CVE-2023-46835 - Vulnerability Details - OpenCVE

The current setup of the quarantine page tables assumes that the
quarantine domain (dom_io) has been initialized with an address width
of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.

However dom_io being a PV domain gets the AMD-Vi IOMMU page tables
levels based on the maximum (hot pluggable) RAM address, and hence on
systems with no RAM above the 512GB mark only 3 page-table levels are
configured in the IOMMU.

On systems without RAM above the 512GB boundary
amd_iommu_quarantine_init() will setup page tables for the scratch
page with 4 levels, while the IOMMU will be configured to use 3 levels
only, resulting in the last page table directory (PDE) effectively
becoming a page table entry (PTE), and hence a device in quarantine
mode gaining write access to the page destined to be a PDE.

Due to this page table level mismatch, the sink page the device gets
read/write access to is no longer cleared between device assignment,
possibly leading to data leaks.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00075.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Xen	Xen

Configuration 1 [-]

cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*

No data.

No data.

References

Link	Providers
https://xenbits.xenproject.org/xsa/advisory-445.html

History

Tue, 17 Jun 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-787
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: XEN

Published: 2024-01-05T16:34:49.531Z

Updated: 2025-06-17T16:11:08.422Z

Reserved: 2023-10-27T07:55:35.331Z

Link: CVE-2023-46835

Vulnrichment

Updated: 2024-08-02T20:53:21.879Z

NVD

Status : Modified

Published: 2024-01-05T17:15:11.147

Modified: 2025-06-17T16:15:23.800

Link: CVE-2023-46835

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46835", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "state": "PUBLISHED", "assignerShortName": "XEN", "dateReserved": "2023-10-27T07:55:35.331Z", "datePublished": "2024-01-05T16:34:49.531Z", "dateUpdated": "2025-06-17T16:11:08.422Z"}, "containers": {"cna": {"title": "x86/AMD: mismatch in IOMMU quarantine page table levels", "datePublic": "2023-11-14T12:00:00.000Z", "descriptions": [{"lang": "en", "value": "The current setup of the quarantine page tables assumes that the\nquarantine domain (dom_io) has been initialized with an address width\nof DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.\n\nHowever dom_io being a PV domain gets the AMD-Vi IOMMU page tables\nlevels based on the maximum (hot pluggable) RAM address, and hence on\nsystems with no RAM above the 512GB mark only 3 page-table levels are\nconfigured in the IOMMU.\n\nOn systems without RAM above the 512GB boundary\namd_iommu_quarantine_init() will setup page tables for the scratch\npage with 4 levels, while the IOMMU will be configured to use 3 levels\nonly, resulting in the last page table directory (PDE) effectively\nbecoming a page table entry (PTE), and hence a device in quarantine\nmode gaining write access to the page destined to be a PDE.\n\nDue to this page table level mismatch, the sink page the device gets\nread/write access to is no longer cleared between device assignment,\npossibly leading to data leaks.\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "A device in quarantine mode can access data from previous quarantine\npage table usages, possibly leaking data used by previous domains that\nalso had the device assigned.\n"}]}], "affected": [{"defaultStatus": "unknown", "product": "Xen", "vendor": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-445"}]}], "configurations": [{"lang": "en", "value": "All Xen versions supporting PCI passthrough are affected.\n\nOnly x86 AMD systems with IOMMU hardware are vulnerable.\n\nOnly x86 guests which have physical devices passed through to them can\nleverage the vulnerability.\n"}], "workarounds": [{"lang": "en", "value": "Not passing through physical devices to guests will avoid the\nvulnerability.\n\nNot using quarantine scratch-page mode will avoid the vulnerability,\nbut could result in other issues.\n"}], "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer.\n"}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-445.html"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-01-05T16:34:49.531Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:21.879Z"}, "title": "CVE Program Container", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-445.html", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-787", "lang": "en", "description": "CWE-787 Out-of-bounds Write"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-04-12T04:00:28.791183Z", "id": "CVE-2023-46835", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T16:11:08.422Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-445.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:21.879Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-46835", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-12T04:00:28.791183Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T19:39:54.875Z"}}], "cna": {"title": "x86/AMD: mismatch in IOMMU quarantine page table levels", "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer.\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "A device in quarantine mode can access data from previous quarantine\npage table usages, possibly leaking data used by previous domains that\nalso had the device assigned.\n"}]}], "affected": [{"vendor": "Xen", "product": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-445"}], "defaultStatus": "unknown"}], "datePublic": "2023-11-14T12:00:00.000Z", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-445.html"}], "workarounds": [{"lang": "en", "value": "Not passing through physical devices to guests will avoid the\nvulnerability.\n\nNot using quarantine scratch-page mode will avoid the vulnerability,\nbut could result in other issues.\n"}], "descriptions": [{"lang": "en", "value": "The current setup of the quarantine page tables assumes that the\nquarantine domain (dom_io) has been initialized with an address width\nof DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.\n\nHowever dom_io being a PV domain gets the AMD-Vi IOMMU page tables\nlevels based on the maximum (hot pluggable) RAM address, and hence on\nsystems with no RAM above the 512GB mark only 3 page-table levels are\nconfigured in the IOMMU.\n\nOn systems without RAM above the 512GB boundary\namd_iommu_quarantine_init() will setup page tables for the scratch\npage with 4 levels, while the IOMMU will be configured to use 3 levels\nonly, resulting in the last page table directory (PDE) effectively\nbecoming a page table entry (PTE), and hence a device in quarantine\nmode gaining write access to the page destined to be a PDE.\n\nDue to this page table level mismatch, the sink page the device gets\nread/write access to is no longer cleared between device assignment,\npossibly leading to data leaks.\n"}], "configurations": [{"lang": "en", "value": "All Xen versions supporting PCI passthrough are affected.\n\nOnly x86 AMD systems with IOMMU hardware are vulnerable.\n\nOnly x86 guests which have physical devices passed through to them can\nleverage the vulnerability.\n"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-01-05T16:34:49.531Z"}}}, "cveMetadata": {"cveId": "CVE-2023-46835", "state": "PUBLISHED", "dateUpdated": "2025-06-17T16:11:08.422Z", "dateReserved": "2023-10-27T07:55:35.331Z", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "datePublished": "2024-01-05T16:34:49.531Z", "assignerShortName": "XEN"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*", "matchCriteriaId": "C2B9CCC2-BAC5-4A65-B8D4-4B71EBBA0C2F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The current setup of the quarantine page tables assumes that the\nquarantine domain (dom_io) has been initialized with an address width\nof DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels.\n\nHowever dom_io being a PV domain gets the AMD-Vi IOMMU page tables\nlevels based on the maximum (hot pluggable) RAM address, and hence on\nsystems with no RAM above the 512GB mark only 3 page-table levels are\nconfigured in the IOMMU.\n\nOn systems without RAM above the 512GB boundary\namd_iommu_quarantine_init() will setup page tables for the scratch\npage with 4 levels, while the IOMMU will be configured to use 3 levels\nonly, resulting in the last page table directory (PDE) effectively\nbecoming a page table entry (PTE), and hence a device in quarantine\nmode gaining write access to the page destined to be a PDE.\n\nDue to this page table level mismatch, the sink page the device gets\nread/write access to is no longer cleared between device assignment,\npossibly leading to data leaks.\n"}, {"lang": "es", "value": "La configuraci\u00f3n actual de las tablas de p\u00e1ginas de cuarentena supone que el dominio de cuarentena (dom_io) se ha inicializado con un ancho de direcci\u00f3n de DEFAULT_DOMAIN_ADDRESS_WIDTH (48) y, por lo tanto, 4 niveles de tabla de p\u00e1ginas. Sin embargo, al ser dom_io un dominio PV, los niveles de tablas de p\u00e1ginas IOMMU AMD-Vi se basan en la direcci\u00f3n RAM m\u00e1xima (conectable en caliente) y, por lo tanto, en sistemas sin RAM por encima de la marca de 512 GB, solo se configuran 3 niveles de tablas de p\u00e1ginas en IOMMU. En sistemas sin RAM por encima del l\u00edmite de 512 GB, amd_iommu_quarantine_init() configurar\u00e1 tablas de p\u00e1ginas para la p\u00e1gina temporal con 4 niveles, mientras que IOMMU se configurar\u00e1 para usar solo 3 niveles, lo que dar\u00e1 como resultado que el \u00faltimo directorio de la tabla de p\u00e1ginas (PDE) se convierta efectivamente en una entrada de la tabla de p\u00e1ginas (PTE) y, por lo tanto, un dispositivo en modo de cuarentena obtiene acceso de escritura a la p\u00e1gina destinada a ser una PDE. Debido a esta discrepancia en el nivel de la tabla de p\u00e1ginas, la p\u00e1gina receptora a la que el dispositivo tiene acceso de lectura/escritura ya no se borra entre las asignaciones de dispositivos, lo que posiblemente provoque fugas de datos."}], "id": "CVE-2023-46835", "lastModified": "2025-06-17T16:15:23.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-01-05T17:15:11.147", "references": [{"source": "security@xen.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-445.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-445.html"}], "sourceIdentifier": "security@xen.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}