{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34322", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "state": "PUBLISHED", "assignerShortName": "XEN", "dateReserved": "2023-06-01T10:44:17.065Z", "datePublished": "2024-01-05T16:18:01.363Z", "dateUpdated": "2025-06-16T18:28:59.286Z"}, "containers": {"cna": {"title": "top-level shadow reference dropped too early for 64-bit PV guests", "datePublic": "2023-09-19T12:00:00.000Z", "descriptions": [{"lang": "en", "value": "For migration as well as to work around kernels unaware of L1TF (see\nXSA-273), PV guests may be run in shadow paging mode. Since Xen itself\nneeds to be mapped when PV guests run, Xen and shadowed PV guests run\ndirectly the respective shadow page tables. For 64-bit PV guests this\nmeans running on the shadow of the guest root page table.\n\nIn the course of dealing with shortage of memory in the shadow pool\nassociated with a domain, shadows of page tables may be torn down. This\ntearing down may include the shadow root page table that the CPU in\nquestion is presently running on. While a precaution exists to\nsupposedly prevent the tearing down of the underlying live page table,\nthe time window covered by that precaution isn't large enough.\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks all cannot be ruled out.\n"}]}], "affected": [{"defaultStatus": "unknown", "product": "Xen", "vendor": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-438"}]}], "configurations": [{"lang": "en", "value": "All Xen versions from at least 3.2 onwards are vulnerable. Earlier\nversions have not been inspected.\n\nOnly x86 systems are vulnerable. Only 64-bit PV guests can leverage the\nvulnerability, and only when running in shadow mode. Shadow mode would\nbe in use when migrating guests or as a workaround for XSA-273 (L1TF).\n"}], "workarounds": [{"lang": "en", "value": "Running only HVM or PVH guests will avoid the vulnerability.\n\nRunning PV guests in the PV shim will also avoid the vulnerability.\n"}], "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Tim Deegan, and Jan Beulich of SUSE.\n"}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-438.html"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-01-05T16:18:01.363Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:06.455Z"}, "title": "CVE Program Container", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-438.html", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-273", "lang": "en", "description": "CWE-273 Improper Check for Dropped Privileges"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-27T15:50:09.329667Z", "id": "CVE-2023-34322", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-16T18:28:59.286Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-438.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:06.455Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-34322", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-27T15:50:09.329667Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-273", "description": "CWE-273 Improper Check for Dropped Privileges"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-27T15:51:03.882Z"}}], "cna": {"title": "top-level shadow reference dropped too early for 64-bit PV guests", "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Tim Deegan, and Jan Beulich of SUSE.\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks all cannot be ruled out.\n"}]}], "affected": [{"vendor": "Xen", "product": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-438"}], "defaultStatus": "unknown"}], "datePublic": "2023-09-19T12:00:00.000Z", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-438.html"}], "workarounds": [{"lang": "en", "value": "Running only HVM or PVH guests will avoid the vulnerability.\n\nRunning PV guests in the PV shim will also avoid the vulnerability.\n"}], "descriptions": [{"lang": "en", "value": "For migration as well as to work around kernels unaware of L1TF (see\nXSA-273), PV guests may be run in shadow paging mode. Since Xen itself\nneeds to be mapped when PV guests run, Xen and shadowed PV guests run\ndirectly the respective shadow page tables. For 64-bit PV guests this\nmeans running on the shadow of the guest root page table.\n\nIn the course of dealing with shortage of memory in the shadow pool\nassociated with a domain, shadows of page tables may be torn down. This\ntearing down may include the shadow root page table that the CPU in\nquestion is presently running on. While a precaution exists to\nsupposedly prevent the tearing down of the underlying live page table,\nthe time window covered by that precaution isn't large enough.\n"}], "configurations": [{"lang": "en", "value": "All Xen versions from at least 3.2 onwards are vulnerable. Earlier\nversions have not been inspected.\n\nOnly x86 systems are vulnerable. Only 64-bit PV guests can leverage the\nvulnerability, and only when running in shadow mode. Shadow mode would\nbe in use when migrating guests or as a workaround for XSA-273 (L1TF).\n"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-01-05T16:18:01.363Z"}}}, "cveMetadata": {"cveId": "CVE-2023-34322", "state": "PUBLISHED", "dateUpdated": "2025-06-16T18:28:59.286Z", "dateReserved": "2023-06-01T10:44:17.065Z", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "datePublished": "2024-01-05T16:18:01.363Z", "assignerShortName": "XEN"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*", "matchCriteriaId": "4E4B3C8C-CD2C-4F4F-8F8F-8E1B769333E7", "versionEndExcluding": "4.15.0", "versionStartIncluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "For migration as well as to work around kernels unaware of L1TF (see\nXSA-273), PV guests may be run in shadow paging mode. Since Xen itself\nneeds to be mapped when PV guests run, Xen and shadowed PV guests run\ndirectly the respective shadow page tables. For 64-bit PV guests this\nmeans running on the shadow of the guest root page table.\n\nIn the course of dealing with shortage of memory in the shadow pool\nassociated with a domain, shadows of page tables may be torn down. This\ntearing down may include the shadow root page table that the CPU in\nquestion is presently running on. While a precaution exists to\nsupposedly prevent the tearing down of the underlying live page table,\nthe time window covered by that precaution isn't large enough.\n"}, {"lang": "es", "value": "Para la migraci\u00f3n, as\u00ed como para evitar kernels que no conocen L1TF (consulte XSA-273), los invitados PV pueden ejecutarse en modo de p\u00e1gina oculta. Dado que el propio Xen debe mapearse cuando se ejecutan las maquinas PV de invitado, Xen y las shadowed PV de invitado ejecutan directamente las respectivas tablas de p\u00e1ginas ocultas. Para invitados PV de 64 bits, esto significa ejecutar en la shadow de la tabla de p\u00e1gina ra\u00edz del invitado. Al tratar con la escasez de memoria en el shadow pool asociado con un dominio, es posible que se eliminen las tablas de p\u00e1ginas de shadows. Esta eliminaci\u00f3n puede incluir la shadow de la tabla de p\u00e1gina ra\u00edz en la que se est\u00e1 ejecutando actualmente la CPU en cuesti\u00f3n. Si bien existe una precauci\u00f3n para supuestamente evitar la eliminaci\u00f3n de la tabla de las p\u00e1ginas activas subyacente, el per\u00edodo de tiempo cubierto por esa precauci\u00f3n no es lo suficientemente grande."}], "id": "CVE-2023-34322", "lastModified": "2025-06-16T19:15:22.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-01-05T17:15:08.447", "references": [{"source": "security@xen.org", "tags": ["Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-438.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-438.html"}], "sourceIdentifier": "security@xen.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-273"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-273"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{}