gsd-2022-26357
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed.
Aliases
Aliases



{
  "GSD": {
    "alias": "CVE-2022-26357",
    "description": "race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed.",
    "id": "GSD-2022-26357",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-26357.html",
      "https://www.debian.org/security/2022/dsa-5117",
      "https://linux.oracle.com/cve/CVE-2022-26357.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-26357"
      ],
      "details": "race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed.",
      "id": "GSD-2022-26357",
      "modified": "2023-12-13T01:19:39.233627Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@xen.org",
        "ID": "CVE-2022-26357",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "xen",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "?",
                          "version_value": "consult Xen advisory XSA-399"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Xen"
            }
          ]
        }
      },
      "configuration": {
        "configuration_data": {
          "description": {
            "description_data": [
              {
                "lang": "eng",
                "value": "Xen versions 4.11 through 4.16 are vulnerable.  Xen versions 4.10 and\nearlier are not vulnerable.\n\nOnly x86 systems with VT-d IOMMU hardware are vulnerable.  Arm systems\nas well as x86 systems without VT-d hardware or without any IOMMUs in\nuse are not vulnerable.\n\nOnly x86 guests which have physical devices passed through to them can\nleverage the vulnerability."
              }
            ]
          }
        }
      },
      "credit": {
        "credit_data": {
          "description": {
            "description_data": [
              {
                "lang": "eng",
                "value": "This issue was discovered by Jan Beulich of SUSE."
              }
            ]
          }
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed."
          }
        ]
      },
      "impact": {
        "impact_data": {
          "description": {
            "description_data": [
              {
                "lang": "eng",
                "value": "The precise impact is system specific, but would typically be a Denial\nof Service (DoS) affecting the entire host.  Privilege escalation and\ninformation leaks cannot be ruled out."
              }
            ]
          }
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "unknown"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://xenbits.xenproject.org/xsa/advisory-399.txt",
            "refsource": "MISC",
            "url": "https://xenbits.xenproject.org/xsa/advisory-399.txt"
          },
          {
            "name": "http://xenbits.xen.org/xsa/advisory-399.html",
            "refsource": "CONFIRM",
            "url": "http://xenbits.xen.org/xsa/advisory-399.html"
          },
          {
            "name": "[oss-security] 20220405 Xen Security Advisory 399 v2 (CVE-2022-26357) - race in VT-d domain ID cleanup",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/04/05/2"
          },
          {
            "name": "DSA-5117",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2022/dsa-5117"
          },
          {
            "name": "FEDORA-2022-dfbf7e2372",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/"
          },
          {
            "name": "FEDORA-2022-64b2c02d29",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/"
          },
          {
            "name": "GLSA-202402-07",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202402-07"
          }
        ]
      },
      "workaround": {
        "workaround_data": {
          "description": {
            "description_data": [
              {
                "lang": "eng",
                "value": "Not passing through physical devices to untrusted guests will avoid\nthe vulnerability."
              }
            ]
          }
        }
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "28B99675-30A7-4039-A70D-74E03A85625D",
                    "versionEndExcluding": "4.12.0",
                    "versionStartIncluding": "4.11.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "46BE43EA-353A-4E3F-94EB-D35D55BC224E",
                    "versionEndExcluding": "4.16.0",
                    "versionStartIncluding": "4.13.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                    "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed."
          },
          {
            "lang": "es",
            "value": "Una carrera en la limpieza del ID de dominio de VT-d Los ID de dominio de Xen presentan hasta 15 bits de ancho. El hardware VT-d puede permitir s\u00f3lo menos de 15 bits para mantener un ID de dominio que asocie un dispositivo f\u00edsico con un dominio particular. Por lo tanto, internamente los ID de dominio de Xen son asignados al rango de valores m\u00e1s peque\u00f1o. La limpieza de las estructuras de mantenimiento de la casa presenta una carrera, lo que permite que los ID de dominio VT-d sean filtrados y que los flushes sean evitados"
          }
        ],
        "id": "CVE-2022-26357",
        "lastModified": "2024-02-04T08:15:10.110",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "HIGH",
                "accessVector": "LOCAL",
                "authentication": "NONE",
                "availabilityImpact": "COMPLETE",
                "baseScore": 6.2,
                "confidentialityImpact": "COMPLETE",
                "integrityImpact": "COMPLETE",
                "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              },
              "exploitabilityScore": 1.9,
              "impactScore": 10.0,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.0,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.0,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2022-04-05T13:15:07.777",
        "references": [
          {
            "source": "security@xen.org",
            "tags": [
              "Mailing List",
              "Patch",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/04/05/2"
          },
          {
            "source": "security@xen.org",
            "tags": [
              "Patch",
              "Vendor Advisory"
            ],
            "url": "http://xenbits.xen.org/xsa/advisory-399.html"
          },
          {
            "source": "security@xen.org",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/"
          },
          {
            "source": "security@xen.org",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/"
          },
          {
            "source": "security@xen.org",
            "url": "https://security.gentoo.org/glsa/202402-07"
          },
          {
            "source": "security@xen.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5117"
          },
          {
            "source": "security@xen.org",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://xenbits.xenproject.org/xsa/advisory-399.txt"
          }
        ],
        "sourceIdentifier": "security@xen.org",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-362"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.