CVE-2023-46841 (GCVE-0-2023-46841)
Vulnerability from cvelistv5
Published
2024-03-20 10:40
Modified
2025-11-04 18:18
Severity ?
6.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Summary
Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exceptions, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing.
References
Impacted products
Vendor Product Version
Xen Xen Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-46841",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-25T16:09:38.636466Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-05T18:53:05.398Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T18:18:57.552Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://xenbits.xenproject.org/xsa/advisory-451.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/"
          },
          {
            "url": "http://xenbits.xen.org/xsa/advisory-451.html"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HES2IJXZY3H7HBPP4NVSVYYNGW254DMI/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-451"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Xen 4.14 and onwards are vulnerable.  Xen 4.13 and older are not\nvulnerable.\n\nOnly x86 systems with CET-SS enabled are vulnerable.  x86 systems with\nCET-SS unavailable or disabled are not vulnerable.  Arm systems are not\nvulnerable.  See\nhttps://xenbits.xen.org/docs/latest/faq.html#tell-if-cet-is-active\nfor how to determine whether CET-SS is active.\n\nOnly HVM or PVH guests can leverage the vulnerability.  PV guests cannot\nleverage the vulnerability."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by Jan Beulich of SUSE."
        }
      ],
      "datePublic": "2024-02-27T10:38:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Recent x86 CPUs offer functionality named Control-flow Enforcement\nTechnology (CET).  A sub-feature of this are Shadow Stacks (CET-SS).\nCET-SS is a hardware feature designed to protect against Return Oriented\nProgramming attacks. When enabled, traditional stacks holding both data\nand return addresses are accompanied by so called \"shadow stacks\",\nholding little more than return addresses.  Shadow stacks aren\u0027t\nwritable by normal instructions, and upon function returns their\ncontents are used to check for possible manipulation of a return address\ncoming from the traditional stack.\n\nIn particular certain memory accesses need intercepting by Xen.  In\nvarious cases the necessary emulation involves kind of replaying of\nthe instruction.  Such replaying typically involves filling and then\ninvoking of a stub.  Such a replayed instruction may raise an\nexceptions, which is expected and dealt with accordingly.\n\nUnfortunately the interaction of both of the above wasn\u0027t right:\nRecovery involves removal of a call frame from the (traditional) stack.\nThe counterpart of this operation for the shadow stack was missing."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An unprivileged guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host."
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-23T03:06:14.246Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-451.html"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/"
        }
      ],
      "title": "x86: shadow stack vs exceptions from emulation stubs",
      "workarounds": [
        {
          "lang": "en",
          "value": "While in principle it is possible to disable use of CET on capable\nsystems using the \"cet=no-shstk\" command line option, doing so disables\nan important security feature and may therefore not be advisable."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2023-46841",
    "datePublished": "2024-03-20T10:40:36.597Z",
    "dateReserved": "2023-10-27T07:55:35.333Z",
    "dateUpdated": "2025-11-04T18:18:57.552Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://xenbits.xenproject.org/xsa/advisory-451.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://xenbits.xen.org/xsa/advisory-451.html\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HES2IJXZY3H7HBPP4NVSVYYNGW254DMI/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-04T18:18:57.552Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-46841\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-25T16:09:38.636466Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"description\": \"CWE-noinfo Not enough information\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:19.387Z\"}}], \"cna\": {\"title\": \"x86: shadow stack vs exceptions from emulation stubs\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"This issue was discovered by Jan Beulich of SUSE.\"}], \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"An unprivileged guest can cause a hypervisor crash, causing a Denial of\\nService (DoS) of the entire host.\"}]}], \"affected\": [{\"vendor\": \"Xen\", \"product\": \"Xen\", \"versions\": [{\"status\": \"unknown\", \"version\": \"consult Xen advisory XSA-451\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2024-02-27T10:38:00.000Z\", \"references\": [{\"url\": \"https://xenbits.xenproject.org/xsa/advisory-451.html\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"While in principle it is possible to disable use of CET on capable\\nsystems using the \\\"cet=no-shstk\\\" command line option, doing so disables\\nan important security feature and may therefore not be advisable.\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Recent x86 CPUs offer functionality named Control-flow Enforcement\\nTechnology (CET).  A sub-feature of this are Shadow Stacks (CET-SS).\\nCET-SS is a hardware feature designed to protect against Return Oriented\\nProgramming attacks. When enabled, traditional stacks holding both data\\nand return addresses are accompanied by so called \\\"shadow stacks\\\",\\nholding little more than return addresses.  Shadow stacks aren\u0027t\\nwritable by normal instructions, and upon function returns their\\ncontents are used to check for possible manipulation of a return address\\ncoming from the traditional stack.\\n\\nIn particular certain memory accesses need intercepting by Xen.  In\\nvarious cases the necessary emulation involves kind of replaying of\\nthe instruction.  Such replaying typically involves filling and then\\ninvoking of a stub.  Such a replayed instruction may raise an\\nexceptions, which is expected and dealt with accordingly.\\n\\nUnfortunately the interaction of both of the above wasn\u0027t right:\\nRecovery involves removal of a call frame from the (traditional) stack.\\nThe counterpart of this operation for the shadow stack was missing.\"}], \"configurations\": [{\"lang\": \"en\", \"value\": \"Xen 4.14 and onwards are vulnerable.  Xen 4.13 and older are not\\nvulnerable.\\n\\nOnly x86 systems with CET-SS enabled are vulnerable.  x86 systems with\\nCET-SS unavailable or disabled are not vulnerable.  Arm systems are not\\nvulnerable.  See\\nhttps://xenbits.xen.org/docs/latest/faq.html#tell-if-cet-is-active\\nfor how to determine whether CET-SS is active.\\n\\nOnly HVM or PVH guests can leverage the vulnerability.  PV guests cannot\\nleverage the vulnerability.\"}], \"providerMetadata\": {\"orgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"shortName\": \"XEN\", \"dateUpdated\": \"2024-03-23T03:06:14.246Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-46841\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-04T18:18:57.552Z\", \"dateReserved\": \"2023-10-27T07:55:35.333Z\", \"assignerOrgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"datePublished\": \"2024-03-20T10:40:36.597Z\", \"assignerShortName\": \"XEN\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.