
xen

500 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-23555
>= 4.18.0
Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to
7.1 HIGH
CVE-2026-23554
>= 4.17
The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that mu
7.8 HIGH
CVE-2026-23553
>= 4.6.0
In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCP
2.9 LOW
CVE-2025-58150
all versions
Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are writt
8.8 HIGH
CVE-2025-58149
>= 4.0.0
When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device mi
7.5 HIGH
CVE-2025-58148
>= 4.15.0
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
7.5 HIGH
CVE-2025-58147
>= 4.15.0
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
7.5 HIGH
CVE-2025-58145
>= 4.12.0 and < 4.17.0
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
7.5 HIGH
CVE-2025-58144
>= 4.12.0 and < 4.17.0
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
7.5 HIGH
CVE-2025-58143
>= 4.13.0 and < 4.17.0
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
9.8 CRITICAL
CVE-2025-58142
>= 4.13.0 and < 4.17.0
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
9.8 CRITICAL
CVE-2025-27466
>= 4.13.0 and < 4.17.0
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
9.8 CRITICAL
CVE-2025-1713
>= 4.0.0
When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is requ
7.5 HIGH
CVE-2025-27465
>= 4.9.0
Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an
4.3 MEDIUM
CVE-2024-31144
>= 1.249.0 and <= 1.249.37
For a brief summary of Xapi terminology, see: https://xapi-project.github.io/xen-api/overview.html#object-model-overview Xap
3.8 LOW
CVE-2024-45819
>= 4.8.0
PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, wh
5.5 MEDIUM
CVE-2024-45818
>= 4.6.0 and < 4.20.0
The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the (virtual) VGA is in "standard" mode. Lock
6.5 MEDIUM
CVE-2024-45817
>= 4.5.0
In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furt
7.3 HIGH
CVE-2024-31146
all versions
When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of res
7.5 HIGH
CVE-2024-31145
>= 4.0.0
Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR")
7.5 HIGH
CVE-2024-31143
>= 4.4.0
An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike fo
7.5 HIGH
CVE-2024-31142
< 4.15.6
Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be us
7.5 HIGH
CVE-2023-46842
>= 3.2.0
Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set
6.5 MEDIUM
CVE-2023-46841
>= 4.14.0
Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this is Shadow Stacks (CET
6.5 MEDIUM
CVE-2023-46840
>= 4.17
Incorrect placement of a preprocessor directive in source code results in logic that doesn't operate as intended when support for
4.1 MEDIUM
CVE-2023-46839
all versions
PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests usi
5.3 MEDIUM
CVE-2023-46837
<= 4.16
Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating gue
3.3 LOW
CVE-2023-46836
all versions
The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed t
4.7 MEDIUM
CVE-2023-46835
all versions
The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address w
5.5 MEDIUM
CVE-2023-34328
>= 4.5.0 and < 4.14.0
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
5.5 MEDIUM
CVE-2023-34327
>= 4.5.0
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
5.5 MEDIUM
CVE-2023-34326
all versions
The caching invalidation guidelines from the AMD-Vi specification (48882-Rev 3.07-PUB-Oct 2022) are incorrect on some hardware, as
7.8 HIGH
CVE-2023-34325
all versions
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
7.8 HIGH
CVE-2023-34324
all versions
Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parall
4.9 MEDIUM
CVE-2023-34323
< 4.17.0
When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It woul
5.5 MEDIUM
CVE-2023-34322
>= 3.2.0 and < 4.15.0
For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. Since
7.8 HIGH
CVE-2023-34321
<= 4.16
Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating gue
3.3 LOW
CVE-2023-34320
all versions
Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a cor
5.5 MEDIUM
CVE-2023-4949
all versions
An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-l
8.1 HIGH
CVE-2023-34319
>= 3.2.0
The fix for XSA-423 added logic to Linux's netback driver to deal with a frontend splitting a packet in a way such that not all o
7.8 HIGH
CVE-2022-40982
all versions
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R
6.5 MEDIUM
CVE-2023-20588
all versions
A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.
5.5 MEDIUM
CVE-2023-20593
all versions
An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensiti
5.5 MEDIUM
CVE-2022-4949
all versions
The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload'
8.8 HIGH
CVE-2022-42336
all versions
Mishandling of guest SSBD selection on AMD hardware. The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processor
3.3 LOW
CVE-2022-42335
all versions
x86 shadow paging arbitrary pointer dereference. In environments where host assisted address translation is necessary but Hardware
7.8 HIGH
CVE-2022-42334
>= 4.11.0 and <= 4.17.0
x86/HVM pinned cache attributes mis-handling. [This CNA information record relates to multiple CVEs; the text explains which aspect
6.5 MEDIUM
CVE-2022-42333
>= 4.11.0 and <= 4.17.0
x86/HVM pinned cache attributes mis-handling. [This CNA information record relates to multiple CVEs; the text explains which aspect
8.6 HIGH
CVE-2022-42332
>= 3.2.0
x86 shadow plus log-dirty mode use-after-free. In environments where host assisted address translation is necessary but Hardware As
7.8 HIGH
CVE-2022-42331
>= 4.5.0 and <= 4.17.0
x86: speculative vulnerability in 32bit SYSCALL path. Due to an oversight in the very original Spectre/Meltdown security work (XSA-
5.5 MEDIUM
CVE-2022-42330
all versions
Guests can cause Xenstore crash via soft reset. When a guest issues a "Soft Reset" (e.g. for performing a kexec) the libxl based Xe
7.5 HIGH
CVE-2022-23824
all versions
IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information
5.5 MEDIUM
CVE-2022-42327
all versions
x86: unintended memory sharing between guests. On Intel systems that support the "virtualize APIC accesses" feature, a guest can re
7.1 HIGH
CVE-2022-42326
>= 4.9.0
Xenstore: Guests can create arbitrary number of nodes via transactions. [This CNA information record relates to multiple CVEs; the
5.5 MEDIUM
CVE-2022-42325
>= 4.9.0
Xenstore: Guests can create arbitrary number of nodes via transactions. [This CNA information record relates to multiple CVEs; the
5.5 MEDIUM
CVE-2022-42324
all versions
Oxenstored 32-31 bit integer truncation issues. Integers in OCaml are 63 or 31 bits of signed precision. The OCaml Xenbus library t
5.5 MEDIUM
CVE-2022-42323
all versions
Xenstore: Cooperating guests can create arbitrary numbers of nodes. [This CNA information record relates to multiple CVEs; the text
5.5 MEDIUM
CVE-2022-42322
all versions
Xenstore: Cooperating guests can create arbitrary numbers of nodes. [This CNA information record relates to multiple CVEs; the text
5.5 MEDIUM
CVE-2022-42321
all versions
Xenstore: Guests can crash xenstored via exhausting the stack. Xenstored is using recursion for some Xenstore operations (e.g. for
6.5 MEDIUM
CVE-2022-42320
all versions
Xenstore: Guests can get access to Xenstore nodes of deleted domains. Access rights of Xenstore nodes are per domid. When a domain
7.0 HIGH
CVE-2022-42319
>= 4.9.0
Xenstore: Guests can cause Xenstore to not free temporary memory. When working on a request of a guest, xenstored might need to all
6.5 MEDIUM
CVE-2022-42318
all versions
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains whic
6.5 MEDIUM
CVE-2022-42317
all versions
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains whic
6.5 MEDIUM
CVE-2022-42316
all versions
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains whic
6.5 MEDIUM
CVE-2022-42315
all versions
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains whic
6.5 MEDIUM
CVE-2022-42314
all versions
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains whic
6.5 MEDIUM
CVE-2022-42313
all versions
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains whic
6.5 MEDIUM
CVE-2022-42312
all versions
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains whic
6.5 MEDIUM
CVE-2022-42311
all versions
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains whic
6.5 MEDIUM
CVE-2022-42310
>= 4.9.0 and < 4.13.0
Xenstore: Guests can create orphaned Xenstore nodes. By creating multiple nodes inside a transaction resulting in an error, a malic
5.5 MEDIUM
CVE-2022-42309
all versions
Xenstore: Guests can crash xenstored. Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong point
8.8 HIGH
CVE-2022-33749
all versions
XAPI open file limit DoS. It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limi
5.3 MEDIUM
CVE-2022-33748
>= 4.0
lock order inversion in transitive grant copy handling. As part of XSA-226 a missing cleanup call was inserted on an error handling
5.6 MEDIUM
CVE-2022-33747
all versions
Arm: unbounded memory consumption for 2nd-level page tables. Certain actions require e.g. removing pages from a guest's P2M (Physic
3.8 LOW
CVE-2022-33746
>= 4.13.0 and <= 4.16.1
P2M pool freeing may take excessively long. The P2M pool backing second level address translation for guests may be of significant
6.5 MEDIUM
CVE-2022-33745
all versions
insufficient TLB flush for x86 PV guests in shadow mode. For migration as well as to work around kernels unaware of L1TF (see XSA-2
8.8 HIGH
CVE-2022-29901
all versions
Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in
5.6 MEDIUM
CVE-2022-29900
all versions
Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitect
6.5 MEDIUM
CVE-2022-33743
all versions
network backend may cause Linux netfront to use freed SKBs. While adding logic to support XDP (eXpress Data Path), a code label was
7.8 HIGH
CVE-2022-33742
all versions
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnera
7.1 HIGH
CVE-2022-33741
all versions
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnera
7.1 HIGH
CVE-2022-33740
all versions
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnera
7.1 HIGH
CVE-2022-26365
all versions
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnera
7.1 HIGH
CVE-2022-21166
all versions
Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to p
5.5 MEDIUM
CVE-2022-21127
all versions
Incomplete cleanup in specific special register read operations for some Intel(R) Processors may allow an authenticated user to po
5.5 MEDIUM
CVE-2022-21125
all versions
Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially e
5.5 MEDIUM
CVE-2022-21123
all versions
Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable
5.5 MEDIUM
CVE-2022-26364
all versions
x86 pv: Insufficient care with non-coherent mappings. [This CNA information record relates to multiple CVEs; the text explains whic
6.7 MEDIUM
CVE-2022-26363
all versions
x86 pv: Insufficient care with non-coherent mappings. [This CNA information record relates to multiple CVEs; the text explains whic
6.7 MEDIUM
CVE-2022-26362
all versions
x86 pv: Race condition in typeref acquisition. Xen maintains a type reference count for pages, in addition to a regular reference c
6.4 MEDIUM
CVE-2022-26361
all versions
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. [This CNA information record relates to multiple CVEs; the text explains
7.8 HIGH
CVE-2022-26360
all versions
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. [This CNA information record relates to multiple CVEs; the text explains
7.8 HIGH
CVE-2022-26359
all versions
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. [This CNA information record relates to multiple CVEs; the text explains
7.8 HIGH
CVE-2022-26358
all versions
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. [This CNA information record relates to multiple CVEs; the text explains
7.8 HIGH
CVE-2022-26357
>= 4.11.0 and < 4.12.0
race in VT-d domain ID cleanup. Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a
7.0 HIGH
CVE-2022-26356
>= 4.0.0 and < 4.12.0
Racy interactions between dirty vram tracking and paging log dirty hypercalls. Activation of log dirty mode done by XEN_DMOP_track_
5.6 MEDIUM
CVE-2022-23960
all versions
Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An atta
5.6 MEDIUM
CVE-2022-23042
all versions
Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explai
7.0 HIGH
CVE-2022-23041
all versions
Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explai
7.0 HIGH
CVE-2022-23040
all versions
Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explai
7.0 HIGH
CVE-2022-23039
all versions
Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explai
7.0 HIGH
CVE-2022-23038
all versions
Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explai
7.0 HIGH
CVE-2022-23037
all versions
Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explai
7.0 HIGH
CVE-2022-23036
all versions
Linux PV device frontends vulnerable to attacks by backends. [This CNA information record relates to multiple CVEs; the text explai
7.0 HIGH
CVE-2022-23035
>= 4.6.0
Insufficient cleanup of passed-through device IRQs. The management of IRQs associated with physical devices exposed to x86 HVM gues
4.6 MEDIUM
CVE-2022-23034
>= 3.2.0 and < 4.13.0
A PV guest could DoS Xen while unmapping a grant. To address XSA-380, reference counting was introduced for grant mappings for the
5.5 MEDIUM
CVE-2022-23033
>= 4.12.0
arm: guest_physmap_remove_page not removing the p2m mappings. The functions to remove one or more entries from a guest p2m pagetabl
7.8 HIGH
CVE-2021-28713
all versions
Rogue backends can cause DoS of guests via high frequency events. [This CNA information record relates to multiple CVEs; the text e
6.5 MEDIUM
CVE-2021-28712
all versions
Rogue backends can cause DoS of guests via high frequency events. [This CNA information record relates to multiple CVEs; the text e
6.5 MEDIUM
CVE-2021-28711
all versions
Rogue backends can cause DoS of guests via high frequency events. [This CNA information record relates to multiple CVEs; the text e
6.5 MEDIUM
CVE-2021-28703
< 14.4
grant table v2 status pages may remain accessible after de-allocation (take two). Guests get permitted access to certain Xen-owned p
7.0 HIGH
CVE-2021-28709
>= 3.4.0 and <= 4.12.4
issues with partially successful P2M updates on x86. [This CNA information record relates to multiple CVEs; the text explains which
7.8 HIGH
CVE-2021-28705
>= 3.4.0 and <= 4.12.4
issues with partially successful P2M updates on x86. [This CNA information record relates to multiple CVEs; the text explains which
7.8 HIGH
CVE-2021-28708
>= 4.7.0 and <= 4.15.1
PoD operations on misaligned GFNs. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabi
8.8 HIGH
CVE-2021-28707
>= 4.7.0 and <= 4.15.1
PoD operations on misaligned GFNs. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabi
8.8 HIGH
CVE-2021-28706
>= 3.2 and < 4.12
guests may exceed their designated memory limit. When a guest is permitted to have close to 16TiB of memory, it may be able to issu
8.6 HIGH
CVE-2021-28704
>= 4.7.0 and <= 4.15.1
PoD operations on misaligned GFNs. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabi
8.8 HIGH
CVE-2021-28710
all versions
certain VT-d IOMMUs may not work in shared page table mode. For efficiency reasons, address translation control structures (page ta
8.8 HIGH
CVE-2021-28702
>= 4.13.0 and <= 4.15.1
PCI devices with RMRRs not deassigned correctly. Certain PCI devices in a system might be assigned Reserved Memory Regions (specifi
7.6 HIGH
CVE-2021-28701
>= 4.0.0
Another race in XENMAPSPACE_grant_table handling. Guests are permitted access to certain Xen-owned pages of memory. The majority of
7.8 HIGH
CVE-2021-28700
>= 4.12.0
xen/arm: No memory limit for dom0less domUs. The dom0less feature allows an administrator to create multiple unprivileged domains d
4.9 MEDIUM
CVE-2021-28699
>= 4.10.0
inadequate grant-v2 status frames array bounds check. The v2 grant table interface separates grant attributes from grant status. Th
5.5 MEDIUM
CVE-2021-28698
>= 3.2.0
long running loops in grant table handling. In order to properly monitor resource use, Xen maintains information on the grant mappi
5.5 MEDIUM
CVE-2021-28697
>= 4.0.0 and <= 4.15.0
grant table v2 status pages may remain accessible after de-allocation. Guests get permitted access to certain Xen-owned pages of mem
7.8 HIGH
CVE-2021-28696
all versions
IOMMU page mapping issues on x86. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabil
6.8 MEDIUM
CVE-2021-28695
all versions
IOMMU page mapping issues on x86. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabil
6.8 MEDIUM
CVE-2021-28694
all versions
IOMMU page mapping issues on x86. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabil
6.8 MEDIUM
CVE-2021-28693
>= 4.12.0 and <= 4.15.0
xen/arm: Boot modules are not scrubbed. The bootloader will load boot modules (e.g. kernel, initramfs...) in a temporary area befor
5.5 MEDIUM
CVE-2021-28692
>= 3.2.0
inappropriate x86 IOMMU timeout detection / handling. IOMMUs process commands issued to them in parallel with the operation of the
7.1 HIGH
CVE-2021-28690
>= 4.12 and <= 4.15.0
x86: TSX Async Abort protections not restored after S3. This issue relates to the TSX Async Abort speculative security vulnerabilit
6.5 MEDIUM
CVE-2021-28689
< 4.12.0
x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests. 32-bit x86 PV guest kernels run in ring 1. At the time when
5.5 MEDIUM
CVE-2021-28687
>= 4.12 and <= 4.15.0
HVM soft-reset crashes toolstack. libxl requires all data structures passed across its public interface to be initialized before us
5.5 MEDIUM
CVE-2021-26314
all versions
Potential floating point value injection in all supported CPU products, in conjunction with software vulnerabilities relating to s
5.5 MEDIUM
CVE-2021-26313
all versions
Potential speculative code store bypass in all supported CPU products, in conjunction with software vulnerabilities relating to sp
5.5 MEDIUM
CVE-2021-28039
all versions
An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV
6.5 MEDIUM
CVE-2021-27379
>= 3.2.0 and < 4.12.0
An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM guest OS users to achieve unintended read/write DMA access,
7.8 HIGH
CVE-2021-26933
>= 4.9.0 and <= 4.14.1
An issue was discovered in Xen 4.9 through 4.14.x. On Arm, a guest is allowed to control whether memory accesses are bypassing the
5.5 MEDIUM
CVE-2021-3308
>= 4.13.1 and <= 4.14.1
An issue was discovered in Xen 4.12.3 through 4.12.4 and 4.13.1 through 4.14.x. An x86 HVM guest with PCI pass through devices can
5.5 MEDIUM
CVE-2020-29487
< 2020-12-15
An issue was discovered in Xen XAPI before 2020-12-15. Certain xenstore keys provide feedback from the guest, and are therefore wa
7.5 HIGH
CVE-2020-29486
<= 4.14.0
An issue was discovered in Xen through 4.14.x. Nodes in xenstore have an ownership. In oxenstored, an owner could give a node away.
6.0 MEDIUM
CVE-2020-29485
>= 4.6.0 and <= 4.14.0
An issue was discovered in Xen 4.6 through 4.14.x. When acting upon a guest XS_RESET_WATCHES request, not all tracking information
5.5 MEDIUM
CVE-2020-29484
<= 4.14.0
An issue was discovered in Xen through 4.14.x. When a Xenstore watch fires, the xenstore client that registered the watch will rec
6.0 MEDIUM
CVE-2020-29483
<= 4.14.0
An issue was discovered in Xen through 4.14.x. Xenstored and guests communicate via a shared memory page using a specific protocol
6.5 MEDIUM
CVE-2020-29482
<= 4.14.0
An issue was discovered in Xen through 4.14.x. A guest may access xenstore paths via absolute paths containing a full pathname, or
6.0 MEDIUM
CVE-2020-29481
<= 4.14.0
An issue was discovered in Xen through 4.14.x. Access rights of Xenstore nodes are per domid. Unfortunately, existing granted acce
8.8 HIGH
CVE-2020-29480
<= 4.14.0
An issue was discovered in Xen through 4.14.x. Neither xenstore implementation does any permission checks when reporting a xenstor
2.3 LOW
CVE-2020-29479
<= 4.14.0
An issue was discovered in Xen through 4.14.x. In the OCaml xenstored implementation, the internal representation of the tree has
8.8 HIGH
CVE-2020-29571
>= 4.4.0 and <= 4.14.0
An issue was discovered in Xen through 4.14.x. A bounds check common to most operation time functions specific to FIFO event chann
6.2 MEDIUM
CVE-2020-29570
>= 4.4.0 and <= 4.14.0
An issue was discovered in Xen through 4.14.x. Recording of the per-vCPU control block mapping maintained by Xen and that of point
6.2 MEDIUM
CVE-2020-29569
<= 4.14.1
An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend exp
8.8 HIGH
CVE-2020-29568
<= 4.14.1
An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a
6.5 MEDIUM
CVE-2020-29567
<= 4.14.0
An issue was discovered in Xen 4.14.x. When moving IRQs between CPUs to distribute the load of IRQ handling, IRQ vectors are dynam
6.2 MEDIUM
CVE-2020-29566
<= 4.14.0
An issue was discovered in Xen through 4.14.x. When they require assistance from the device model, x86 HVM guests must be temporar
5.5 MEDIUM
CVE-2020-29040
<= 4.14.0
An issue was discovered in Xen through 4.14.x allowing x86 HVM guest OS users to cause a denial of service (stack corruption), cau
8.8 HIGH
CVE-2020-28368
<= 4.14.0
Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a
4.4 MEDIUM
CVE-2020-27674
<= 4.14.0
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memor
5.3 MEDIUM
CVE-2020-27673
<= 4.14.0
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of s
5.5 MEDIUM
CVE-2020-27672
>= 3.2.0 and <= 4.14.0
An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a host OS denial of service, achieve data corru
7.0 HIGH
CVE-2020-27671
>= 4.2.0 and <= 4.14.0
An issue was discovered in Xen through 4.14.x allowing x86 HVM and PVH guest OS users to cause a denial of service (data corruptio
7.8 HIGH
CVE-2020-27670
<= 4.14.0
An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a denial of service (data corruption), cause a
7.8 HIGH
CVE-2020-25604
<= 4.14.0
An issue was discovered in Xen through 4.14.x. There is a race condition when migrating timers between x86 HVM vCPUs. When migrati
4.7 MEDIUM
CVE-2020-25603
<= 4.14.0
An issue was discovered in Xen through 4.14.x. There are missing memory barriers when accessing/allocating an event channel. Event
7.8 HIGH
CVE-2020-25602
>= 4.11.0 and <= 4.14.0
An issue was discovered in Xen through 4.14.x. An x86 PV guest can trigger a host OS crash when handling guest access to MSR_MISC_
6.0 MEDIUM
CVE-2020-25601
<= 4.14.0
An issue was discovered in Xen through 4.14.x. There is a lack of preemption in evtchn_reset() / evtchn_destroy(). In particular,
5.5 MEDIUM
CVE-2020-25600
>= 4.4.0 and <= 4.14.0
An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-l
5.5 MEDIUM
CVE-2020-25599
>= 4.5.0 and <= 4.14.0
An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a
7.0 HIGH
CVE-2020-25598
>= 4.12.0 and <= 4.14.0
An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error path. The RCU (Read, Copy, U
5.5 MEDIUM
CVE-2020-25597
>= 4.4.0 and <= 4.14.0
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn
6.5 MEDIUM
CVE-2020-25596
>= 3.2.0 and <= 4.14.0
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER in
5.5 MEDIUM
CVE-2020-25595
<= 4.14.0
An issue was discovered in Xen through 4.14.x. The PCI passthrough code improperly uses register data. Code paths in Xen's MSI han
7.8 HIGH
CVE-2020-15852
<= 4.13.1
An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in Xen through 4.13.x for x86 PV guests. An attacker may be
7.8 HIGH
CVE-2020-15567
<= 4.13.1
An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service becau
7.8 HIGH
CVE-2020-15566
>= 4.10.0 and <= 4.13.1
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handlin
6.5 MEDIUM
CVE-2020-15565
>= 3.2.0 and <= 4.13.1
An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possi
8.8 HIGH
CVE-2020-15564
>= 4.8.0 and <= 4.13.1
An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash because of a missing alignm
6.5 MEDIUM
CVE-2020-15563
>= 4.8.0 and <= 4.13.1
An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash. An inverted conditiona
6.5 MEDIUM
CVE-2020-11743
<= 4.13.0
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of a bad error path in
5.5 MEDIUM
CVE-2020-11742
<= 4.13.0
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of bad continuation ha
5.5 MEDIUM
CVE-2020-11741
<= 4.13.0
An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (with active profiling) to obtain sensitive inf
8.8 HIGH
CVE-2020-11740
>= 3.2.0 and <= 4.13.0
An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive
5.5 MEDIUM
CVE-2020-11739
<= 4.13.0
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges be
7.8 HIGH
CVE-2015-6815
all versions
The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when send
3.5 LOW
CVE-2019-19583
>= 4.8.0 and <= 4.12.1
An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH guest OS users to cause a denial of service (guest OS crash) be
7.5 HIGH
CVE-2019-19582
>= 4.8.0 and <= 4.12.1
An issue was discovered in Xen through 4.12.x allowing x86 guest OS users to cause a denial of service (infinite loop) because cer
6.5 MEDIUM
CVE-2019-19581
>= 4.8.0 and <= 4.12.1
An issue was discovered in Xen through 4.12.x allowing 32-bit Arm guest OS users to cause a denial of service (out-of-bounds acces
6.5 MEDIUM
CVE-2019-19580
<= 4.12.1
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditi
6.6 MEDIUM
CVE-2019-19578
<= 4.12.1
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of
8.8 HIGH
CVE-2019-19577
<= 4.12.1
An issue was discovered in Xen through 4.12.x allowing x86 AMD HVM guest OS users to cause a denial of service or possibly gain pr
7.2 HIGH
CVE-2019-19579
<= 4.12.1
An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrus
6.8MEDIUM
CVE-2019-18425
<= 4.12.1
An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by installing and usin
9.8CRITICAL
CVE-2019-18424
<= 4.12.1
An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrus
6.8MEDIUM
CVE-2019-18423
>= 4.8 and <= 4.12.1
An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service via a XENMEM_add_to_physmap
8.8HIGH
CVE-2019-18422
<= 4.12.1
An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service or gain privileges by lever
8.8HIGH
CVE-2019-18421
<= 4.12.1
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditi
7.5HIGH
CVE-2019-18420
<= 4.12.1
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via a VCPUOP_initialise
6.5MEDIUM
CVE-2019-17349
<= 4.12.1
An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a
5.5MEDIUM
CVE-2019-17348
<= 4.11.2
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service because of an incompatib
6.5MEDIUM
CVE-2019-17347
>= 4.1.0 and <= 4.11.2
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges becau
7.8HIGH
CVE-2019-17346
<= 4.11.2
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges becau
8.8HIGH
CVE-2019-17345
>= 4.8.0 and <= 4.11.2
An issue was discovered in Xen 4.8.x through 4.11.x allowing x86 PV guest OS users to cause a denial of service because mishandlin
6.5MEDIUM
CVE-2019-17344
<= 4.11.2
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service by leveraging a long-run
6.5MEDIUM
CVE-2019-17343
<= 4.11.2
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by le
6.8MEDIUM
CVE-2019-17342
<= 4.11.2
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by le
7.0HIGH
CVE-2019-17341
<= 4.11.2
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by le
7.8HIGH
CVE-2019-17340
>= 3.2.0 and <= 4.11.2
An issue was discovered in Xen through 4.11.x allowing x86 guest OS users to cause a denial of service or gain privileges because
8.8HIGH
CVE-2019-17351
<= 4.12.1
An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest O
6.5MEDIUM
CVE-2019-17350
<= 4.12.1
An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a
5.5MEDIUM
CVE-2018-19967
<= 4.11.1
An issue was discovered in Xen through 4.11.x on Intel x86 platforms allowing guest OS users to cause a denial of service (host OS
6.5MEDIUM
CVE-2018-19966
>= 4.11.0 and <= 4.11.1
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possi
8.8HIGH
CVE-2018-19965
<= 4.11.1
An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) becau
5.6MEDIUM
CVE-2018-19964
>= 4.11.0 and <= 4.11.1
An issue was discovered in Xen 4.11.x allowing x86 guest OS users to cause a denial of service (host OS hang) because the p2m lock
6.5MEDIUM
CVE-2018-19963
all versions
An issue was discovered in Xen 4.11 allowing HVM guest OS users to cause a denial of service (host OS crash) or possibly gain host
7.8HIGH
CVE-2018-19962
<= 4.11.1
An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges be
7.8HIGH
CVE-2018-19961
<= 4.11.1
An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges be
7.8HIGH
CVE-2018-18883
>= 4.9.0 and <= 4.11.0
An issue was discovered in Xen 4.9.x through 4.11.x, on Intel x86 platforms, allowing x86 HVM and PVH guests to cause a host OS de
8.8HIGH
CVE-2018-15471
<= 4.11.0
An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used i
7.8HIGH
CVE-2018-15470
<= 4.11.0
An issue was discovered in Xen through 4.11.x. The logic in oxenstored for handling writes depended on the order of evaluation of
6.5MEDIUM
CVE-2018-15469
<= 4.11.0
An issue was discovered in Xen through 4.11.x. ARM never properly implemented grant table v2, either in the hypervisor or in Linux
6.5MEDIUM
CVE-2018-15468
<= 4.11.0
An issue was discovered in Xen through 4.11.x. The DEBUGCTL MSR contains several debugging features, some of which virtualise clea
6.0MEDIUM
CVE-2018-14678
<= 4.11.0
An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point
7.8HIGH
CVE-2017-2620
<= 4.7.1
Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access iss
5.5MEDIUM
CVE-2017-2615
<= 4.7.1
Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It coul
5.5MEDIUM
CVE-2018-12893
<= 4.10.0
An issue was discovered in Xen through 4.10.x. One of the fixes in XSA-260 added some safety checks to help prevent Xen livelockin
6.5MEDIUM
CVE-2018-12892
>= 4.7.0 and <= 4.10.1
An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass the readonly flag to qemu when setting up a SCSI disk, due
9.9CRITICAL
CVE-2018-12891
<= 4.10.1
An issue was discovered in Xen through 4.10.x. Certain PV MMU operations may take a long time to process. For that reason Xen expl
6.5MEDIUM
CVE-2018-10982
<= 4.10.1
An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (unexpectedly high inte
8.8HIGH
CVE-2018-10981
<= 4.10.1
An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (host OS infinite loop)
6.5MEDIUM
CVE-2018-8897
all versions
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandl
7.8HIGH
CVE-2018-10472
<= 4.10.1
An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users (in certain configurations) to read arbitrary dom0 f
5.6MEDIUM
CVE-2018-10471
<= 4.10.1
An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (out-of-bounds zero writ
6.5MEDIUM
CVE-2018-7542
>= 4.8.0 and <= 4.10.0
An issue was discovered in Xen 4.8.x through 4.10.x allowing x86 PVH guest OS users to cause a denial of service (NULL pointer der
6.5MEDIUM
CVE-2018-7541
<= 4.10.0
An issue was discovered in Xen through 4.10.x allowing guest OS users to cause a denial of service (hypervisor crash) or gain priv
8.8HIGH
CVE-2018-7540
<= 4.10.0
An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (host OS CPU hang) via n
6.5MEDIUM
CVE-2018-5244
>= 4.10.0
In Xen 4.10, new infrastructure was introduced as part of an overhaul to how MSR emulation happens for guests. Unfortunately, one
6.5MEDIUM
CVE-2017-17566
<= 4.9.1
An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) or gain host
7.8HIGH
CVE-2017-17565
<= 4.9.1
An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) if shadow mod
5.6MEDIUM
CVE-2017-17564
<= 4.9.1
An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS
7.8HIGH
CVE-2017-17563
<= 4.9.1
An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS
7.8HIGH
CVE-2017-17046
<= 4.9.1
An issue was discovered in Xen through 4.9.x on the ARM platform allowing guest OS users to obtain sensitive information from DRAM
6.5MEDIUM
CVE-2017-17045
<= 4.9.1
An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to gain privileges on the host OS, obtain sensitive infor
8.8HIGH
CVE-2017-17044
<= 4.9.1
An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to cause a denial of service (infinite loop and host OS h
6.5MEDIUM
CVE-2017-15597
<= 4.9.0
An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a
9.1CRITICAL
CVE-2017-15596
all versions
An issue was discovered in Xen 4.4.x through 4.9.x allowing ARM guest OS users to cause a denial of service (prevent physical CPU
6.0MEDIUM
CVE-2017-15595
<= 4.9.0
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, sta
8.8HIGH
CVE-2017-15594
<= 4.9.0
An issue was discovered in Xen through 4.9.x allowing x86 SVM PV guest OS users to cause a denial of service (hypervisor crash) or
8.8HIGH
CVE-2017-15593
<= 4.9.0
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (memory leak) because ref
6.5MEDIUM
CVE-2017-15592
<= 4.9.0
An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to cause a denial of service (hypervisor crash) or po
8.8HIGH
CVE-2017-15591
all versions
An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers (who control a stub domain kernel or tool stack) to cause a
6.5MEDIUM
CVE-2017-15590
all versions
An issue was discovered in Xen through 4.9.x allowing x86 guest OS users to cause a denial of service (hypervisor crash) or possib
8.8HIGH
CVE-2017-15589
all versions
An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to obtain sensitive information from the host OS (or
6.5MEDIUM
CVE-2017-15588
all versions
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to execute arbitrary code on the host OS because of a
7.8HIGH
CVE-2015-7504
all versions
Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denia
8.8HIGH
CVE-2017-14431
all versions
Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a denial of service (ARM or x86 AMD host OS memory consumption
5.5MEDIUM
CVE-2017-14319
<= 4.9.0
A grant unmapping issue was discovered in Xen through 4.9.x. When removing or replacing a grant mapping, the x86 PV specific path
8.8HIGH
CVE-2017-14318
all versions
An issue was discovered in Xen 4.5.x through 4.9.x. The function __gnttab_cache_flush handles GNTTABOP_cache_flush grant table o
6.5MEDIUM
CVE-2017-14317
<= 4.9.0
A domain cleanup issue was discovered in the C xenstore daemon (aka cxenstored) in Xen through 4.9.x. When shutting down a VM with
5.6MEDIUM
CVE-2017-14316
<= 4.9.0
A parameter verification issue was discovered in Xen through 4.9.x. The function alloc_heap_pages allows callers to specify the
8.8HIGH
CVE-2017-12137
all versions
arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref.
8.8HIGH
CVE-2017-12136
all versions
Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of servic
7.8HIGH
CVE-2017-12135
all versions
Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges v
8.8HIGH
CVE-2017-12134
all versions
The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device d
8.8HIGH
CVE-2017-12855
all versions
Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to
6.5MEDIUM
CVE-2017-10923
all versions
Xen through 4.8.x does not validate a vCPU array index upon the sending of an SGI, which allows guest OS users to cause a denial o
6.5MEDIUM
CVE-2017-10922
<= 4.8.1
The grant-table feature in Xen through 4.8.x mishandles MMIO region grant references, which allows guest OS users to cause a denia
7.5HIGH
CVE-2017-10921
<= 4.8.1
The grant-table feature in Xen through 4.8.x does not ensure sufficient type counts for a GNTMAP_device_map and GNTMAP_host_map ma
10.0CRITICAL
CVE-2017-10920
<= 4.8.1
The grant-table feature in Xen through 4.8.x mishandles a GNTMAP_device_map and GNTMAP_host_map mapping, when followed by only a G
10.0CRITICAL
CVE-2017-10919
<= 4.8.1
Xen through 4.8.x mishandles virtual interrupt injection, which allows guest OS users to cause a denial of service (hypervisor cra
6.5MEDIUM
CVE-2017-10918
<= 4.8.1
Xen through 4.8.x does not validate memory allocations during certain P2M operations, which allows guest OS users to obtain privil
10.0CRITICAL
CVE-2017-10917
<= 4.8.1
Xen through 4.8.x does not validate the port numbers of polled event channel ports, which allows guest OS users to cause a denial
9.1CRITICAL
CVE-2017-10916
all versions
The vCPU context-switch implementation in Xen through 4.8.x improperly interacts with the Memory Protection Extensions (MPX) and P
7.5HIGH
CVE-2017-10915
<= 4.8.1
The shadow-paging feature in Xen through 4.8.x mismanages page references and consequently introduces a race condition, which allo
9.0CRITICAL
CVE-2017-10914
<= 4.8.1
The grant-table feature in Xen through 4.8.x has a race condition leading to a double free, which allows guest OS users to cause a
8.1HIGH
CVE-2017-10913
<= 4.8.1
The grant-table feature in Xen through 4.8.x provides false mapping information in certain cases of concurrent unmap calls, which
9.8CRITICAL
CVE-2017-10912
<= 4.8.1
Xen through 4.8.x mishandles page transfer, which allows guest OS users to obtain privileged host OS access, aka XSA-217.
10.0CRITICAL
CVE-2017-8905
all versions
Xen through 4.6.x on 64-bit platforms mishandles a failsafe callback, which might allow PV guest OS users to execute arbitrary cod
8.8HIGH
CVE-2017-8904
all versions
Xen through 4.8.x mishandles the "contains segment descriptors" property during GNTTABOP_transfer (aka guest transfer) operations,
8.8HIGH
CVE-2017-8903
all versions
Xen through 4.8.x on 64-bit platforms mishandles page tables after an IRET hypercall, which might allow PV guest OS users to execu
8.8HIGH
CVE-2017-7995
<= 4.2.5
Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges only after accessing them, allowing host PCI device space me
3.8LOW
CVE-2017-7228
all versions
An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA
8.2HIGH
CVE-2016-9818
all versions
Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous
6.5MEDIUM
CVE-2016-9817
all versions
Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving a (1) data or (2
6.5MEDIUM
CVE-2016-9816
all versions
Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous
6.5MEDIUM
CVE-2016-9815
all versions
Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort.
6.5MEDIUM
CVE-2016-9384
all versions
Xen 4.7 allows local guest OS users to obtain sensitive host information by loading a 32-bit ELF symbol table.
6.5MEDIUM
CVE-2016-9378
all versions
Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, al
5.5MEDIUM
CVE-2016-9377
all versions
Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, al
5.5MEDIUM
CVE-2016-9932
all versions
CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows local HVM guest OS users to obtain sensitive information from
3.3LOW
CVE-2016-10025
all versions
VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions (aka SVM) allows local HVM guest OS
5.5MEDIUM
CVE-2016-10024
<= 4.8.0
Xen through 4.8.x allows local x86 PV guest OS kernel administrators to cause a denial of service (host hang or crash) by modifyin
6.0MEDIUM
CVE-2016-10013
<= 4.8.0
Xen through 4.8.x allows local 64-bit x86 HVM guest OS users to gain privileges by leveraging mishandling of SYSCALL singlestep du
7.8HIGH
CVE-2016-9386
all versions
The x86 emulator in Xen does not properly treat x86 NULL segments as unusable when accessing memory, which might allow local HVM g
7.8HIGH
CVE-2016-9385
all versions
The x86 segment base write emulation functionality in Xen 4.4.x through 4.7.x allows local x86 PV guest OS administrators to cause
6.0MEDIUM
CVE-2016-9383
all versions
Xen, when running on a 64-bit hypervisor, allows local x86 guest OS users to modify arbitrary memory and consequently obtain sensi
8.8HIGH
CVE-2016-9382
all versions
Xen 4.0.x through 4.7.x mishandle x86 task switches to VM86 mode, which allows local 32-bit x86 HVM guest OS users to gain privile
7.8HIGH
CVE-2016-9380
all versions
The pygrub boot loader emulator in Xen, when nul-delimited output format is requested, allows local pygrub-using guest OS administ
7.5HIGH
CVE-2016-9379
all versions
The pygrub boot loader emulator in Xen, when S-expression output format is requested, allows local pygrub-using guest OS administr
7.9HIGH
CVE-2016-7777
<= 4.7.0
Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which allows local x86 HVM guest OS users to read or modify FPU,
6.3MEDIUM
CVE-2016-7154
all versions
Use-after-free vulnerability in the FIFO event channel code in Xen 4.4.x allows local guest OS administrators to cause a denial of
6.7MEDIUM
CVE-2016-7094
<= 4.7.0
Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS administrators on guests running with shadow paging to caus
4.1MEDIUM
CVE-2016-7093
all versions
Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to overwrite hypervisor memory and consequently gain host OS p
8.2HIGH
CVE-2016-7092
all versions
The get_page_from_l3e function in arch/x86/mm.c in Xen allows local 32-bit PV guest OS administrators to gain host OS privileges v
8.2HIGH
CVE-2016-6259
all versions
Xen 4.5.x through 4.7.x do not implement Supervisor Mode Access Prevention (SMAP) whitelisting in 32-bit exception and event deliv
6.2MEDIUM
CVE-2016-6258
all versions
The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS pri
8.8HIGH
CVE-2016-5242
all versions
The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x allows local guest OS users with access to the driver domai
5.6MEDIUM
CVE-2016-4963
all versions
The libxl device-handling in Xen through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of s
4.7MEDIUM
CVE-2016-4962
all versions
The libxl device-handling in Xen 4.6.x and earlier allows local OS guest administrators to cause a denial of service (resource con
6.7MEDIUM
CVE-2014-3672
all versions
The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denial of service (host disk consum
6.5MEDIUM
CVE-2016-4480
<= 4.6.1
The guest_walk_tables function in arch/x86/mm/guest_walk.c in Xen 4.6.x and earlier does not properly handle the Page Size (PS) pa
8.4HIGH
CVE-2016-3960
all versions
Integer overflow in the x86 shadow pagetable code in Xen allows local guest OS users to cause a denial of service (host crash) or
8.8HIGH
CVE-2016-3961
<= 4.5.3
Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest OS
5.5MEDIUM
CVE-2015-8554
<= 4.6.1
Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using the qemu-xen-traditional (aka qemu-dm) device model, allows lo
7.5HIGH
CVE-2015-8550
all versions
Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash
8.2HIGH
CVE-2016-3159
>= 4.3.0 and <= 4.3.4
The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on
3.8LOW
CVE-2016-3158
<= 4.4.0
The xrstor function in arch/x86/xstate.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD
3.8LOW
CVE-2015-8555
all versions
Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to ma
8.6HIGH
CVE-2015-8553
all versions
Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling me
6.5MEDIUM
CVE-2015-8552
all versions
The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows loca
4.4MEDIUM
CVE-2016-3157
all versions
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel does not properly context-switch IOPL on 64-bit PV Xe
7.8HIGH
CVE-2016-2271
all versions
VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest c
5.5MEDIUM
CVE-2016-2270
<= 4.6.1
Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple
6.8MEDIUM
CVE-2016-1571
all versions
The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtual
6.3MEDIUM
CVE-2016-1570
all versions
The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sens
8.5HIGH
CVE-2015-8615
all versions
The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 does not limit the number of printk console messages when loggi
5.0MEDIUM
CVE-2015-8341
all versions
The libxl toolstack library in Xen 4.1.x through 4.6.x does not properly release mappings of files used as kernels and initial ram
CVE-2015-8340
all versions
The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow gues
CVE-2015-8339
all versions
The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which mi
CVE-2015-8338
<= 4.6.0
Xen 4.6.x and earlier does not properly enforce limits on page order inputs for the (1) XENMEM_increase_reservation, (2) XENMEM_po
CVE-2015-7812
all versions
The hypercall_create_continuation function in arch/arm/domain.c in Xen 4.4.x through 4.6.x allows local guest users to cause a den
CVE-2015-8104
all versions
The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of servi
10.0CRITICAL
CVE-2015-5307
all versions
The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of servi
CVE-2015-7972
all versions
The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in X
CVE-2015-7971
all versions
Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, wh
CVE-2015-7970
all versions
The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows loca
CVE-2015-7969
all versions
Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators or domains with certain permission to cause a deni
CVE-2015-7835
all versions
The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which a
CVE-2015-7814
<= 4.6.0
Race condition in the relinquish_memory function in arch/arm/domain.c in Xen 4.6.x and earlier allows local domains with partial m
CVE-2015-7813
all versions
Xen 4.4.x, 4.5.x, and 4.6.x do not limit the number of printk console messages when reporting unimplemented hypercalls, which al
CVE-2015-7311
all versions
libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which a
CVE-2015-6654
all versions
The xenmem_add_to_physmap_one function in arch/arm/mm.c in Xen 4.5.x, 4.4.x, and earlier does not limit the number of printk conso
CVE-2015-5166
<= 4.5.0
Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows loca
CVE-2015-5165
<= 4.5.0
The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote at
CVE-2015-5154
<= 4.5.0
Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive en
CVE-2015-3259
all versions
Stack-based buffer overflow in the xl command line utility in Xen 4.1.x through 4.5.x allows local guest administrators to gain pr
CVE-2015-4164
all versions
The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administ
CVE-2015-4163
all versions
GNTTABOP_swap_grant_ref in Xen 4.2 through 4.5 does not check the grant table operation version, which allows local guest domains
CVE-2015-4105
all versions
Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through error messages, which allows local x86 HVM guests to cause a de
CVE-2015-4104
all versions
Xen 3.3.x through 4.5.x does not properly restrict access to PCI MSI mask bits, which allows local x86 HVM guest users to cause a
CVE-2015-4103
all versions
Xen 3.3.x through 4.5.x does not properly restrict write access to the host MSI message data field, which allows local x86 HVM gue
CVE-2015-3456
all versions
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of
CVE-2015-3340
all versions
Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive inform
CVE-2015-0777
all versions
drivers/xen/usbback/usbback.c in linux-2.6.18-xen-3.4.0 (aka the Xen 3.4.x support patches for the Linux kernel 2.6.18), as used i
CVE-2015-2756
all versions
QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM
CVE-2015-2752
all versions
The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a PCI passthrough device, is not preemptible, which
CVE-2015-2751
all versions
Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allows remote domains with partial management control to cause a
CVE-2015-2152
<= 4.5.0
Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configu
CVE-2015-2151
all versions
The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore segment overrides for instructions with register operands, wh
CVE-2015-2150
all versions
Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly restrict access to PCI command registers, which might
CVE-2015-2045
all versions
The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not properly initialize data structures, which allows local g
CVE-2015-2044
all versions
The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x do not properly initialize data, which allows local
CVE-2015-0268
all versions
The vgic_v2_to_sgi function in arch/arm/vgic-v2.c in Xen 4.5.x, when running on ARM hardware with general interrupt controller (GI
CVE-2015-1563
all versions
The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows local guests to cause a denial of service by causing a large
CVE-2014-6268
all versions
The evtchn_fifo_set_pending function in Xen 4.4.x allows local guest users to cause a denial of service (host crash) via vectors i
CVE-2015-0361
all versions
Use-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows remote domains to cause a denial of service (system crash) via
CVE-2014-9066
<= 4.4.1
Xen 4.4.x and earlier, when using a large number of VCPUs, does not properly handle read and write locks, which allows local x86 g
CVE-2014-9065
<= 4.4.1
common/spinlock.c in Xen 4.4.x and earlier does not properly handle read and write locks, which allows local x86 guest users to ca
CVE-2014-8867
<= 3.2.0
The acceleration support for the "REP MOVS" instruction in Xen 4.4.x, 3.2.x, and earlier lacks proper bounds checking for memory
CVE-2014-8866
all versions
The compatibility mode hypercall argument translation in Xen 3.3.x through 4.4.x, when running on a 64-bit hypervisor, allows loca
CVE-2014-9030
all versions
The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remo
CVE-2014-8595
all versions
arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest use
CVE-2014-8594
all versions
The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not properly restrict updates to only PV page tables, wh
CVE-2014-5148
all versions
Xen 4.4.x, when running on an ARM system and "handling an unknown system register access from 64-bit userspace," returns to an ins
CVE-2014-7188
all versions
The hvm_msr_read_intercept function in arch/x86/hvm/hvm.c in Xen 4.1 through 4.4.x uses an improper MSR range for x2APIC emulation
CVE-2014-7156
all versions
The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 3.3.x through 4.4.x does not check the supervisor mode permi
CVE-2014-7155
<= 4.4.0
The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode pe
CVE-2014-7154
all versions
Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x does not ensure possession of the guarding lock for dirty vide
CVE-2014-5147
all versions
Xen 4.4.x, when running a 64-bit kernel on an ARM system, does not properly handle traps from the guest domain that use a differen
CVE-2014-5149
all versions
Certain MMU virtualization operations in Xen 4.2.x through 4.4.x, when using shadow pagetables, are not preemptible, which allows
CVE-2014-5146
all versions
Certain MMU virtualization operations in Xen 4.2.x through 4.4.x before the xsa97-hap patch, when using Hardware Assisted Paging (
CVE-2014-4022
all versions
The alloc_domain_struct function in arch/arm/domain.c in Xen 4.4.x, when running on an ARM platform, does not properly initialize
CVE-2014-4021
all versions
Xen 3.2.x through 4.4.x does not properly clean memory pages recovered from guests, which allows local guest OS users to obtain se
CVE-2014-3969
all versions
Xen 4.4.x, when running on an ARM system, does not properly check write permissions on virtual addresses, which allows local guest
CVE-2014-3968
all versions
The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x allows local guest HVM administrators to cause a denial of service (h
CVE-2014-3967
all versions
The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x does not properly check the return value from the IRQ setup check, wh
CVE-2014-3717
all versions
Xen 4.4.x does not properly validate the load address for 64-bit ARM guest kernels, which allows local users to read system memory
CVE-2014-3716
all versions
Xen 4.4.x does not properly check alignment, which allows local users to cause a denial of service (crash) via an unspecified fiel
CVE-2014-3715
all versions
Buffer overflow in Xen 4.4.x allows local users to read system memory or cause a denial of service (crash) via a crafted 32-bit gu
CVE-2014-3714
all versions
The ARM image loading functionality in Xen 4.4.x does not properly validate kernel length, which allows local users to read system
CVE-2014-3124
all versions
The HVMOP_set_mem_type control in Xen 4.1 through 4.4.x allows local guest HVM administrators to cause a denial of service (hyperv
CVE-2014-3125
all versions
Xen 4.4.x, when running on an ARM system, does not properly context switch the CNTKCTL_EL1 register, which allows local guest user
CVE-2014-2986
all versions
The vgic_distr_mmio_write function in the virtual guest interrupt controller (GIC) distributor (arch/arm/vgic.c) in Xen 4.4.x, whe
CVE-2014-2915
all versions
Xen 4.4.x, when running on ARM systems, does not properly restrict access to hardware features, which allows local guest users to
CVE-2014-2580
all versions
The netback driver in Xen, when using certain Linux versions that do not allow sleeping in softirq context, allows local guest adm
CVE-2014-1896
all versions
The (1) do_send and (2) do_recv functions in io.c in libvchan in Xen 4.2.x, 4.3.x, and 4.4-RC series allows local guests to cause
CVE-2014-1895
all versions
Off-by-one error in the flask_security_avc_cachestats function in xsm/flask/flask_op.c in Xen 4.2.x and 4.3.x, when the maximum nu
CVE-2014-1894
<= 3.2.3
Multiple integer overflows in unspecified suboperations in the flask hypercall in Xen 3.2.x and earlier, when XSM is enabled, allo
CVE-2014-1893
<= 4.1.6.1
Multiple integer overflows in the (1) FLASK_GETBOOL and (2) FLASK_SETBOOL suboperations in the flask hypercall in Xen 4.1.x, 3.3.x
CVE-2014-1892
all versions
Xen 3.3 through 4.1, when XSM is enabled, allows local users to cause a denial of service via vectors related to a "large memory a
CVE-2014-1891
<= 4.3.0
Multiple integer overflows in the (1) FLASK_GETBOOL, (2) FLASK_SETBOOL, (3) FLASK_USER, and (4) FLASK_CONTEXT_TO_SID suboperations
CVE-2011-3346
all versions
Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with
CVE-2014-2599
all versions
The HVMOP_set_mem_access HVM control operations in Xen 4.1.x for 32-bit and 4.1.x through 4.4.x for 64-bit allow local guest admin
CVE-2014-1950
all versions
Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen 4.1.x through 4.3.x, when using a multithreaded toolstack,
CVE-2014-1666
all versions
The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYS
CVE-2014-1642
all versions
The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough and configured to support a large number of CPUs, frees certai
CVE-2013-4375
all versions
The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guest
CVE-2011-1936
all versions
Xen, when using x86 Intel processors and the VMX virtualization extension is enabled, does not properly handle cpuid instruction e
CVE-2011-1780
all versions
The instruction emulation in Xen 3.0.3 allows local SMP guest users to cause a denial of service (host crash) by replacing the ins
CVE-2011-1763
all versions
The get_free_port function in Xen allows local authenticated DomU users to cause a denial of service or possibly gain privileges v
CVE-2011-1166
<= 4.0.1
Xen, possibly before 4.0.2, allows local 64-bit PV guests to cause a denial of service (host crash) by specifying user mode execut
CVE-2011-2519
< 3.3.0
Xen in the Linux kernel, when running a guest on a host without hardware assisted paging (HAP), allows guest users to cause a deni
CVE-2013-4554
all versions
Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to
CVE-2013-4553
all versions
The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_
CVE-2013-6400
all versions
Xen 4.2.x and 4.3.x, when using Intel VT-d and a PCI device has been assigned, does not clear the flag that suppresses IOMMU TLB f
CVE-2013-6375
all versions
Xen 4.2.x and 4.3.x, when using Intel VT-d for PCI passthrough, does not properly flush the TLB after clearing a present translati
CVE-2013-4551
all versions
Xen 4.2.x and 4.3.x, when nested virtualization is disabled, does not properly check the emulation paths for (1) VMLAUNCH and (2)
CVE-2013-4416
all versions
The Ocaml xenstored implementation (oxenstored) in Xen 4.1.x, 4.2.x, and 4.3.x allows local guest domains to cause a denial of ser
CVE-2013-4494
>= 4.1.0 and <= 4.1.6.1
Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local gu
CVE-2013-4371
all versions
Use-after-free vulnerability in the libxl_list_cpupool function in the libxl toolstack library in Xen 4.2.x and 4.3.x, when runnin
CVE-2013-4370
all versions
The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x and 4.3.x frees certain memory that may still be intended for
CVE-2013-4369
all versions
The xlu_vif_parse_rate function in the libxlu library in Xen 4.2.x and 4.3.x allows local users to cause a denial of service (NULL
CVE-2013-4368
<= 4.3.0
The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitiali
CVE-2013-4356
all versions
Xen 4.3.x writes hypervisor mappings to certain shadow pagetables when live migration is performed on hosts with more than 5TB of
CVE-2013-4361
all versions
The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, whic
CVE-2013-4355
<= 4.3.0
Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via
CVE-2011-2901
<= 3.3.0
Off-by-one error in the __addr_ok macro in Xen 3.3 and earlier allows local 64 bit PV guest administrators to cause a denial of se
CVE-2013-1442
all versions
Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAV
CVE-2013-4329
all versions
The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is disabled, provides access to a busmastering-capable PCI pas
CVE-2013-3495
all versions
The Intel VT-d Interrupt Remapping engine in Xen 3.3.x through 4.3.x allows local guests to cause a denial of service (kernel pani
CVE-2013-2212
all versions
The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling caches, allows local HVM guests with access to memory mapped I
CVE-2013-2211
all versions
The libxenlight (libxl) toolstack library in Xen 4.0.x, 4.1.x, and 4.2.x uses weak permissions for xenstore keys for paravirtualis
CVE-2013-2077
all versions
Xen 4.0.x, 4.1.x, and 4.2.x does not properly restrict the contents of a XRSTOR, which allows local PV guest users to cause a deni
CVE-2013-2076
all versions
Xen 4.0.x, 4.1.x, and 4.2.x, when running on AMD64 processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXR
CVE-2013-2072
all versions
Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators
CVE-2013-1432
all versions
Xen 4.1.x and 4.2.x, when the XSA-45 patch is in place, does not properly maintain references on pages stored for deferred cleanup
CVE-2013-2196
<= 4.2.2
Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with cer
CVE-2013-2195
<= 4.2.2
The Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified
CVE-2013-2194
<= 4.2.2
Multiple integer overflows in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permi
CVE-2013-2078
all versions
Xen 4.0.2 through 4.0.4, 4.1.x, and 4.2.x allows local PV guest users to cause a denial of service (hypervisor crash) via certain
CVE-2013-1964
all versions
Xen 4.0.x and 4.1.x incorrectly releases a grant reference when releasing a non-v1, non-transitive grant, which allows local guest
CVE-2013-1952
all versions
Xen 4.x, when using Intel VT-d for a bus mastering capable PCI device, does not properly check the source when accessing a bridge
CVE-2013-1922
all versions
qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk image based on the header, which allows local guest OS
CVE-2013-1919
all versions
Xen 4.2.x and 4.1.x does not properly restrict access to IRQs, which allows local stub domain clients to gain access to IRQs and c
CVE-2013-1918
all versions
Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to
CVE-2013-1917
all versions
Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instr
CVE-2013-1920
all versions
Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running "under memory pressure" and the Xen Security Module (XSM) is enabled
CVE-2013-0215
all versions
oxenstored in Xen 4.1.x, Xen 4.2.x, and xen-unstable does not properly consider the state of the Xenstore ring during read operati
CVE-2013-0151
all versions
The do_hvm_op function in xen/arch/x86/hvm/hvm.c in Xen 4.2.x on the x86_32 platform does not prevent HVM_PARAM_NESTEDHVM (aka nes
CVE-2013-0153
all versions
The AMD IOMMU support in Xen 4.2.x, 4.1.x, 3.3, and other versions, when using AMD-Vi for PCI passthrough, uses the same interrupt
CVE-2012-5634
all versions
Xen 4.2.x, 4.1.x, and 4.0, when using Intel VT-d for PCI passthrough, does not properly configure VT-d when supporting a device th
CVE-2013-0231
all versions
The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux k
CVE-2013-0152
all versions
Memory leak in Xen 4.2 and unstable allows local HVM guests to cause a denial of service (host memory consumption) by performing n
CVE-2013-0154
all versions
The get_page_type function in xen/arch/x86/mm.c in Xen 4.2, when debugging is enabled, allows local PV or HVM guest administrators
CVE-2012-6333
all versions
Multiple HVM control operations in Xen 3.4 through 4.2 allow local HVM guest OS administrators to cause a denial of service (physi
CVE-2012-5525
all versions
The get_page_from_gfn hypercall function in Xen 4.2 allows local PV guest OS administrators to cause a denial of service (crash) v
CVE-2012-5515
<= 4.2.0
The (1) XENMEM_decrease_reservation, (2) XENMEM_populate_physmap, and (3) XENMEM_exchange hypercalls in Xen 4.2 and earlier allow
CVE-2012-5514
<= 4.2.0
The guest_physmap_mark_populate_on_demand function in Xen 4.2 and earlier does not properly unlock the subject GFNs when checking
CVE-2012-5513
<= 4.2.0
The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS admi
CVE-2012-5511
all versions
Stack-based buffer overflow in the dirty video RAM tracking functionality in Xen 3.4 through 4.1 allows local HVM guest OS adminis
CVE-2012-5510
all versions
Xen 4.x, when downgrading the grant table version, does not properly remove the status page from the tracking list when freeing th
CVE-2011-3131
<= 4.1.1
Xen 4.1.1 and earlier allows local guest OS kernels with control of a PCI[E] device to cause a denial of service (CPU consumption
CVE-2012-3432
all versions
The handle_mmio function in arch/x86/hvm/io.c in the MMIO operations emulator for Xen 3.3 and 4.x, when running an HVM guest, does
CVE-2012-2934
all versions
Xen 4.0, and 4.1, when running a 64-bit PV guest on "older" AMD CPUs, does not properly protect against a certain AMD processor bu
CVE-2012-0218
all versions
Xen 3.4, 4.0, and 4.1, when the guest OS has not registered a handler for a syscall or sysenter instruction, does not properly cle
CVE-2012-4538
all versions
The HVMOP_pagetable_dying hypercall in Xen 4.0, 4.1, and 4.2 does not properly check the pagetable state when running on shadow pa
CVE-2012-3433
all versions
Xen 4.0 and 4.1 allows local HVM guest OS kernels to cause a denial of service (domain 0 VCPU hang and kernel panic) by modifying
CVE-2012-6036
all versions
The (1) memc_save_get_next_page, (2) tmemc_restore_put_page and (3) tmemc_restore_flush_page functions in the Transcendent Memory
CVE-2012-6035
all versions
The do_tmem_destroy_pool function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly validate pool ids,
CVE-2012-6034
all versions
The (1) tmemc_save_get_next_page and (2) tmemc_save_get_next_inv functions and the (3) TMEMC_SAVE_GET_POOL_UUID sub-operation in t
CVE-2012-6033
all versions
The do_tmem_control function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly check privileges, which
CVE-2012-6032
all versions
Multiple integer overflows in the (1) tmh_copy_from_client and (2) tmh_copy_to_client functions in the Transcendent Memory (TMEM)
CVE-2012-6031
all versions
The do_tmem_get function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial o
CVE-2012-6030
all versions
The do_tmem_op function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of
CVE-2012-4411
all versions
The graphical console in Xen 4.0, 4.1 and 4.2 allows local OS guest administrators to obtain sensitive host resource information v
CVE-2012-3516
all versions
The GNTTABOP_swap_grant_ref sub-operation in the grant table hypercall in Xen 4.2 and Citrix XenServer 6.0.2 allows local guest ke
CVE-2012-3515
all versions
Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows l
CVE-2012-3498
all versions
PHYSDEVOP_map_pirq in Xen 4.1 and 4.2 and Citrix XenServer 6.0.2 and earlier allows local HVM guest OS kernels to cause a denial o
CVE-2012-3497
all versions
(1) TMEMC_SAVE_GET_CLIENT_WEIGHT, (2) TMEMC_SAVE_GET_CLIENT_CAP, (3) TMEMC_SAVE_GET_CLIENT_FLAGS and (4) TMEMC_SAVE_END in the Tra
CVE-2012-3496
all versions
XENMEM_populate_physmap in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when translating paging mode is not used
CVE-2012-3495
all versions
The physdev_get_free_pirq hypercall in arch/x86/physdev.c in Xen 4.1.x and Citrix XenServer 6.0.2 and earlier uses the return valu
CVE-2012-3494
all versions
The set_debugreg hypercall in include/asm-x86/debugreg.h in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when ru
CVE-2012-4539
all versions
Xen 4.0 through 4.2, when running 32-bit x86 PV guests on 64-bit hypervisors, allows local guest OS administrators to cause a deni
CVE-2012-4537
all versions
Xen 3.4 through 4.2, and possibly earlier versions, does not properly synchronize the p2m and m2p tables when the set_p2m_entry fu
CVE-2012-4536
all versions
The (1) domain_pirq_to_emuirq and (2) physdev_unmap_pirq functions in Xen 2.2 allows local guest OS administrators to cause a deni
CVE-2012-4535
all versions
Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial of service (Xen infinit
CVE-2012-4544
<= 4.2.0
The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompres
CVE-2012-2625
< 25589:60f09d1ab1fe
The PyGrub boot loader in Xen unstable before changeset 25589:60f09d1ab1fe, 4.2.x, and 4.1.x allows local para-virtualized guest u
CVE-2012-0217
<= 4.1.2
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other prod
CVE-2011-3262
all versions
tools/libxc/xc_dom_bzimageloader.c in Xen 3.2, 3.3, 4.0, and 4.1 allows local users to cause a denial of service (management softw
CVE-2011-1898
all versions
Xen 4.1 before 4.1.1 and 4.0 before 4.0.2, when using PCI passthrough on Intel VT-d chipsets that do not have interrupt remapping,
CVE-2011-1583
all versions
Multiple integer overflows in tools/libxc/xc_dom_bzimageloader.c in Xen 3.2, 3.3, 4.0, and 4.1 allow local users to cause a denial
CVE-2010-4255
<= 4.0.1
The fixup_page_fault function in arch/x86/traps.c in Xen 4.0.1 and earlier on 64-bit platforms, when paravirtualization is enabled
CVE-2010-4238
all versions
The vbd_create function in Xen 3.1.2, when the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 is used, allows guest OS u
CVE-2010-4247
<= 3.3.2
The do_block_io_op function in (1) drivers/xen/blkback/blkback.c and (2) drivers/xen/blktap/blktap.c in Xen before 3.4.0 for the L
CVE-2010-3699
all versions
The backend driver in Xen 3.x allows guest OS users to cause a denial of service via a kernel thread leak, which prevents the devi
CVE-2010-2070
all versions
arch/ia64/xen/faults.c in Xen 3.4 and 4.0 in Linux kernel 2.6.18, and possibly other kernel versions, when running on IA-64 archit
CVE-2009-3525
all versions
The pyGrub boot loader in Xen 3.0.3, 3.3.0, and Xen-3.3.1 does not support the password option in grub.conf for para-virtualized g
CVE-2009-1758
<= 3.3.1
The hypervisor_callback function in Xen, possibly before 3.4.0, as applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably ot
CVE-2008-5716
all versions
xend in Xen 3.3.0 does not properly restrict a guest VM's write access within the /local/domain xenstore directory tree, which all
CVE-2008-4993
all versions
qemu-dm.debug in Xen 3.2.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/args temporary file.
CVE-2008-4405
all versions
xend in Xen 3.0.3 does not properly limit the contents of the /local/domain xenstore directory tree, and does not properly restric
CVE-2008-3687
all versions
Heap-based buffer overflow in the flask_security_label function in Xen 3.3, when compiled with the XSM:FLASK module, allows unpriv
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin