CVE-2022-26362

{"id": "CVE-2022-26362", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.5}]}, "published": "2022-06-09T17:15:08.957", "references": [{"url": "http://packetstormsecurity.com/files/167718/Xen-TLB-Flush-Bypass.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security@xen.org"}, {"url": "http://www.openwall.com/lists/oss-security/2022/06/09/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@xen.org"}, {"url": "http://xenbits.xen.org/xsa/advisory-401.html", "tags": ["Patch", "Vendor Advisory"], "source": "security@xen.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OH65U6FTTB5MLH5A6Q3TW7KVCGOG4MYI/", "source": "security@xen.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/", "source": "security@xen.org"}, {"url": "https://security.gentoo.org/glsa/202208-23", "tags": ["Third Party Advisory"], "source": "security@xen.org"}, {"url": "https://www.debian.org/security/2022/dsa-5184", "tags": ["Third Party Advisory"], "source": "security@xen.org"}, {"url": "https://xenbits.xenproject.org/xsa/advisory-401.txt", "tags": ["Vendor Advisory"], "source": "security@xen.org"}, {"url": "http://packetstormsecurity.com/files/167718/Xen-TLB-Flush-Bypass.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2022/06/09/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://xenbits.xen.org/xsa/advisory-401.html", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OH65U6FTTB5MLH5A6Q3TW7KVCGOG4MYI/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202208-23", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2022/dsa-5184", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://xenbits.xenproject.org/xsa/advisory-401.txt", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited."}, {"lang": "es", "value": "x86 pv: Una condici\u00f3n de carrera en la adquisici\u00f3n de typeref Xen mantiene un recuento de referencias de tipo para las p\u00e1ginas, adem\u00e1s de un recuento de referencias regular. Este esquema es usado para mantener invariantes requeridos para la seguridad de Xen, por ejemplo, los hu\u00e9spedes PV no pueden tener acceso directo de escritura a las tablas de p\u00e1ginas; las actualizaciones necesitan ser auditadas por Xen. Desafortunadamente, la l\u00f3gica para adquirir una referencia de tipo presenta una condici\u00f3n de carrera, por la cual un vaciado seguro de la TLB es emitido demasiado pronto y crea una ventana donde el hu\u00e9sped puede restablecer el mapeo de lectura/escritura antes de que sea prohibida la escritura"}], "lastModified": "2024-11-21T06:53:49.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*", "vulnerable": true, "matchCriteriaId": "EF4E17C2-244F-4E5A-A5F8-4626CD1AC11A"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "security@xen.org"}