CVE-2023-34322 (GCVE-0-2023-34322)
Vulnerability from cvelistv5
Published: 2024-01-05 16:18
Modified: 2025-11-04 19:16
Summary
For migration as well as to work around kernels unaware of L1TF (see
XSA-273), PV guests may be run in shadow paging mode. Since Xen itself
needs to be mapped when PV guests run, Xen and shadowed PV guests run
directly the respective shadow page tables. For 64-bit PV guests this
means running on the shadow of the guest root page table.

In the course of dealing with shortage of memory in the shadow pool
associated with a domain, shadows of page tables may be torn down. This
tearing down may include the shadow root page table that the CPU in
question is presently running on. While a precaution exists to
supposedly prevent the tearing down of the underlying live page table,
the time window covered by that precaution isn't large enough.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:16:35.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-438.html"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-438.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-34322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T15:50:09.329667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-273",
"description": "CWE-273 Improper Check for Dropped Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T18:28:59.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-438"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions from at least 3.2 onwards are vulnerable. Earlier\nversions have not been inspected.\n\nOnly x86 systems are vulnerable. Only 64-bit PV guests can leverage the\nvulnerability, and only when running in shadow mode. Shadow mode would\nbe in use when migrating guests or as a workaround for XSA-273 (L1TF).\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Tim Deegan, and Jan Beulich of SUSE.\n"
}
],
"datePublic": "2023-09-19T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "For migration as well as to work around kernels unaware of L1TF (see\nXSA-273), PV guests may be run in shadow paging mode. Since Xen itself\nneeds to be mapped when PV guests run, Xen and shadowed PV guests run\ndirectly the respective shadow page tables. For 64-bit PV guests this\nmeans running on the shadow of the guest root page table.\n\nIn the course of dealing with shortage of memory in the shadow pool\nassociated with a domain, shadows of page tables may be torn down. This\ntearing down may include the shadow root page table that the CPU in\nquestion is presently running on. While a precaution exists to\nsupposedly prevent the tearing down of the underlying live page table,\nthe time window covered by that precaution isn\u0027t large enough.\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks all cannot be ruled out.\n"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-05T16:18:01.363Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-438.html"
}
],
"title": "top-level shadow reference dropped too early for 64-bit PV guests",
"workarounds": [
{
"lang": "en",
"value": "Running only HVM or PVH guests will avoid the vulnerability.\n\nRunning PV guests in the PV shim will also avoid the vulnerability.\n"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2023-34322",
"datePublished": "2024-01-05T16:18:01.363Z",
"dateReserved": "2023-06-01T10:44:17.065Z",
"dateUpdated": "2025-11-04T19:16:35.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.