CVE-2021-28701 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-28701 PUBLISHED

Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.

EPSS 0.06% · 18.6th percentile

Risk Scores

EPSS Score

0.06%

18.6th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:24.04:LTS	xen	0, 4.17.2-1, 4.17.2+55-g0b56bed864-1
Ubuntu:18.04:LTS	xen	0, 4.9.0-0ubuntu4, 4.9.2-0ubuntu1
Ubuntu:20.04:LTS	xen	4.11.3+24-g14b62ab3e5-1ubuntu1, 4.9.2-0ubuntu7, 4.9.2-0ubuntu6
Ubuntu:25.10	xen	*, 4.20.0-1ubuntu1, 0
Ubuntu:16.04:LTS	xen	4.6.0-1ubuntu4.2, 4.6.5-0ubuntu1.2, 4.6.5-0ubuntu1.1
Ubuntu:22.04:LTS	xen	4.16.0-1~ubuntu2.1, 0, 4.11.4+24-gddaaccbbab-1ubuntu2

Timeline

Sep 8, 2021 CVE Published
Sep 9, 2021 EPSS Score
Sep 18, 2021 EPSS Score
Sep 25, 2021 EPSS Score
Oct 9, 2021 EPSS Score
Nov 5, 2021 EPSS Score
Jan 1, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Feb 27, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Apr 25, 2022 EPSS Score
Aug 19, 2022 EPSS Score

References

https://ubuntu.com/security/CVE-2021-28701 third-party-advisory
https://xenbits.xen.org/xsa/advisory-384.html third-party-advisory
https://xenbits.xenproject.org/xsa/advisory-384.txt third-party-advisory
http://xenbits.xen.org/xsa/advisory-384.html third-party-advisory
http://www.openwall.com/lists/oss-security/2021/09/08/2 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2021-28701 third-party-advisory

Open in Interactive Console →