Severe I/O Misconfiguration Vulnerability in Linux Kernel's Xen Virtualization
CVE-2021-28039

6.5MEDIUM

Key Information:

Vendor: Xen Project
Status: Xen; Linux Kernel
Vendor: CVE Published:; 5 March 2021

What is CVE-2021-28039?

A significant vulnerability has been identified in the Linux kernel versions 5.9.x through 5.11.3, specifically in configurations using Xen virtualization. This issue allows an x86 paravirtual (PV) guest operating system user to potentially crash the Dom0 or driver domain by executing a large volume of I/O operations. The vulnerability arises from incorrect handling of guest physical addresses, particularly in scenarios where CONFIG_XEN_UNPOPULATED_ALLOC is enabled while CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is not. This may lead to system instability affecting host and guest environments.

References

http://xenbits.xen.org/xsa/advisory-369.html

http://www.openwall.com/lists/oss-security/2021/03/05/2

mailing-list

https://security.netapp.com/advisory/ntap-20210409-0001/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Mar 5, 2021
Vulnerability Reserved
Mar 5, 2021

Xen Project

What is CVE-2021-28039?

References

CVSS V3.1

Timeline