Race Condition Vulnerability in Linux PV Device Frontends by Xen Project
CVE-2022-23041

7HIGH

Key Information:

Vendor

Unspecified

Status
Unspecified
Vendor
CVE Published:
10 March 2022

What is CVE-2022-23041?

Linux PV device frontends are susceptible to attacks due to improper handling of access rights by backends, leading to race condition vulnerabilities. In mechanisms involving grant table interfaces, multiple frontends like blkfront, netfront, scsifront, and gntalloc fail to adequately verify if a grant reference is still in use during access removal operations. This oversight allows malicious backends to retain access to guest memory pages beyond their intended lifecycle, resulting in possible data leaks, corruption, and triggering denial of service (DoS) conditions. The xenbus driver shares similar vulnerabilities, primarily associated with shared ring buffer access management. These issues necessitate immediate attention to secure affected systems against exploitation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

unspecified consult Xen advisory XSA-396

References

https://xenbits.xenproject.org/xsa/advisory-396.txt
x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2022/07/msg0...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Demi Marie Obenour and Simon Gaiser of\nInvisible Things Lab.'}]}}}
JSON
.