Improper Privilege Management Affecting xen package, versions <4.14.3+32-g9de3671772-1~deb11u1


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.24% (65th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Privilege Management vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN11-XEN-1728368
  • published6 Oct 2021
  • disclosed6 Oct 2021

Introduced: 6 Oct 2021

CVE-2021-28702  (opens in a new tab)
CWE-269  (opens in a new tab)

How to fix?

Upgrade Debian:11 xen to version 4.14.3+32-g9de3671772-1~deb11u1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream xen package and not the xen package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

PCI devices with RMRRs not deassigned correctly Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR"). These are typically used for platform tasks such as legacy USB emulation. If such a device is passed through to a guest, then on guest shutdown the device is not properly deassigned. The IOMMU configuration for these devices which are not properly deassigned ends up pointing to a freed data structure, including the IO Pagetables. Subsequent DMA or interrupts from the device will have unpredictable behaviour, ranging from IOMMU faults to memory corruption.

CVSS Scores

version 3.1