CVE-2023-46842

Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and
other modes.  This in particular means that they may set registers used
to pass 32-bit-mode hypercall arguments to values outside of the range
32-bit code would be able to set them to.

When processing of hypercalls takes a considerable amount of time,
the hypervisor may choose to invoke a hypercall continuation.  Doing so
involves putting (perhaps updated) hypercall arguments in respective
registers.  For guests not running in 64-bit mode this further involves
a certain amount of translation of the values.

Unfortunately internal sanity checking of these translated values
assumes high halves of registers to always be clear when invoking a
hypercall.  When this is found not to be the case, it triggers a
consistency check in the hypervisor and causes a crash.
Type Confusion
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
XENCNA
---
---
CISA-ADPADP
6.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
Debian logo
Debian Releases
Debian Product
Codename
xen
bullseye
vulnerable
buster
not-affected
bullseye (security)
vulnerable
bookworm
vulnerable
bookworm (security)
4.17.5+23-ga4e5191dc0-1
fixed
trixie
vulnerable
sid
4.19.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
xen
oracular
needs-triage
noble
needs-triage
mantic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://xenbits.xenproject.org/xsa/advisory-454.html
http://xenbits.xen.org/xsa/advisory-454.html
https://xenbits.xenproject.org/xsa/advisory-454.html