Vulnerability CVE-2022-26356

Vulnerability Name:

CVE-2022-26356 (CCN-223408)

Assigned:

2022-04-05

Published:

2022-04-05

Updated:

2022-07-29

Summary:

Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both operations and can lead to entries being added in already freed slots, resulting in a memory leak.

CVSS v3 Severity:

5.6 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H)
4.9 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

7.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
6.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:L/AC:H/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

4.9 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-772

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2022-26356

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[oss-security] 20220405 Xen Security Advisory 397 v2 (CVE-2022-26356) - Racy interactions between dirty vram tracking and paging log dirty hypercalls

Source: CCN
Type: Xen Security Advisory XSA-397
Racy interactions between dirty vram tracking and paging log dirty hypercalls

Source: CONFIRM
Type: Patch, Third Party Advisory
http://xenbits.xen.org/xsa/advisory-397.html

Source: XF
Type: UNKNOWN
xen-cve202226356-dos(223408)

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-64b2c02d29

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-dfbf7e2372

Source: DEBIAN
Type: Third Party Advisory
DSA-5117

Source: MISC
Type: Third Party Advisory
https://xenbits.xenproject.org/xsa/advisory-397.txt

Vulnerable Configuration:

Configuration 1:

cpe:/o:xen:xen:*:*:*:*:*:*:x86:* (Version >= 4.15.0 and < 4.16.0)

OR cpe:/o:xen:xen:*:*:*:*:*:*:x86:* (Version >= 4.13.0 and < 4.14.0)

OR cpe:/o:xen:xen:*:*:*:*:*:*:x86:* (Version >= 4.0.0 and < 4.12.0)

Configuration 2:

cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:xensource:xen:4.0:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.1.1:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.1.2:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.1:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.2:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.5:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.6:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.7:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.8:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.9:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.10:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.11:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.12:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.13:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.14:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.12.3:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.12.4:*:*:*:*:*:*:*

OR cpe:/a:xensource:xen:4.13.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:3225	P	xen-libs-4.16.0_08-150400.2.12 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:3535	P	xen-4.16.0_08-150400.2.12 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94855	P	xen-libs-4.16.0_08-150400.2.12 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95165	P	xen-4.16.0_08-150400.2.12 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:388	P	xen-libs-4.16.0_08-150400.2.12 on GA media (Moderate)	2022-06-10
oval:org.opensuse.security:def:42276	P	Security update for xen (Moderate)	2022-05-03
oval:org.opensuse.security:def:42375	P	Security update for xen (Moderate)	2022-05-03
oval:org.opensuse.security:def:876	P	Security update for xen (Moderate)	2022-05-03
oval:org.opensuse.security:def:1662	P	Security update for xen (Moderate)	2022-05-03
oval:org.opensuse.security:def:42176	P	Security update for xen (Important)	2022-04-22
oval:org.opensuse.security:def:101617	P	Security update for xen (Moderate) (in QA)	2022-04-07
oval:org.opensuse.security:def:102242	P	Security update for xen (Moderate) (in QA)	2022-04-07

BACK