CVE-2022-26364

EPSS 0.5%
In short

Xen hypervisor doesn't properly account for CPU cache inconsistencies when checking if memory pages are safe. This allows attackers to bypass safety checks that prevent direct access to critical system structures, potentially enabling privilege escalation in virtualized environments.

Technical detail

A type reference counting mechanism in Xen's PV (paravirtual) x86 implementation fails to consider CPU-induced cache non-coherency when validating page contents. An attacker with guest-level access can exploit timing windows where cached data differs from main memory to bypass Xen's safety invariants, gaining unauthorized write access to pagetables or other protected kernel structures.

Summary generated and translated by AI from the official description.
x86 pv: Insufficient care with non-coherent mappings

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]

Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page are safe.

Affected products
Xen · xen