CVE-2017-12855

Name: CVE-2017-12855
Creator: NVD / NIST
Published: 2017-08-15T16:29:00.233+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 0.40%

Last modified Jun 17, 2026

CVE-2017-12855 is a vulnerability of currently unknown severity. Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. EPSS estimates a 0.40% chance of exploitation in the next 30 days.

Description

Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. Under some circumstances, Xen will clear the status bits too early, incorrectly informing the guest that the grant is no longer in use. A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant. Xen 4.9, 4.8, 4.7, 4.6, and 4.5 are affected.

Metrics

EPSS Probability

0.40%

31.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-200

Affected Software

Vendor	Product	Versions
Xen	Xen	4.5.0
Xen	Xen	4.5.1
Xen	Xen	4.5.2
Xen	Xen	4.5.3
Xen	Xen	4.5.5
Xen	Xen	4.6.0
Xen	Xen	4.6.1
Xen	Xen	4.6.3
Xen	Xen	4.6.4
Xen	Xen	4.6.5
Xen	Xen	4.6.6
Xen	Xen	4.7.0
Xen	Xen	4.7.1
Xen	Xen	4.7.2
Xen	Xen	4.7.3
Xen	Xen	4.8.0
Xen	Xen	4.8.1
Xen	Xen	4.9.0

References

http://www.debian.org/security/2017/dsa-3969
http://www.securityfocus.com/bid/100341Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1039177Third Party Advisory, VDB Entry
http://xenbits.xen.org/xsa/advisory-230.htmlVendor Advisory
https://support.citrix.com/article/CTX225941
http://www.debian.org/security/2017/dsa-3969
http://www.securityfocus.com/bid/100341Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1039177Third Party Advisory, VDB Entry
http://xenbits.xen.org/xsa/advisory-230.htmlVendor Advisory
https://support.citrix.com/article/CTX225941

Timeline

Published: Aug 15, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-12855?

How severe is CVE-2017-12855?

Severity scoring for CVE-2017-12855 is pending analysis. The EPSS model estimates a 0.40% probability of exploitation in the next 30 days.

How do I fix CVE-2017-12855?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-12855?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST