Data Leak Vulnerability in Linux Disk and NIC Frontends by Xen Project
CVE-2022-33742

7.1HIGH

Key Information:

Vendor: Linux
Status: Linux; Xen
Vendor: CVE Published:; 5 July 2022

Summary

This vulnerability affects Xen Project's Linux disk and NIC frontends, which fail to properly zero memory regions before exposing them to the backend. This oversight allows data from unrelated memory areas to remain accessible within the same 4K page shared with a backend, leading to potential unauthorized data exposure. Users of affected versions are advised to review security patches and take necessary measures to mitigate risks associated with this vulnerability.

Affected Version(s)

Linux consult Xen advisory XSA-403

xen consult Xen advisory XSA-403

References

https://xenbits.xenproject.org/xsa/advisory-403.txt

x_refsource_MISC

http://xenbits.xen.org/xsa/advisory-403.html

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/07/05/6

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 5, 2022
Vulnerability Reserved
Jun 15, 2022

Credit

{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'The issue related to not zeroing memory areas used for shared communications\nwas discovered by Roger Pau Monné of Citrix.\n\nThe issue related to leaking contiguous data in granted pages was disclosed\npublicly.'}]}}}