===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2026.3153
Xen domain builder Out-of-memory due to malicious kernel/ramdisk
1 April 2026
===========================================================================
AUSCERT Security Bulletin Summary
---------------------------------
Product: Xen
Publisher: Xen Project
Operating System: Xen
Resolution: Patch/Upgrade
CVE Names: CVE-2012-4544 CVE-2012-2625
Original Bulletin:
http://xenbits.xen.org/xsa/advisory-25.html
Comment: CVSS (Max): None available when published
EPSS (Max): None available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
Xen Security Advisory CVE-2012-4544,CVE-2012-2625 / XSA-25
version 2
Xen domain builder Out-of-memory due to malicious kernel/ramdisk
UPDATES IN VERSION 2
====================
Clarify that XSA-25 is reporting, via the Xen.org security process,
both CVE-2012-4544 and CVE-2012-2625.
Also we would like to apologise for the fact that xen-announce's copy
of version 1 of this advisory was delayed in mailing list moderation.
ISSUE DESCRIPTION
=================
The Xen PV domain builder contained no validation of the size of the
supplied kernel or ramdisk either before or after decompression. This
could cause the toolstack to consume all available RAM in the domain
running the domain builder. (CVE-2012-4544)
Additionally, under similar circumstances pygrub can consume an
excessive amount of memory. (CVE-2012-2625)
IMPACT
======
A malicious guest administrator who can supply a kernel or ramdisk can
exhaust memory in domain 0 leading to a denial of service attack.
VULNERABLE SYSTEMS
==================
All versions of Xen are vulnerable.
MITIGATION
==========
Running only trusted kernels and ramdisks will avoid these
vulnerabilities.
Using pvgrub also avoids these vulnerabilities since the builder will
run in guest context. (nb: use of pygrub *is* vulnerable).
Running only HVM guests will avoid these vulnerabilities.
RESOLUTION
==========
Applying the appropriate attached patch resolves these issues.
The pygrub problem (CVE-2012-2625) was fixed in xen-unstable (and the
fix inherited by Xen 4.2.x) in revision 25589:60f09d1ab1fe but not
called out as a security problem. This fix is also included, where
necessary, in the patches below.
xsa25-unstable.patch Xen unstable
xsa25-4.2.patch Xen 4.2.x
xsa25-4.1.patch Xen 4.1.x
$ sha256sum xsa25*.patch
613e4b82cdc9cabf9cbd52076118887b298c47e680c2066a28a77f12e9f90606 xsa25-4.1.patch
135bc089d003f9b97991764c37b1ab8d37e9cbcfa1b9bd7429b4503abe00c8f5 xsa25-4.2.patch
534495b7eef6e599f5814f0a67fc84fbe2e8eee9d223a09ad178ff63bdcda3dd xsa25-unstable.patch
Note that these patches impose a new size limit of 1Gby on both the
compressed and uncompressed sizes of ramdisks. On some systems it may
be desirable to relax these limits and risk virtual address or memory
exhaustion in the toolstack. This can be achieved by setting
XC_DOM_DECOMPRESS_MAX to the desired limit (in bytes). This can be
done by building with "APPEND_CFLAGS=-DXC_DOM_DECOMPRESS_MAX=<limit>"
or by editing tools/libxc/xc_dom.h directly.
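The two checks described above (bound the compressed image, then bound the output while decompressing rather than after), illustrated here with an added example that is not Xen's tools/libxc code: Python's standard zlib stands in for the builder's decompressors, and a 1 MiB limit stands in for the 1Gby XC_DOM_DECOMPRESS_MAX; the function names and the sample images are constructed for this example.

```python
import zlib

# Constructed, scaled-down stand-in for XC_DOM_DECOMPRESS_MAX (1 MiB here;
# the XSA-25 patches use 1Gby). Assumption for this example only.
DECOMPRESS_MAX = 1 << 20


class ImageTooLarge(Exception):
    """Raised when a kernel/ramdisk exceeds the configured size limit."""


def load_image(blob: bytes, limit: int = DECOMPRESS_MAX) -> bytes:
    """Decompress a zlib-compressed image, enforcing `limit` on both the
    compressed input and the uncompressed output (the two checks XSA-25
    says the original domain builder lacked)."""
    # Check 1: bound the compressed size before touching the data.
    if len(blob) > limit:
        raise ImageTooLarge(f"compressed size {len(blob)} exceeds {limit}")
    d = zlib.decompressobj()
    out = bytearray()
    remaining = blob
    # Check 2: decompress incrementally so the output buffer never grows
    # past the limit, instead of inflating everything and measuring after.
    while remaining:
        piece = d.decompress(remaining, max_length=limit - len(out) + 1)
        out += piece
        if len(out) > limit:
            raise ImageTooLarge(f"uncompressed size exceeds {limit}")
        remaining = d.unconsumed_tail
    out += d.flush()  # any output still buffered inside zlib
    if len(out) > limit:
        raise ImageTooLarge(f"uncompressed size exceeds {limit}")
    return bytes(out)


def image_fits(blob: bytes, limit: int = DECOMPRESS_MAX) -> bool:
    """True if `blob` would be accepted by load_image under `limit`."""
    try:
        load_image(blob, limit)
        return True
    except ImageTooLarge:
        return False


def make_sample_images():
    """Constructed inputs: a small legitimate image, and a few-KiB blob
    that inflates to 8x the limit (the dom0 memory-exhaustion case)."""
    good = zlib.compress(b"vmlinuz-sample " * 256)
    bomb = zlib.compress(b"\0" * (8 * DECOMPRESS_MAX))
    return good, bomb
```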
NOTE REGARDING LACK OF EMBARGO
==============================
These issues have already been discussed in public in various places,
including https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2625
and http://bugs.debian.org/688125. This advisory is therefore not
subject to an embargo.
- --------------------------END INCLUDED TEXT----------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AUSCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AUSCERT's members. As
AUSCERT did not write the document quoted above, AUSCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AUSCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://portal.auscert.org.au/bulletins/
===========================================================================
AUSCERT
The University of Queensland, Brisbane QLD 4072 Australia
e: auscert@auscert.org.au
t: +61 (0)7 3365 4417
Allies in Cyber Security
===========================================================================