Race Condition Vulnerabilities in Linux PV Device Frontends Affecting Xen Project
CVE-2022-23040
7 HIGH
What is CVE-2022-23040?
Linux PV device frontends, including blkfront, netfront, scsifront, and gntalloc, are vulnerable because of improper grant table interface management. They fail to adequately check whether grant references are still in use during operations, which allows a backend to retain access to memory pages even after the frontend's I/O has completed. Malicious backends can leverage the resulting race conditions to cause data leaks and data corruption. Backend interactions can also trigger Denial of Service (DoS), affecting system stability and data integrity.
Affected Version(s)
unspecified; consult Xen advisory XSA-396
CVSS V3.1
Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This issue was discovered by Demi Marie Obenour and Simon Gaiser of Invisible Things Lab.
