{"api_version":"1","generated_at":"2026-04-22T23:52:35+00:00","cve":"CVE-2021-28695","urls":{"html":"https://cve.report/CVE-2021-28695","api":"https://cve.report/api/cve/CVE-2021-28695.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-28695","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-28695"},"summary":{"title":"CVE-2021-28695","description":"IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696).","state":"PUBLIC","assigner":"security@xen.org","published_at":"2021-08-27 19:15:00","updated_at":"2023-11-07 03:32:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"http://www.openwall.com/lists/oss-security/2021/09/01/6","name":"[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: Xen Security Advisory 378 v3\n (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on\n x86","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/","name":"FEDORA-2021-4f129cc0c1","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: xen-4.14.2-3.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://xenbits.xenproject.org/xsa/advisory-378.txt","name":"https://xenbits.xenproject.org/xsa/advisory-378.txt","refsource":"MISC","tags":[],"title":"","mime":"text/plain","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/","name":"FEDORA-2021-4f129cc0c1","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: xen-4.14.2-3.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/","name":"FEDORA-2021-081f9bf5d2","refsource":"FEDORA","tags":[],"title":"","mime":"","httpstatus":"-1","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202208-23","name":"GLSA-202208-23","refsource":"GENTOO","tags":[],"title":"Xen: Multiple Vulnerabilities (GLSA 202208-23) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2021/09/01/5","name":"[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86","refsource":"MLIST","tags":[],"title":"oss-security - Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696)\n - IOMMU page mapping issues on x86","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2021/dsa-4977","name":"DSA-4977","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4977-1 xen","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/","name":"FEDORA-2021-d68ed12e46","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: xen-4.14.2-3.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/","name":"FEDORA-2021-d68ed12e46","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: xen-4.14.2-3.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2021/09/01/1","name":"[oss-security] 20210901 Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86","refsource":"MLIST","tags":[],"title":"oss-security - Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696)\n - IOMMU page mapping issues on x86","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/","name":"FEDORA-2021-081f9bf5d2","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: xen-4.15.0-6.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-28695","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28695","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Array","lang":""}],"nvd_cpes":[{"cve_year":"2021","cve_id":"28695","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28695","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28695","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28695","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28695","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"xen","cpe5":"xen","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-28695","qid":"178798","title":"Debian Security Update for xen (DSA 4977-1)"},{"cve":"CVE-2021-28695","qid":"182152","title":"Debian Security Update for xen (CVE-2021-28695)"},{"cve":"CVE-2021-28695","qid":"281879","title":"Fedora Security Update for xen (FEDORA-2021-4f129cc0c1)"},{"cve":"CVE-2021-28695","qid":"281880","title":"Fedora Security Update for xen (FEDORA-2021-d68ed12e46)"},{"cve":"CVE-2021-28695","qid":"390249","title":"Oracle Managed Virtualization (VM) Server for x86 Security Update for xen (OVMSA-2021-0033)"},{"cve":"CVE-2021-28695","qid":"500801","title":"Alpine Linux Security Update for xen"},{"cve":"CVE-2021-28695","qid":"501519","title":"Alpine Linux Security Update for xen"},{"cve":"CVE-2021-28695","qid":"501797","title":"Alpine Linux Security Update for xen"},{"cve":"CVE-2021-28695","qid":"504544","title":"Alpine Linux Security Update for xen"},{"cve":"CVE-2021-28695","qid":"710600","title":"Gentoo Linux Xen Multiple Vulnerabilities (GLSA 202208-23)"},{"cve":"CVE-2021-28695","qid":"751074","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2021:2925-1)"},{"cve":"CVE-2021-28695","qid":"751083","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2021:2924-1)"},{"cve":"CVE-2021-28695","qid":"751085","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2021:2943-1)"},{"cve":"CVE-2021-28695","qid":"751087","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2021:2955-1)"},{"cve":"CVE-2021-28695","qid":"751100","title":"OpenSUSE Security Update for xen (openSUSE-SU-2021:2923-1)"},{"cve":"CVE-2021-28695","qid":"751103","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2021:2957-1)"},{"cve":"CVE-2021-28695","qid":"751111","title":"OpenSUSE Security Update for xen (openSUSE-SU-2021:1236-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@xen.org","ID":"CVE-2021-28695","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"xen","version":{"version_data":[{"version_value":"4.11.x"}]}},{"product_name":"xen","version":{"version_data":[{"version_value":"xen-unstable"}]}},{"product_name":"xen","version":{"version_data":[{"version_value":"4.12.x"}]}},{"product_name":"xen","version":{"version_data":[{"version_value":"4.14.x"}]}},{"product_name":"xen","version":{"version_data":[{"version_value":"4.15.x"}]}},{"product_name":"xen","version":{"version_data":[{"version_value":"4.13.x"}]}}]},"vendor_name":"Xen"}]}},"configuration":{"configuration_data":{"description":{"description_data":[{"lang":"eng","value":"The vulnerability is only exploitable by guests granted access to\nphysical devices (ie, via PCI passthrough).\n\nAll versions of Xen are affected.\n\nOnly x86 systems with IOMMUs and with firmware specifying memory regions\nto be identity mapped are affected.  Other x86 systems are not affected.\n\nWhether a particular system whose ACPI tables declare such memory\nregion(s) is actually affected cannot be known without knowing when\nand/or how these regions are used.  For example, if these regions were\nused only during system boot, there would not be any vulnerability.\nThe necessary knowledge can only be obtained from, collectively, the\nhardware and firmware manufacturers.\n\nOn Arm hardware IOMMU use is not security supported.  Accordingly, we\nhave not undertaken an analysis of these issues for Arm systems."}]}}},"credit":{"credit_data":{"description":{"description_data":[{"lang":"eng","value":"This issue was discovered by Jan Beulich of SUSE."}]}}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696)."}]},"impact":{"impact_data":{"description":{"description_data":[{"lang":"eng","value":"The precise impact is system specific, but can - on affected systems -\nbe any or all of privilege escalation, denial of service, or information\nleaks."}]}}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"unknown"}]}]},"references":{"reference_data":[{"url":"https://xenbits.xenproject.org/xsa/advisory-378.txt","refsource":"MISC","name":"https://xenbits.xenproject.org/xsa/advisory-378.txt"},{"refsource":"MLIST","name":"[oss-security] 20210901 Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86","url":"http://www.openwall.com/lists/oss-security/2021/09/01/1"},{"refsource":"MLIST","name":"[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86","url":"http://www.openwall.com/lists/oss-security/2021/09/01/5"},{"refsource":"MLIST","name":"[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86","url":"http://www.openwall.com/lists/oss-security/2021/09/01/6"},{"refsource":"FEDORA","name":"FEDORA-2021-4f129cc0c1","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"},{"refsource":"FEDORA","name":"FEDORA-2021-d68ed12e46","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"},{"refsource":"DEBIAN","name":"DSA-4977","url":"https://www.debian.org/security/2021/dsa-4977"},{"refsource":"FEDORA","name":"FEDORA-2021-081f9bf5d2","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"},{"refsource":"GENTOO","name":"GLSA-202208-23","url":"https://security.gentoo.org/glsa/202208-23"}]},"workaround":{"workaround_data":{"description":{"description_data":[{"lang":"eng","value":"Not permitting untrusted guests access to phsyical devices will avoid\nthe vulnerability.\n\nLikewise, limiting untrusted guest access to physical devices whose\nfirmware-provided ACPI tables declare identity mappings, will avoid\nthe vulnerability.  (Provided that there are no identity mapped\nregions which are specified by the ACPI tables to apply globally.)\n\nNote that a system is still vulnerable if a guest was trusted, while\nit had such a device assigned, and then has the device removed in\nanticipation of the guest becoming untrusted (because of, for example,\nthe insertion of an untrusted kernel module),"}]}}}},"nvd":{"publishedDate":"2021-08-27 19:15:00","lastModifiedDate":"2023-11-07 03:32:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"PHYSICAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":6.8,"baseSeverity":"MEDIUM"},"exploitabilityScore":0.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:P/I:P/A:P","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":4.6},"severity":"MEDIUM","exploitabilityScore":3.9,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"28695","Ordinal":"203871","Title":"CVE-2021-28695","CVE":"CVE-2021-28695","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"28695","Ordinal":"1","NoteData":"IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696).","Type":"Description","Title":null},{"CveYear":"2021","CveId":"28695","Ordinal":"2","NoteData":"2021-08-27","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"28695","Ordinal":"3","NoteData":"2021-09-24","Type":"Other","Title":"Modified"}]}}}