CVE-2023-34326 (GCVE-0-2023-34326)
Vulnerability from cvelistv5
Published
2024-01-05 16:30
Modified
2025-11-04 19:16
Summary
The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) are incorrect on some hardware, as devices will malfunction (that is, see stale DMA mappings) if some fields of the DTE (Device Table Entry) are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.
Impacted products


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T19:16:39.858Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://xenbits.xenproject.org/xsa/advisory-442.html"
          },
          {
            "url": "http://xenbits.xen.org/xsa/advisory-442.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-34326",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-14T20:27:29.871651Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-672",
                "description": "CWE-672 Operation on a Resource after Expiration or Release",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-18T15:48:27.234Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-442"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "All Xen versions supporting PCI passthrough are affected.\n\nOnly x86 AMD systems with IOMMU hardware are vulnerable.\n\nOnly x86 guests which have physical devices passed through to them can\nleverage the vulnerability.\n"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer.\n"
        }
      ],
      "datePublic": "2023-10-10T11:26:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The caching invalidation guidelines from the AMD-Vi specification (48882\u2014Rev\n3.07-PUB\u2014Oct 2022) is incorrect on some hardware, as devices will malfunction\n(see stale DMA mappings) if some fields of the DTE are updated but the IOMMU\nTLB is not flushed.\n\nSuch stale DMA mappings can point to memory ranges not owned by the guest, thus\nallowing access to unindented memory regions.\n"
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks.\n"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-05T16:30:57.225Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-442.html"
        }
      ],
      "title": "x86/AMD: missing IOMMU TLB flushing",
      "workarounds": [
        {
          "lang": "en",
          "value": "Not passing through physical devices to guests will avoid the vulnerability.\n"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2023-34326",
    "datePublished": "2024-01-05T16:30:57.225Z",
    "dateReserved": "2023-06-01T10:44:17.065Z",
    "dateUpdated": "2025-11-04T19:16:39.858Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://xenbits.xenproject.org/xsa/advisory-442.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T16:10:06.955Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-34326\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-14T20:27:29.871651Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-672\", \"description\": \"CWE-672 Operation on a Resource after Expiration or Release\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-18T15:47:52.296Z\"}}], \"cna\": {\"title\": \"x86/AMD: missing IOMMU TLB flushing\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"This issue was discovered by Roger Pau Monn\\u00e9 of XenServer.\\n\"}], \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"Privilege escalation, Denial of Service (DoS) affecting the entire host,\\nand information leaks.\\n\"}]}], \"affected\": [{\"vendor\": \"Xen\", \"product\": \"Xen\", \"versions\": [{\"status\": \"unknown\", \"version\": \"consult Xen advisory XSA-442\"}], \"defaultStatus\": \"unknown\"}], 
\"datePublic\": \"2023-10-10T11:26:00.000Z\", \"references\": [{\"url\": \"https://xenbits.xenproject.org/xsa/advisory-442.html\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Not passing through physical devices to guests will avoid the vulnerability.\\n\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The caching invalidation guidelines from the AMD-Vi specification (48882\\u2014Rev\\n3.07-PUB\\u2014Oct 2022) is incorrect on some hardware, as devices will malfunction\\n(see stale DMA mappings) if some fields of the DTE are updated but the IOMMU\\nTLB is not flushed.\\n\\nSuch stale DMA mappings can point to memory ranges not owned by the guest, thus\\nallowing access to unindented memory regions.\\n\"}], \"configurations\": [{\"lang\": \"en\", \"value\": \"All Xen versions supporting PCI passthrough are affected.\\n\\nOnly x86 AMD systems with IOMMU hardware are vulnerable.\\n\\nOnly x86 guests which have physical devices passed through to them can\\nleverage the vulnerability.\\n\"}], \"providerMetadata\": {\"orgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"shortName\": \"XEN\", \"dateUpdated\": \"2024-01-05T16:30:57.225Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-34326\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-18T15:48:27.234Z\", \"dateReserved\": \"2023-06-01T10:44:17.065Z\", \"assignerOrgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"datePublished\": \"2024-01-05T16:30:57.225Z\", \"assignerShortName\": \"XEN\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}







Sightings


Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

