CVE-2022-42309
Advisory lineage Upstream: 0 Downstream: 13
Modified
Published: 01 Nov 2022, 00:00
Last modified:03 Aug 2024, 13:03
Vulnerability Summary
Overall Risk (default)
medium
35/100 CVSS Score
8.8 HIGH
v3.1 (nvd)
EPSS Score
0.06% LOW
0% probability +0.01%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
01 Nov 2022, 00:00
Published
Vulnerability first disclosed
03 Aug 2024, 13:03
Last Modified
Vulnerability information updated
Description
Xenstore: Guests can crash xenstored Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the guest e.g. by exceeding the quota value of maximum nodes per domain.
CVSS Metrics
- v3.1•HIGH•Score: 8.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.06%• Percentile: 20%
Techniques & Countermeasures
- CWE-763•Release of Invalid Pointer or Reference
The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.
Affected Systems
- debian•debian_linux
11.0
- fedoraproject•fedora
35 | 36 | 37
- xen•xen
na
References (8)
- https://xenbits.xenproject.org/xsa/advisory-414.txt
- http://xenbits.xen.org/xsa/advisory-414.html
- http://www.openwall.com/lists/oss-security/2022/11/01/4
- https://www.debian.org/security/2022/dsa-5272
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/
- https://security.gentoo.org/glsa/202402-07