DEBIAN-CVE-2021-28701

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/DEBIAN-CVE-2021-28701

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2021-28701.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2021-28701

Upstream

CVE-2021-28701

Published

2021-09-08T14:15:08Z

Modified

2025-09-25T02:31:09.137454Z

Summary

[none]

Details

Another race in XENMAPSPACEgranttable handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.

References

https://security-tracker.debian.org/tracker/CVE-2021-28701

Affected packages

Debian:11 / xen

Package

Name: xen
Purl: pkg:deb/debian/xen?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.14.3-1~deb11u1

Affected versions

4.*

4.14.2+25-gb6a8c4f72d-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / xen

Package

Name: xen
Purl: pkg:deb/debian/xen?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.14.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / xen

Package

Name: xen
Purl: pkg:deb/debian/xen?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.14.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / xen

Package

Name: xen
Purl: pkg:deb/debian/xen?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.14.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}