{"api_version":"1","generated_at":"2026-04-23T04:33:48+00:00","cve":"CVE-2021-28701","urls":{"html":"https://cve.report/CVE-2021-28701","api":"https://cve.report/api/cve/CVE-2021-28701.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-28701","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-28701"},"summary":{"title":"CVE-2021-28701","description":"Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.","state":"PUBLIC","assigner":"security@xen.org","published_at":"2021-09-08 14:15:00","updated_at":"2023-11-07 03:32:00"},"problem_types":["CWE-362"],"metrics":[],"references":[{"url":"http://xenbits.xen.org/xsa/advisory-384.html","name":"http://xenbits.xen.org/xsa/advisory-384.html","refsource":"CONFIRM","tags":[],"title":"XSA-384 - Xen Security Advisories","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://xenbits.xenproject.org/xsa/advisory-384.txt","name":"https://xenbits.xenproject.org/xsa/advisory-384.txt","refsource":"MISC","tags":[],"title":"","mime":"text/plain","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L4MI3MQAPGILCLXBGQWPZHGE3ALSO4ZU/","name":"FEDORA-2021-11577e5229","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: xen-4.14.2-4.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEHZLIR5DFYYQBH55AERWHLO54OFU42C/","name":"FEDORA-2021-fed53cbc7d","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: xen-4.14.2-4.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202208-23","name":"GLSA-202208-23","refsource":"GENTOO","tags":[],"title":"Xen: Multiple Vulnerabilities (GLSA 202208-23) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HEHUIUWSSMCQGQY3GWX4J2SZGYP5W2Z/","name":"FEDORA-2021-5a0c7bc619","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: xen-4.15.0-7.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2021/dsa-4977","name":"DSA-4977","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4977-1 xen","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2021/09/08/2","name":"[oss-security] 20210908 Xen Security Advisory 384 v3 (CVE-2021-28701) - Another race in XENMAPSPACE_grant_table handling","refsource":"MLIST","tags":[],"title":"oss-security - Xen Security Advisory 384 v3 (CVE-2021-28701) - Another race in\n XENMAPSPACE_grant_table handling","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HEHUIUWSSMCQGQY3GWX4J2SZGYP5W2Z/","name":"FEDORA-2021-5a0c7bc619","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: xen-4.15.0-7.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4MI3MQAPGILCLXBGQWPZHGE3ALSO4ZU/","name":"FEDORA-2021-11577e5229","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: xen-4.14.2-4.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEHZLIR5DFYYQBH55AERWHLO54OFU42C/","name":"FEDORA-2021-fed53cbc7d","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: xen-4.14.2-4.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-28701","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28701","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Array","lang":""}],"nvd_cpes":[{"cve_year":"2021","cve_id":"28701","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28701","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28701","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28701","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28701","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"xen","cpe5":"xen","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-28701","qid":"178798","title":"Debian Security Update for xen (DSA 4977-1)"},{"cve":"CVE-2021-28701","qid":"184978","title":"Debian Security Update for xen (CVE-2021-28701)"},{"cve":"CVE-2021-28701","qid":"281909","title":"Fedora Security Update for xen (FEDORA-2021-11577e5229)"},{"cve":"CVE-2021-28701","qid":"281917","title":"Fedora Security Update for xen (FEDORA-2021-fed53cbc7d)"},{"cve":"CVE-2021-28701","qid":"379051","title":"Citrix XenServer Security Updates (CTX325319)"},{"cve":"CVE-2021-28701","qid":"390249","title":"Oracle Managed Virtualization (VM) Server for x86 Security Update for xen (OVMSA-2021-0033)"},{"cve":"CVE-2021-28701","qid":"500802","title":"Alpine Linux Security Update for xen"},{"cve":"CVE-2021-28701","qid":"501520","title":"Alpine Linux Security Update for xen"},{"cve":"CVE-2021-28701","qid":"501798","title":"Alpine Linux Security Update for xen"},{"cve":"CVE-2021-28701","qid":"504545","title":"Alpine Linux Security Update for xen"},{"cve":"CVE-2021-28701","qid":"710600","title":"Gentoo Linux Xen Multiple Vulnerabilities (GLSA 202208-23)"},{"cve":"CVE-2021-28701","qid":"751151","title":"OpenSUSE Security Update for xen (openSUSE-SU-2021:3140-1)"},{"cve":"CVE-2021-28701","qid":"751154","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2021:3181-1)"},{"cve":"CVE-2021-28701","qid":"751158","title":"OpenSUSE Security Update for xen (openSUSE-SU-2021:1301-1)"},{"cve":"CVE-2021-28701","qid":"751165","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2021:3213-1)"},{"cve":"CVE-2021-28701","qid":"751417","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2021:3842-1)"},{"cve":"CVE-2021-28701","qid":"751422","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2021:3849-1)"},{"cve":"CVE-2021-28701","qid":"751477","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2021:3977-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@xen.org","ID":"CVE-2021-28701","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"xen","version":{"version_data":[{"version_affected":"?<","version_value":"4.12"},{"version_affected":">=","version_value":"4.15.x"},{"version_affected":"!>","version_value":"xen-unstable"}]}},{"product_name":"xen","version":{"version_data":[{"version_value":"4.11.x"}]}},{"product_name":"xen","version":{"version_data":[{"version_affected":"?<","version_value":"4.12"},{"version_affected":">=","version_value":"4.12.x"},{"version_affected":"!>","version_value":"4.14.x"}]}}]},"vendor_name":"Xen"}]}},"configuration":{"configuration_data":{"description":{"description_data":[{"lang":"eng","value":"All Xen versions from 4.0 onwards are affected.  Xen versions 3.4 and\nolder are not affected.\n\nOnly x86 HVM and PVH guests permitted to use grant table version 2\ninterfaces can leverage this vulnerability.  x86 PV guests cannot\nleverage this vulnerability.  On Arm, grant table v2 use is explicitly\nunsupported."}]}}},"credit":{"credit_data":{"description":{"description_data":[{"lang":"eng","value":"This issue was discovered by Julien Grall of Amazon."}]}}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed."}]},"impact":{"impact_data":{"description":{"description_data":[{"lang":"eng","value":"A malicious guest may be able to elevate its privileges to that of the\nhost, cause host or guest Denial of Service (DoS), or cause information\nleaks."}]}}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"unknown"}]}]},"references":{"reference_data":[{"url":"https://xenbits.xenproject.org/xsa/advisory-384.txt","refsource":"MISC","name":"https://xenbits.xenproject.org/xsa/advisory-384.txt"},{"refsource":"CONFIRM","name":"http://xenbits.xen.org/xsa/advisory-384.html","url":"http://xenbits.xen.org/xsa/advisory-384.html"},{"refsource":"MLIST","name":"[oss-security] 20210908 Xen Security Advisory 384 v3 (CVE-2021-28701) - Another race in XENMAPSPACE_grant_table handling","url":"http://www.openwall.com/lists/oss-security/2021/09/08/2"},{"refsource":"FEDORA","name":"FEDORA-2021-11577e5229","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4MI3MQAPGILCLXBGQWPZHGE3ALSO4ZU/"},{"refsource":"FEDORA","name":"FEDORA-2021-fed53cbc7d","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEHZLIR5DFYYQBH55AERWHLO54OFU42C/"},{"refsource":"DEBIAN","name":"DSA-4977","url":"https://www.debian.org/security/2021/dsa-4977"},{"refsource":"FEDORA","name":"FEDORA-2021-5a0c7bc619","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HEHUIUWSSMCQGQY3GWX4J2SZGYP5W2Z/"},{"refsource":"GENTOO","name":"GLSA-202208-23","url":"https://security.gentoo.org/glsa/202208-23"}]},"workaround":{"workaround_data":{"description":{"description_data":[{"lang":"eng","value":"Running only PV guests will avoid this vulnerability.\n\nSuppressing use of grant table v2 interfaces for HVM or PVH guests will\nalso avoid this vulnerability."}]}}}},"nvd":{"publishedDate":"2021-09-08 14:15:00","lastModifiedDate":"2023-11-07 03:32:00","problem_types":["CWE-362"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"},"exploitabilityScore":1.1,"impactScore":6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:M/Au:N/C:P/I:P/A:P","accessVector":"LOCAL","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":4.4},"severity":"MEDIUM","exploitabilityScore":3.4,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"28701","Ordinal":"203877","Title":"CVE-2021-28701","CVE":"CVE-2021-28701","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"28701","Ordinal":"1","NoteData":"Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"28701","Ordinal":"2","NoteData":"2021-09-08","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"28701","Ordinal":"3","NoteData":"2021-09-24","Type":"Other","Title":"Modified"}]}}}