CVE-2024-31146

25.09.2024, 11:15

When multiple devices share resources and one of them is to be passed
through to a guest, security of the entire system and of respective
guests individually cannot really be guaranteed without knowing
internals of any of the involved guests.  Therefore such a configuration
cannot really be security-supported, yet making that explicit was so far
missing.

Resources the sharing of which is known to be problematic include, but
are not limited to
- - PCI Base Address Registers (BARs) of multiple devices mapping to the
  same page (4k on x86),
- - INTx lines.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	LOCAL	HIGH	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
XEN	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	7.5 HIGH	LOCAL	HIGH	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Debian Releases

Debian Product

Codename

xen

bullseye	vulnerable
bullseye (security)	vulnerable
bookworm	4.17.5+23-ga4e5191dc0-1+deb12u1 fixed
bookworm (security)	4.17.5+23-ga4e5191dc0-1 fixed
sid	4.20.0+68-g35cb38b222-1 fixed
trixie	4.20.0+68-g35cb38b222-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

xen

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://xenbits.xenproject.org/xsa/advisory-461.html

http://www.openwall.com/lists/oss-security/2024/08/14/3

http://xenbits.xen.org/xsa/advisory-461.html