{"api_version":"1","generated_at":"2026-04-22T23:53:04+00:00","cve":"CVE-2022-23034","urls":{"html":"https://cve.report/CVE-2022-23034","api":"https://cve.report/api/cve/CVE-2022-23034.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-23034","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-23034"},"summary":{"title":"CVE-2022-23034","description":"A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check.","state":"PUBLIC","assigner":"security@xen.org","published_at":"2022-01-25 14:15:00","updated_at":"2023-11-07 03:44:00"},"problem_types":["CWE-191"],"metrics":[],"references":[{"url":"https://www.debian.org/security/2022/dsa-5117","name":"DSA-5117","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5117-1 xen","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202208-23","name":"GLSA-202208-23","refsource":"GENTOO","tags":[],"title":"Xen: Multiple Vulnerabilities (GLSA 202208-23) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/","name":"FEDORA-2022-0cc3916e08","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: xen-4.14.4-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/","name":"FEDORA-2022-0cc3916e08","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: xen-4.14.4-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://xenbits.xenproject.org/xsa/advisory-394.txt","name":"https://xenbits.xenproject.org/xsa/advisory-394.txt","refsource":"MISC","tags":[],"title":"","mime":"text/plain","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/01/25/3","name":"[oss-security] 20220125 Xen Security Advisory 394 v3 (CVE-2022-23034) - A PV guest could DoS Xen while unmapping a grant","refsource":"MLIST","tags":[],"title":"oss-security - Xen Security Advisory 394 v3 (CVE-2022-23034) - A PV guest could\n DoS Xen while unmapping a grant","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-23034","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23034","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Array","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"23034","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23034","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23034","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23034","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"xen","cpe5":"xen","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"x86","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-23034","qid":"179182","title":"Debian Security Update for xen (DSA 5117-1)"},{"cve":"CVE-2022-23034","qid":"182963","title":"Debian Security Update for xen (CVE-2022-23034)"},{"cve":"CVE-2022-23034","qid":"282332","title":"Fedora Security Update for xen (FEDORA-2022-420bf9fc1e)"},{"cve":"CVE-2022-23034","qid":"282411","title":"Fedora Security Update for xen (FEDORA-2022-0cc3916e08)"},{"cve":"CVE-2022-23034","qid":"377775","title":"Security Advisory for Citrix XenServer (CTX337526)"},{"cve":"CVE-2022-23034","qid":"500806","title":"Alpine Linux Security Update for xen"},{"cve":"CVE-2022-23034","qid":"501523","title":"Alpine Linux Security Update for xen"},{"cve":"CVE-2022-23034","qid":"501801","title":"Alpine Linux Security Update for xen"},{"cve":"CVE-2022-23034","qid":"502242","title":"Alpine Linux Security Update for xen"},{"cve":"CVE-2022-23034","qid":"504548","title":"Alpine Linux Security Update for xen"},{"cve":"CVE-2022-23034","qid":"710600","title":"Gentoo Linux Xen Multiple Vulnerabilities (GLSA 202208-23)"},{"cve":"CVE-2022-23034","qid":"751685","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:0331-1)"},{"cve":"CVE-2022-23034","qid":"751686","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:0332-1)"},{"cve":"CVE-2022-23034","qid":"751691","title":"OpenSUSE Security Update for xen (openSUSE-SU-2022:0333-1)"},{"cve":"CVE-2022-23034","qid":"751693","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:0359-1)"},{"cve":"CVE-2022-23034","qid":"751713","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:0468-1)"},{"cve":"CVE-2022-23034","qid":"751714","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:0469-1)"},{"cve":"CVE-2022-23034","qid":"751717","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:0467-1)"},{"cve":"CVE-2022-23034","qid":"752015","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:0333-1)"},{"cve":"CVE-2022-23034","qid":"753138","title":"SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:14886-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@xen.org","ID":"CVE-2022-23034","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"xen","version":{"version_data":[{"version_affected":"?","version_value":"consult Xen advisory XSA-394"}]}}]},"vendor_name":"Xen"}]}},"configuration":{"configuration_data":{"description":{"description_data":[{"lang":"eng","value":"All Xen versions from at least 3.2 onwards are vulnerable in principle,\nif they have the XSA-380 fixes applied.\n\nOnly x86 systems are vulnerable.  Arm systems are not vulnerable.\n\nOnly x86 PV guests with access to PCI devices can leverage the\nvulnerability.  x86 HVM and PVH guests, as well as PV guests without\naccess to PCI devices, cannot leverage the vulnerability.\n\nAdditionally from Xen 4.13 onwards x86 PV guests can leverage this\nvulnerability only when being granted access to pages owned by another\ndomain."}]}}},"credit":{"credit_data":{"description":{"description_data":[{"lang":"eng","value":"This issue was discovered by Julien Grall of Amazon."}]}}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check."}]},"impact":{"impact_data":{"description":{"description_data":[{"lang":"eng","value":"Malicious guest kernels may be able to mount a Denial of Service (DoS)\nattack affecting the entire system."}]}}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"unknown"}]}]},"references":{"reference_data":[{"url":"https://xenbits.xenproject.org/xsa/advisory-394.txt","refsource":"MISC","name":"https://xenbits.xenproject.org/xsa/advisory-394.txt"},{"refsource":"MLIST","name":"[oss-security] 20220125 Xen Security Advisory 394 v3 (CVE-2022-23034) - A PV guest could DoS Xen while unmapping a grant","url":"http://www.openwall.com/lists/oss-security/2022/01/25/3"},{"refsource":"FEDORA","name":"FEDORA-2022-0cc3916e08","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/"},{"refsource":"DEBIAN","name":"DSA-5117","url":"https://www.debian.org/security/2022/dsa-5117"},{"refsource":"GENTOO","name":"GLSA-202208-23","url":"https://security.gentoo.org/glsa/202208-23"}]},"workaround":{"workaround_data":{"description":{"description_data":[{"lang":"eng","value":"Not running PV guests will avoid the vulnerability.\n\nFor Xen 4.12 and older not passing through PCI devices to PV guests will\navoid the vulnerability.\n\nFor Xen 4.13 and newer not enabling PCI device pass-through for PV\nguests will avoid the vulnerability.  This can be achieved via omitting\nany \"passthrough=...\" and \"pci=...\" settings from xl guest configuration\nfiles, or by setting \"passthrough=disabled\" there.\n\n- From Xen 4.13 onwards, XSM SILO can be available as a security policy\ndesigned to permit guests to only be able to communicate with Dom0.\nDom0 does not normally offer its pages for guests to map, which means\nthe use of SILO mode normally mitigates the vulnerability."}]}}}},"nvd":{"publishedDate":"2022-01-25 14:15:00","lastModifiedDate":"2023-11-07 03:44:00","problem_types":["CWE-191"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:N/I:N/A:P","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":2.1},"severity":"LOW","exploitabilityScore":3.9,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*","versionStartIncluding":"3.2.0","versionEndExcluding":"4.13.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"23034","Ordinal":"225625","Title":"CVE-2022-23034","CVE":"CVE-2022-23034","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"23034","Ordinal":"1","NoteData":"A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check.","Type":"Description","Title":null},{"CveYear":"2022","CveId":"23034","Ordinal":"2","NoteData":"2022-01-25","Type":"Other","Title":"Published"},{"CveYear":"2022","CveId":"23034","Ordinal":"3","NoteData":"2022-01-25","Type":"Other","Title":"Modified"}]}}}