Filtered by vendor Xen
Subscribe
Total
497 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2011-1936 | 1 Xen | 1 Xen | 2026-06-16 | 4.6 MEDIUM | N/A |
| Xen, when using x86 Intel processors and the VMX virtualization extension is enabled, does not properly handle cpuid instruction emulation when exiting the VM, which allows local guest users to cause a denial of service (guest crash) via unspecified vectors. | |||||
| CVE-2011-1780 | 1 Xen | 1 Xen | 2026-06-16 | 6.1 MEDIUM | N/A |
| The instruction emulation in Xen 3.0.3 allows local SMP guest users to cause a denial of service (host crash) by replacing the instruction that causes the VM to exit in one thread with a different instruction in a different thread. | |||||
| CVE-2011-1763 | 1 Xen | 1 Xen | 2026-06-16 | 7.7 HIGH | N/A |
| The get_free_port function in Xen allows local authenticated DomU users to cause a denial of service or possibly gain privileges via unspecified vectors involving a new event channel port. | |||||
| CVE-2011-1166 | 1 Xen | 1 Xen | 2026-06-16 | 5.5 MEDIUM | N/A |
| Xen, possibly before 4.0.2, allows local 64-bit PV guests to cause a denial of service (host crash) by specifying user mode execution without user-mode pagetables. | |||||
| CVE-2009-3525 | 1 Xen | 1 Xen | 2026-06-16 | 7.2 HIGH | N/A |
| The pyGrub boot loader in Xen 3.0.3, 3.3.0, and Xen-3.3.1 does not support the password option in grub.conf for para-virtualized guests, which allows attackers with access to the para-virtualized guest console to boot the guest or modify the guest's kernel boot parameters without providing the expected password. | |||||
| CVE-2009-1758 | 2 Linux, Xen | 2 Linux Kernel, Xen | 2026-06-16 | 5.0 MEDIUM | N/A |
| The hypervisor_callback function in Xen, possibly before 3.4.0, as applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other versions allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in "certain address ranges." | |||||
| CVE-2008-4993 | 1 Xen | 1 Xen | 2026-06-16 | 6.9 MEDIUM | N/A |
| qemu-dm.debug in Xen 3.2.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/args temporary file. | |||||
| CVE-2008-3687 | 1 Xen | 2 Xen, Xen Flask Module | 2026-06-16 | 6.8 MEDIUM | N/A |
| Heap-based buffer overflow in the flask_security_label function in Xen 3.3, when compiled with the XSM:FLASK module, allows unprivileged domain users (domU) to execute arbitrary code via the flask_op hypercall. | |||||
| CVE-2007-6416 | 1 Xen | 1 Xen | 2026-06-16 | 4.6 MEDIUM | N/A |
| The copy_to_user function in the PAL emulation functionality for Xen 3.1.2 and earlier, when running on ia64 systems, allows HVM guest users to access arbitrary physical memory by triggering certain mapping operations. | |||||
| CVE-2007-5730 | 3 Debian, Qemu, Xen | 3 Debian Linux, Qemu, Xen | 2026-06-16 | 7.2 HIGH | N/A |
| Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the "net socket listen" option, aka QEMU "net socket" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the individual net socket listen vulnerability. | |||||
| CVE-2007-1321 | 4 Debian, Fedoraproject, Qemu and 1 more | 5 Debian Linux, Fedora, Fedora Core and 2 more | 2026-06-16 | 7.2 HIGH | N/A |
| Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730. | |||||
| CVE-2007-1320 | 5 Debian, Fedoraproject, Opensuse and 2 more | 6 Debian Linux, Fedora, Fedora Core and 3 more | 2026-06-16 | 7.2 HIGH | N/A |
| Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow. | |||||
| CVE-2007-0998 | 2 Redhat, Xen | 3 Enterprise Linux, Fedora Core, Qemu | 2026-06-16 | 4.3 MEDIUM | N/A |
| The VNC server implementation in QEMU, as used by Xen and possibly other environments, allows local users of a guest operating system to read arbitrary files on the host operating system via unspecified vectors related to QEMU monitor mode, as demonstrated by mapping files to a CDROM device. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2026-23557 | 1 Xen | 1 Xen | 2026-05-19 | N/A | 6.5 MEDIUM |
| Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() triggering. In case xenstored was built with NDEBUG #defined nothing bad will happen, as assert() is doing nothing in this case. Note that the default is not to define NDEBUG for xenstored builds even in release builds of Xen. | |||||
| CVE-2026-23558 | 1 Xen | 1 Xen | 2026-05-19 | N/A | 7.8 HIGH |
| The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables. | |||||
| CVE-2026-23554 | 1 Xen | 1 Xen | 2026-04-10 | N/A | 7.8 HIGH |
| The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions. | |||||
| CVE-2026-23555 | 1 Xen | 1 Xen | 2026-04-10 | N/A | 7.1 HIGH |
| Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored. In case xenstored is being built with NDEBUG #defined, an unprivileged guest trying to access the node path "/local/domain/" will result in it no longer being serviced by xenstored, other guests (including dom0) will still be serviced, but xenstored will use up all cpu time it can get. | |||||