#VU89353 Memory leak in Xen - CVE-2024-27393


Vulnerability identifier: #VU89353

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-27393

CWE-ID: CWE-401

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Xen
Server applications / Virtualization software

Vendor: Xen Project

Description
The vulnerability allows a malicious guest to perform DoS attack on the target system.

The vulnerability exists due memory leak within the xennet_alloc_one_rx_buffer() function in xen-netback implementation. A malicious guest userspace process can exhaust memory resources within the guest kernel and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Xen: All versions

External links
https://xenbits.xen.org/xsa/advisory-457.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Guardium Data Protection
Ubuntu update for linux-xilinx-zynqmp
SUSE update for the Linux Kernel
Red Hat Enterprise Linux 9 update for kernel
Ubuntu update for linux-gcp-5.15
Ubuntu update for linux-raspi
Ubuntu update for linux-azure
Ubuntu update for linux-aws-5.15
Ubuntu update for linux-aws
Multiple vulnerabilities in Oracle Linux