Xen Grant Table V2 Race Condition Vulnerability in Status Page Mapping

A race condition vulnerability has been identified in Xen hypervisor versions 4.0 and later, affecting HVM and PVH guests that use grant table version 2. The vulnerability arises during a simultaneous grant table version change from v2 to v1 and the mapping of status pages into the guest's secondary page tables. This can lead to premature freeing of some status pages while their mappings are still being inserted, creating a potential for privilege escalation, information leaks, and denial-of-service conditions that could impact the entire host.

Impact

Exploitation of this vulnerability could result in unauthorized privilege escalation, information leaks, and a denial-of-service condition that may affect the entire host.

Remediation

To address this vulnerability, use the 'gnttab=max-ver:1' hypervisor command line option or set the 'max_grant_version=1' guest configuration option for HVM and PVH guests. Patches are available for Xen 4.19.x and Xen 4.18.x through 4.17.x.