Xen Intel EPT Paging Use-After-Free Vulnerability Allowing Privilege Escalation and Information Leaks

Vulnerability

A use-after-free vulnerability has been identified in the Intel Extended Page Tables (EPT) handling within Xen hypervisor versions 4.17 and later. The issue arises because the EPT paging code, for performance, defers flushing cached EPT state until after the physical-to-machine (p2m) lock has been released. This deferral lets multiple modifications be consolidated into a single flush, but it also opens a window in which paging structures that have already been freed remain reachable through cached state. Such stale entries may reference memory no longer allocated to the guest, potentially granting access to memory the guest is not authorized to touch. The vulnerability can be exploited by x86 HVM/PVH guests using Hardware-Assisted Paging (HAP) on affected systems.
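The ordering problem described above can be modelled without any hypervisor code. The following C program is an added example, not Xen code and not the patch: it builds a toy p2m table (a guest-frame to machine-frame map guarded by a lock) together with a translation cache that is only emptied by an explicit flush, then runs the same unmap in two orders. In the first, the flush is deferred until after the lock is dropped, and a second vCPU that runs inside that window resolves the freed frame through the cache. In the second, the flush happens before the lock is released and the window is gone. All names (`p2m_model`, `unmap_and_free`, `guest_access_is_stale`) and the initial mappings are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES      4   /* guest-physical frames (gfns) in the toy guest */
#define NFRAMES     8   /* machine frames (mfns) on the toy host */
#define NO_MFN      0   /* mfn 0 is reserved to mean "no translation" */
#define OWNER_GUEST 1
#define OWNER_HOST  2

/* Toy model of a p2m (constructed for this example, not Xen's data structures). */
struct p2m_model {
    bool locked;                /* the p2m lock that serialises table updates */
    uint32_t table[NPAGES];     /* gfn -> mfn, NO_MFN when unmapped */
    uint32_t cache[NPAGES];     /* cached gfn -> mfn state, NO_MFN when empty */
    int owner[NFRAMES];         /* who currently owns each machine frame */
};

/* Constructed initial state: gfn i maps to mfn i+1, all frames owned by the guest. */
static void p2m_init(struct p2m_model *m)
{
    memset(m, 0, sizeof *m);
    for (uint32_t gfn = 0; gfn < NPAGES; gfn++) {
        m->table[gfn] = gfn + 1;
        m->owner[gfn + 1] = OWNER_GUEST;
    }
}

static void p2m_lock(struct p2m_model *m)   { m->locked = true; }
static void p2m_unlock(struct p2m_model *m) { m->locked = false; }

/* Cached state is only dropped by an explicit flush, as with real paging caches. */
static void flush_cached_state(struct p2m_model *m)
{
    memset(m->cache, 0, sizeof m->cache);
}

/* Translation as a vCPU sees it: a cache hit wins, otherwise walk the table and cache it. */
static uint32_t translate(struct p2m_model *m, uint32_t gfn)
{
    if (m->cache[gfn] == NO_MFN)
        m->cache[gfn] = m->table[gfn];
    return m->cache[gfn];
}

/* Tear down gfn's mapping and return its frame to the host. Caller holds the lock. */
static void unmap_and_free(struct p2m_model *m, uint32_t gfn)
{
    uint32_t mfn = m->table[gfn];
    m->table[gfn] = NO_MFN;
    m->owner[mfn] = OWNER_HOST;     /* the frame is now someone else's memory */
}

/* 1 if a guest access to gfn resolves to a frame the guest no longer owns. */
static int guest_access_is_stale(struct p2m_model *m, uint32_t gfn)
{
    uint32_t mfn = translate(m, gfn);
    return mfn != NO_MFN && m->owner[mfn] != OWNER_GUEST;
}

/* Ordering described in the advisory: the flush is deferred until after the
 * lock is released, so another vCPU can still hit the cached, freed state. */
int run_deferred_flush(void)
{
    struct p2m_model m;
    p2m_init(&m);
    translate(&m, 2);                           /* vCPU A populates cached state for gfn 2 */
    p2m_lock(&m);
    unmap_and_free(&m, 2);                      /* frame handed back to the host */
    p2m_unlock(&m);                             /* lock dropped, cache not yet flushed */
    int stale = guest_access_is_stale(&m, 2);   /* vCPU B runs inside the window */
    flush_cached_state(&m);                     /* the batched flush arrives too late */
    return stale;
}

/* Flushing before the lock is released leaves no window for the stale state. */
int run_flush_under_lock(void)
{
    struct p2m_model m;
    p2m_init(&m);
    translate(&m, 2);
    p2m_lock(&m);
    unmap_and_free(&m, 2);
    flush_cached_state(&m);                     /* stale state gone before anyone else runs */
    p2m_unlock(&m);
    return guest_access_is_stale(&m, 2);
}

int main(void)
{
    printf("deferred flush:   stale access observed = %d\n", run_deferred_flush());
    printf("flush under lock: stale access observed = %d\n", run_flush_under_lock());
    return 0;
}
```

The model deliberately collapses the distinction between cached translations and cached paging-structure state; the point it isolates is that any cache which outlives the lock protecting the structures it refers to can return a reference to memory that has already been reassigned, which is exactly the use-after-free shape the advisory describes.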

Impact

Exploitation of this vulnerability could lead to unauthorized access to memory, allowing for information leaks, privilege escalation, and a denial-of-service condition affecting the entire host.

Remediation

Applying the provided patch resolves this vulnerability. Note that this patch is intended for the stable branches of Xen 4.17.x. Instructions for applying the patch can be found in the Xen Security Advisory XSA-480.

Added: Mar 23, 2026, 7:18 AM
Updated: Mar 23, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 2.9
remediation: 7.7
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.