CVE-2023-34326 - Vulnerability Details - OpenCVE

The caching invalidation guidelines from the AMD-Vi specification (48882—Rev
3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction
(see stale DMA mappings) if some fields of the DTE are updated but the IOMMU
TLB is not flushed.

Such stale DMA mappings can point to memory ranges not owned by the guest, thus
allowing access to unindented memory regions.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00066.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Xen	Xen

Configuration 1 [-]

cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-38407	The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unindented memory regions.

Fixes

Solution

No solution given by the vendor.

Workaround

Not passing through physical devices to guests will avoid the vulnerability.

References

Link	Providers
http://xenbits.xen.org/xsa/advisory-442.html
https://xenbits.xenproject.org/xsa/advisory-442.html

History

Tue, 04 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		http://xenbits.xen.org/xsa/advisory-442.html

Wed, 18 Jun 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-672
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: XEN

Published: 2024-01-05T16:30:57.225Z

Updated: 2025-11-04T19:16:39.858Z

Reserved: 2023-06-01T10:44:17.065Z

Link: CVE-2023-34326

Vulnrichment

Updated: 2024-08-02T16:10:06.955Z

NVD

Status : Modified

Published: 2024-01-05T17:15:08.637

Modified: 2025-11-04T20:16:31.033

Link: CVE-2023-34326

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-34326", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "state": "PUBLISHED", "assignerShortName": "XEN", "dateReserved": "2023-06-01T10:44:17.065Z", "datePublished": "2024-01-05T16:30:57.225Z", "dateUpdated": "2025-11-04T19:16:39.858Z"}, "containers": {"cna": {"title": "x86/AMD: missing IOMMU TLB flushing", "datePublic": "2023-10-10T11:26:00.000Z", "descriptions": [{"lang": "en", "value": "The caching invalidation guidelines from the AMD-Vi specification (48882\u2014Rev\n3.07-PUB\u2014Oct 2022) is incorrect on some hardware, as devices will malfunction\n(see stale DMA mappings) if some fields of the DTE are updated but the IOMMU\nTLB is not flushed.\n\nSuch stale DMA mappings can point to memory ranges not owned by the guest, thus\nallowing access to unindented memory regions.\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks.\n"}]}], "affected": [{"defaultStatus": "unknown", "product": "Xen", "vendor": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-442"}]}], "configurations": [{"lang": "en", "value": "All Xen versions supporting PCI passthrough are affected.\n\nOnly x86 AMD systems with IOMMU hardware are vulnerable.\n\nOnly x86 guests which have physical devices passed through to them can\nleverage the vulnerability.\n"}], "workarounds": [{"lang": "en", "value": "Not passing through physical devices to guests will avoid the vulnerability.\n"}], "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer.\n"}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-442.html"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-01-05T16:30:57.225Z"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-442.html", "tags": ["x_transferred"]}, {"url": "http://xenbits.xen.org/xsa/advisory-442.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T19:16:39.858Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-672", "lang": "en", "description": "CWE-672 Operation on a Resource after Expiration or Release"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-03-14T20:27:29.871651Z", "id": "CVE-2023-34326", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-18T15:48:27.234Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-442.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:06.955Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-34326", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-14T20:27:29.871651Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-672", "description": "CWE-672 Operation on a Resource after Expiration or Release"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-18T15:47:52.296Z"}}], "cna": {"title": "x86/AMD: missing IOMMU TLB flushing", "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer.\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks.\n"}]}], "affected": [{"vendor": "Xen", "product": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-442"}], "defaultStatus": "unknown"}], "datePublic": "2023-10-10T11:26:00.000Z", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-442.html"}], "workarounds": [{"lang": "en", "value": "Not passing through physical devices to guests will avoid the vulnerability.\n"}], "descriptions": [{"lang": "en", "value": "The caching invalidation guidelines from the AMD-Vi specification (48882\u2014Rev\n3.07-PUB\u2014Oct 2022) is incorrect on some hardware, as devices will malfunction\n(see stale DMA mappings) if some fields of the DTE are updated but the IOMMU\nTLB is not flushed.\n\nSuch stale DMA mappings can point to memory ranges not owned by the guest, thus\nallowing access to unindented memory regions.\n"}], "configurations": [{"lang": "en", "value": "All Xen versions supporting PCI passthrough are affected.\n\nOnly x86 AMD systems with IOMMU hardware are vulnerable.\n\nOnly x86 guests which have physical devices passed through to them can\nleverage the vulnerability.\n"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-01-05T16:30:57.225Z"}}}, "cveMetadata": {"cveId": "CVE-2023-34326", "state": "PUBLISHED", "dateUpdated": "2025-06-18T15:48:27.234Z", "dateReserved": "2023-06-01T10:44:17.065Z", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "datePublished": "2024-01-05T16:30:57.225Z", "assignerShortName": "XEN"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*", "matchCriteriaId": "C2B9CCC2-BAC5-4A65-B8D4-4B71EBBA0C2F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The caching invalidation guidelines from the AMD-Vi specification (48882\u2014Rev\n3.07-PUB\u2014Oct 2022) is incorrect on some hardware, as devices will malfunction\n(see stale DMA mappings) if some fields of the DTE are updated but the IOMMU\nTLB is not flushed.\n\nSuch stale DMA mappings can point to memory ranges not owned by the guest, thus\nallowing access to unindented memory regions.\n"}, {"lang": "es", "value": "Las pautas de invalidaci\u00f3n de almacenamiento en cach\u00e9 de la especificaci\u00f3n AMD-Vi (48882\u2014Rev 3.07-PUB\u2014octubre de 2022) son incorrectas en algunos hardware, ya que los dispositivos funcionar\u00e1n mal (consulte las asignaciones de DMA obsoletas) si algunos campos del DTE se actualizan pero el IOMMU TLB no est\u00e1 eliminado. Estas asignaciones de DMA obsoletas pueden apuntar a rangos de memoria que no pertenecen al hu\u00e9sped, lo que permite el acceso a regiones de memoria sin sangr\u00eda."}], "id": "CVE-2023-34326", "lastModified": "2025-11-04T20:16:31.033", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-01-05T17:15:08.637", "references": [{"source": "security@xen.org", "tags": ["Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-442.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://xenbits.xen.org/xsa/advisory-442.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-442.html"}], "sourceIdentifier": "security@xen.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-672"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}