CVE-2021-28700 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-28700 PUBLISHED

xen/arm: No memory limit for dom0less domUs The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit from them is not set. This allow a domain to allocate memory beyond what an administrator originally configured.

EPSS 2.13% · 84.0th percentile

Risk Scores

EPSS Score

2.13%

84.0th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:25.10	xen	4.20.0+68-g35cb38b222-1, 4.20.0-1ubuntu1, 0
Ubuntu:24.04:LTS	xen	4.17.2+76-ge1f9cb16e2-1, 4.17.2+76-ge1f9cb16e2-1ubuntu1, 4.17.3+10-g091466ba55-1
Ubuntu:20.04:LTS	xen	4.9.2-0ubuntu6, 4.9.2-0ubuntu7, 4.11.3+24-g14b62ab3e5-1ubuntu1
Ubuntu:22.04:LTS	xen	4.16.0-1~ubuntu2, 4.16.0-1~ubuntu2.1, 0
Ubuntu:18.04:LTS	xen	4.9.0-0ubuntu4, 4.9.2-0ubuntu1, 0
Ubuntu:16.04:LTS	xen	0, 4.6.0-1ubuntu2, 4.6.0-1ubuntu4

Timeline

Aug 26, 2021 CVE Published
Aug 27, 2021 PoC Published
Aug 28, 2021 EPSS Score
Sep 8, 2021 EPSS Score
Sep 25, 2021 EPSS Score
Oct 10, 2021 EPSS Score
Oct 25, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Feb 17, 2022 EPSS Score
Apr 15, 2022 EPSS Score
Jun 12, 2022 EPSS Score

References

https://ubuntu.com/security/CVE-2021-28700 third-party-advisory
https://xenbits.xen.org/xsa/advisory-383.html third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2021-28700 third-party-advisory

Open in Interactive Console →