Arbitrary Node Creation Vulnerability in Xenstore by Xen Project
CVE-2022-42326

5.5MEDIUM

Key Information:

Vendor: Xen Project
Status: Xen Project
Vendor: CVE Published:; 1 November 2022

What is CVE-2022-42326?

Xenstore has a vulnerability allowing malicious guests to create an arbitrary number of nodes via transactions. If a node is created and later deleted within the same transaction, an error occurs only upon finalizing the deletion, resulting in partial transaction completion without proper accounting updates. This exploit can lead to resource exhaustion and potential unauthorized access, impacting the stability and security of Xen-based systems.

Affected Version(s)

xen consult Xen advisory XSA-421

References

https://xenbits.xenproject.org/xsa/advisory-421.txt

http://xenbits.xen.org/xsa/advisory-421.html

http://www.openwall.com/lists/oss-security/2022/11/01/11

mailing-list

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 1, 2022
Vulnerability Reserved
Oct 3, 2022

Credit

{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Julien Grall of Amazon.'}]}}}