CVE-2024-31146

low-risk

Published 2024-09-25

When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines.

Do I need to act?

0.07% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

LOCAL / HIGH complexity

Affected Products (1)

Xen

Affected Vendors

Xen

References (3)

Patch https://xenbits.xenproject.org/xsa/advisory-461.html

Mailing List http://www.openwall.com/lists/oss-security/2024/08/14/3

Patch http://xenbits.xen.org/xsa/advisory-461.html

/ 100

low-risk

Severity 20/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal