Memory Management Issues in Xen Hypervisor Affecting Virtual Guests
CVE-2021-28709

7.8HIGH

Key Information:

Vendor

Xen Project
Status
Xen
Vendor
CVE Published:
24 November 2021

What is CVE-2021-28709?

The Xen Hypervisor has a memory management vulnerability affecting x86 HVM and PVH guests that operate in populate-on-demand (PoD) mode. The flaw arises due to insufficient error handling during partially successful page-to-memory (P2M) updates. Specifically, a hypercall feature allows guests to manipulate P2M aspects of individual memory pages, which can lead to unaccounted partial success in certain memory operations. This presents a potential risk as it could enable unauthorized memory access or manipulation of virtual resources. A patch addressing this issue has been released to rectify the complications stemming from page removal and insertion processes.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

xen 4.14.x

xen 4.12.x

xen 4.15.x

References

https://xenbits.xenproject.org/xsa/advisory-389.txt
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory
https://www.debian.org/security/2021/dsa-5017
vendor-advisory

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Jan Beulich of SUSE.'}]}}}
JSON
.