{"containers": {"cna": {"affected": [{"product": "xen", "vendor": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-401"}]}], "credits": [{"lang": "en", "value": "{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Jann Horn of Google Project Zero.'}]}}}"}], "descriptions": [{"lang": "en", "value": "x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited."}], "metrics": [{"other": {"content": {"description": {"description_data": [{"lang": "eng", "value": "Malicious x86 PV guest administrators may be able to escalate privilege\nso as to control the whole system."}]}}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"description": "unknown", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-14T20:11:19.000Z", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://xenbits.xenproject.org/xsa/advisory-401.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://xenbits.xen.org/xsa/advisory-401.html"}, {"name": "[oss-security] 20220609 Xen Security Advisory 401 v2 (CVE-2022-26362) - x86 pv: Race condition in typeref acquisition", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/06/09/3"}, {"name": "FEDORA-2022-0142d562ca", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OH65U6FTTB5MLH5A6Q3TW7KVCGOG4MYI/"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/167718/Xen-TLB-Flush-Bypass.html"}, {"name": "DSA-5184", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5184"}, {"name": "FEDORA-2022-2c9f8224f8", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/"}, {"name": "GLSA-202208-23", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-23"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@xen.org", "ID": "CVE-2022-26362", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "xen", "version": {"version_data": [{"version_affected": "?", "version_value": "consult Xen advisory XSA-401"}]}}]}, "vendor_name": "Xen"}]}}, "configuration": {"configuration_data": {"description": {"description_data": [{"lang": "eng", "value": "All versions of Xen are vulnerable.\n\nOnly x86 PV guests can trigger this vulnerability.\n\nTo exploit the vulnerability, there needs to be an undue delay at just\nthe wrong moment in _get_page_type(). The degree to which an x86 PV\nguest can practically control this race condition is unknown."}]}}}, "credit": {"credit_data": {"description": {"description_data": [{"lang": "eng", "value": "This issue was discovered by Jann Horn of Google Project Zero."}]}}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited."}]}, "impact": {"impact_data": {"description": {"description_data": [{"lang": "eng", "value": "Malicious x86 PV guest administrators may be able to escalate privilege\nso as to control the whole system."}]}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "unknown"}]}]}, "references": {"reference_data": [{"name": "https://xenbits.xenproject.org/xsa/advisory-401.txt", "refsource": "MISC", "url": "https://xenbits.xenproject.org/xsa/advisory-401.txt"}, {"name": "http://xenbits.xen.org/xsa/advisory-401.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-401.html"}, {"name": "[oss-security] 20220609 Xen Security Advisory 401 v2 (CVE-2022-26362) - x86 pv: Race condition in typeref acquisition", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/06/09/3"}, {"name": "FEDORA-2022-0142d562ca", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OH65U6FTTB5MLH5A6Q3TW7KVCGOG4MYI/"}, {"name": "http://packetstormsecurity.com/files/167718/Xen-TLB-Flush-Bypass.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/167718/Xen-TLB-Flush-Bypass.html"}, {"name": "DSA-5184", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5184"}, {"name": "FEDORA-2022-2c9f8224f8", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/"}, {"name": "GLSA-202208-23", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-23"}]}, "workaround": {"workaround_data": {"description": {"description_data": [{"lang": "eng", "value": "Not running x86 PV guests will avoid the vulnerability."}]}}}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:03:32.792Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://xenbits.xenproject.org/xsa/advisory-401.txt"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://xenbits.xen.org/xsa/advisory-401.html"}, {"name": "[oss-security] 20220609 Xen Security Advisory 401 v2 (CVE-2022-26362) - x86 pv: Race condition in typeref acquisition", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/06/09/3"}, {"name": "FEDORA-2022-0142d562ca", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OH65U6FTTB5MLH5A6Q3TW7KVCGOG4MYI/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/167718/Xen-TLB-Flush-Bypass.html"}, {"name": "DSA-5184", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5184"}, {"name": "FEDORA-2022-2c9f8224f8", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/"}, {"name": "GLSA-202208-23", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-23"}]}]}, "cveMetadata": {"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2022-26362", "datePublished": "2022-06-09T12:50:19.000Z", "dateReserved": "2022-03-02T00:00:00.000Z", "dateUpdated": "2024-08-03T05:03:32.792Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*", "matchCriteriaId": "EF4E17C2-244F-4E5A-A5F8-4626CD1AC11A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited."}, {"lang": "es", "value": "x86 pv: Una condici\u00f3n de carrera en la adquisici\u00f3n de typeref Xen mantiene un recuento de referencias de tipo para las p\u00e1ginas, adem\u00e1s de un recuento de referencias regular. Este esquema es usado para mantener invariantes requeridos para la seguridad de Xen, por ejemplo, los hu\u00e9spedes PV no pueden tener acceso directo de escritura a las tablas de p\u00e1ginas; las actualizaciones necesitan ser auditadas por Xen. Desafortunadamente, la l\u00f3gica para adquirir una referencia de tipo presenta una condici\u00f3n de carrera, por la cual un vaciado seguro de la TLB es emitido demasiado pronto y crea una ventana donde el hu\u00e9sped puede restablecer el mapeo de lectura/escritura antes de que sea prohibida la escritura"}], "id": "CVE-2022-26362", "lastModified": "2024-11-21T06:53:49.957", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-09T17:15:08.957", "references": [{"source": "security@xen.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/167718/Xen-TLB-Flush-Bypass.html"}, {"source": "security@xen.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/06/09/3"}, {"source": "security@xen.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://xenbits.xen.org/xsa/advisory-401.html"}, {"source": "security@xen.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OH65U6FTTB5MLH5A6Q3TW7KVCGOG4MYI/"}, {"source": "security@xen.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/"}, {"source": "security@xen.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-23"}, {"source": "security@xen.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5184"}, {"source": "security@xen.org", "tags": ["Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-401.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/167718/Xen-TLB-Flush-Bypass.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/06/09/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://xenbits.xen.org/xsa/advisory-401.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OH65U6FTTB5MLH5A6Q3TW7KVCGOG4MYI/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-23"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5184"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-401.txt"}], "sourceIdentifier": "security@xen.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}