Strix
26.1K

CVE-2021-28699

MEDIUMCVSS 5.5/10EPSS 0.35%

Last modified

CVE-2021-28699 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. EPSS estimates a 0.35% chance of exploitation in the next 30 days.

Description

inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing.

Metrics

CVSS 3.1
5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
0.35%

27.2th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

VendorProductVersions
XenXen>= 4.10.0
FedoraprojectFedora33
FedoraprojectFedora34
FedoraprojectFedora35
DebianDebian Linux11.0

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-28699?
inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing.
How severe is CVE-2021-28699?
CVE-2021-28699 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 0.35% probability of exploitation in the next 30 days.
How do I fix CVE-2021-28699?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-28699?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST