Race Condition Vulnerability in Linux PV Device Frontends by Xen Project
CVE-2022-23041

7 HIGH

Key Information:

Vendor
CVE Published: 10 March 2022

What is CVE-2022-23041?

Linux PV device frontends are exposed to misbehaving backends because they do not handle the revocation of access rights correctly, which leads to race condition vulnerabilities. When using the grant table interface, several frontends (blkfront, netfront, scsifront) and the gntalloc driver fail to verify that a grant reference is no longer in use by the backend before removing access and freeing the underlying page. This oversight allows a malicious backend to retain access to guest memory pages beyond their intended lifetime, resulting in possible data leaks, data corruption, and denial of service (DoS) conditions. The xenbus driver has a similar weakness, in its case related to how access to the shared ring buffer is managed. These issues necessitate immediate attention to secure affected systems against exploitation.

Affected Version(s)

Unspecified; consult Xen advisory XSA-396.

References

CVSS V3.1

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was discovered by Demi Marie Obenour and Simon Gaiser of Invisible Things Lab.