CVE-2022-42323

Name: CVE-2022-42323
Creator: NVD / NIST
Published: 2022-11-01T13:15:11.97+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.5/10EPSS 0.28%

Last modified Jun 17, 2026

CVE-2022-42323 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. EPSS estimates a 0.28% chance of exploitation in the next 30 days.

Description

Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota.

Metrics

CVSS 3.1

5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.28%

19.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-401

Affected Software

Vendor	Product	Versions
Xen	Xen	All versions
Debian	Debian Linux	11.0
Fedoraproject	Fedora	35
Fedoraproject	Fedora	36
Fedoraproject	Fedora	37

References

http://www.openwall.com/lists/oss-security/2022/11/01/9Mailing List, Patch, Third Party Advisory
http://xenbits.xen.org/xsa/advisory-419.htmlPatch, Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
https://security.gentoo.org/glsa/202402-07
https://www.debian.org/security/2022/dsa-5272Third Party Advisory
https://xenbits.xenproject.org/xsa/advisory-419.txtPatch, Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/11/01/9Mailing List, Patch, Third Party Advisory
http://xenbits.xen.org/xsa/advisory-419.htmlPatch, Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
https://security.gentoo.org/glsa/202402-07
https://www.debian.org/security/2022/dsa-5272Third Party Advisory
https://xenbits.xenproject.org/xsa/advisory-419.txtPatch, Vendor Advisory

Timeline

Published: Nov 1, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-42323?

How severe is CVE-2022-42323?

CVE-2022-42323 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 0.28% probability of exploitation in the next 30 days.

How do I fix CVE-2022-42323?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-42323?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST