operations when extending the per-domain event channel tracking table, which causes a use-after-free and allows local guest kernels to inject arbitrary events and gain privileges via unspecified vectors. |
|
35 |
CVE-2013-1917 |
20 |
|
DoS |
2013-05-13 |
2014-04-19 |
1.9 |
None |
Local |
Medium |
Not required |
None |
None |
Partial |
|
Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instruction, which allows PV guest users to cause a denial of service (hypervisor crash) by triggering a #GP fault, which is not properly handled by another IRET instruction. |
|
36 |
CVE-2012-6333 |
399 |
|
DoS |
2012-12-13 |
2017-08-29 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
Multiple HVM control operations in Xen 3.4 through 4.2 allow local HVM guest OS administrators to cause a denial of service (physical CPU consumption) via a large input. |
|
37 |
CVE-2012-5515 |
|
|
DoS |
2012-12-13 |
2017-08-29 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The (1) XENMEM_decrease_reservation, (2) XENMEM_populate_physmap, and (3) XENMEM_exchange hypercalls in Xen 4.2 and earlier allow local guest administrators to cause a denial of service (long loop and hang) via a crafted extent_order value. |
|
38 |
CVE-2012-5514 |
|
|
DoS |
2012-12-13 |
2017-08-29 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The guest_physmap_mark_populate_on_demand function in Xen 4.2 and earlier does not properly unlock the subject GFNs when checking if they are in use, which allows local guest HVM administrators to cause a denial of service (hang) via unspecified vectors. |
|
39 |
CVE-2012-5513 |
20 |
|
DoS +Priv |
2012-12-13 |
2017-08-29 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges via unspecified vectors that overwrite memory in the hypervisor reserved range. |
|
40 |
CVE-2012-5511 |
119 |
|
DoS Overflow |
2012-12-13 |
2017-08-29 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
Stack-based buffer overflow in the dirty video RAM tracking functionality in Xen 3.4 through 4.1 allows local HVM guest OS administrators to cause a denial of service (crash) via a large bitmap image. |
|
41 |
CVE-2012-4537 |
16 |
|
DoS |
2012-11-21 |
2017-08-29 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Xen 3.4 through 4.2, and possibly earlier versions, does not properly synchronize the p2m and m2p tables when the set_p2m_entry function fails, which allows local HVM guest OS administrators to cause a denial of service (memory consumption and assertion failure), aka "Memory mapping failure DoS vulnerability." |
|
42 |
CVE-2012-4535 |
399 |
|
DoS |
2012-11-21 |
2017-08-29 |
1.9 |
None |
Local |
Medium |
Not required |
None |
None |
Partial |
|
Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial of service (Xen infinite loop and physical CPU consumption) by setting a VCPU with an "inappropriate deadline." |
|
43 |
CVE-2011-1166 |
20 |
|
DoS |
2014-01-07 |
2015-10-06 |
5.5 |
None |
Local Network |
Low |
??? |
None |
None |
Complete |
|
Xen, possibly before 4.0.2, allows local 64-bit PV guests to cause a denial of service (host crash) by specifying user mode execution without user-mode pagetables. |
