CVE-2015-8551
moderate-risk
Published 2016-04-13
The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka "Linux pciback missing sanity checks."
Do I need to act?
0.07% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list (no confirmed active exploitation reported to CISA)
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 6.0/10 (Medium); attack vector LOCAL, attack complexity LOW
Affected Products (14)
References (24)
Third Party Advisory: http://www.debian.org/security/2016/dsa-3434
Third Party Advisory: http://www.securityfocus.com/bid/79546
Third Party Advisory: http://www.securitytracker.com/id/1034480
Vendor Advisory: http://xenbits.xen.org/xsa/advisory-157.html
Third Party Advisory: https://security.gentoo.org/glsa/201604-03
and 4 more references
Risk score: 38 / 100 (moderate-risk)
Severity: 20/34 · Moderate
Exploitability: 0/34 · Minimal
Exposure: 18/34 · Moderate