Data Leak Vulnerability in Linux Block and Network PV Device Frontends
CVE-2022-26365
7.1 HIGH
Summary
The Linux Block and Network PV device frontends are exposed to a data leak vulnerability: memory regions can be shared with the backend without being properly zeroed. Because of this lack of memory sanitization, unrelated data can exist in the same memory page as the shared data, potentially making sensitive information accessible through backend requests. The vulnerability arises from granularity restrictions within the grant table, which necessitate sharing data in 4K page increments and further compound the risk of unintended data exposure.
Affected Version(s)
Linux: consult Xen advisory XSA-403
xen: consult Xen advisory XSA-403
References
CVSS V3.1
Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
The issue related to not zeroing memory areas used for shared communications was discovered by Roger Pau Monné of Citrix.

The issue related to leaking contiguous data in granted pages was disclosed publicly.