{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46841", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "state": "PUBLISHED", "assignerShortName": "XEN", "dateReserved": "2023-10-27T07:55:35.333Z", "datePublished": "2024-03-20T10:40:36.597Z", "dateUpdated": "2025-04-26T20:03:14.322Z"}, "containers": {"cna": {"title": "x86: shadow stack vs exceptions from emulation stubs", "datePublic": "2024-02-27T10:38:00.000Z", "descriptions": [{"lang": "en", "value": "Recent x86 CPUs offer functionality named Control-flow Enforcement\nTechnology (CET). A sub-feature of this are Shadow Stacks (CET-SS).\nCET-SS is a hardware feature designed to protect against Return Oriented\nProgramming attacks. When enabled, traditional stacks holding both data\nand return addresses are accompanied by so called \"shadow stacks\",\nholding little more than return addresses. Shadow stacks aren't\nwritable by normal instructions, and upon function returns their\ncontents are used to check for possible manipulation of a return address\ncoming from the traditional stack.\n\nIn particular certain memory accesses need intercepting by Xen. In\nvarious cases the necessary emulation involves kind of replaying of\nthe instruction. Such replaying typically involves filling and then\ninvoking of a stub. Such a replayed instruction may raise an\nexceptions, which is expected and dealt with accordingly.\n\nUnfortunately the interaction of both of the above wasn't right:\nRecovery involves removal of a call frame from the (traditional) stack.\nThe counterpart of this operation for the shadow stack was missing."}], "impacts": [{"descriptions": [{"lang": "en", "value": "An unprivileged guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host."}]}], "affected": [{"defaultStatus": "unknown", "product": "Xen", "vendor": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-451"}]}], "configurations": [{"lang": "en", "value": "Xen 4.14 and onwards are vulnerable. Xen 4.13 and older are not\nvulnerable.\n\nOnly x86 systems with CET-SS enabled are vulnerable. x86 systems with\nCET-SS unavailable or disabled are not vulnerable. Arm systems are not\nvulnerable. See\nhttps://xenbits.xen.org/docs/latest/faq.html#tell-if-cet-is-active\nfor how to determine whether CET-SS is active.\n\nOnly HVM or PVH guests can leverage the vulnerability. PV guests cannot\nleverage the vulnerability."}], "workarounds": [{"lang": "en", "value": "While in principle it is possible to disable use of CET on capable\nsystems using the \"cet=no-shstk\" command line option, doing so disables\nan important security feature and may therefore not be advisable."}], "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Jan Beulich of SUSE."}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-451.html"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-03-23T03:06:14.246Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-03-25T16:09:38.636466Z", "id": "CVE-2023-46841", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-05T18:53:05.398Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-451.html", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/", "tags": ["x_transferred"]}, {"url": "http://xenbits.xen.org/xsa/advisory-451.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-26T20:03:14.322Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-451.html", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/", "tags": ["x_transferred"]}, {"url": "http://xenbits.xen.org/xsa/advisory-451.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-26T20:03:14.322Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-46841", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-25T16:09:38.636466Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:19.387Z"}}], "cna": {"title": "x86: shadow stack vs exceptions from emulation stubs", "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Jan Beulich of SUSE."}], "impacts": [{"descriptions": [{"lang": "en", "value": "An unprivileged guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host."}]}], "affected": [{"vendor": "Xen", "product": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-451"}], "defaultStatus": "unknown"}], "datePublic": "2024-02-27T10:38:00.000Z", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-451.html"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/"}], "workarounds": [{"lang": "en", "value": "While in principle it is possible to disable use of CET on capable\nsystems using the \"cet=no-shstk\" command line option, doing so disables\nan important security feature and may therefore not be advisable."}], "descriptions": [{"lang": "en", "value": "Recent x86 CPUs offer functionality named Control-flow Enforcement\nTechnology (CET). A sub-feature of this are Shadow Stacks (CET-SS).\nCET-SS is a hardware feature designed to protect against Return Oriented\nProgramming attacks. When enabled, traditional stacks holding both data\nand return addresses are accompanied by so called \"shadow stacks\",\nholding little more than return addresses. Shadow stacks aren't\nwritable by normal instructions, and upon function returns their\ncontents are used to check for possible manipulation of a return address\ncoming from the traditional stack.\n\nIn particular certain memory accesses need intercepting by Xen. In\nvarious cases the necessary emulation involves kind of replaying of\nthe instruction. Such replaying typically involves filling and then\ninvoking of a stub. Such a replayed instruction may raise an\nexceptions, which is expected and dealt with accordingly.\n\nUnfortunately the interaction of both of the above wasn't right:\nRecovery involves removal of a call frame from the (traditional) stack.\nThe counterpart of this operation for the shadow stack was missing."}], "configurations": [{"lang": "en", "value": "Xen 4.14 and onwards are vulnerable. Xen 4.13 and older are not\nvulnerable.\n\nOnly x86 systems with CET-SS enabled are vulnerable. x86 systems with\nCET-SS unavailable or disabled are not vulnerable. Arm systems are not\nvulnerable. See\nhttps://xenbits.xen.org/docs/latest/faq.html#tell-if-cet-is-active\nfor how to determine whether CET-SS is active.\n\nOnly HVM or PVH guests can leverage the vulnerability. PV guests cannot\nleverage the vulnerability."}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-03-23T03:06:14.246Z"}}}, "cveMetadata": {"cveId": "CVE-2023-46841", "state": "PUBLISHED", "dateUpdated": "2025-04-26T20:03:14.322Z", "dateReserved": "2023-10-27T07:55:35.333Z", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "datePublished": "2024-03-20T10:40:36.597Z", "assignerShortName": "XEN"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*", "matchCriteriaId": "73CA7EB6-4464-4294-B859-0C8DD3AB7E86", "versionStartIncluding": "4.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Recent x86 CPUs offer functionality named Control-flow Enforcement\nTechnology (CET). A sub-feature of this are Shadow Stacks (CET-SS).\nCET-SS is a hardware feature designed to protect against Return Oriented\nProgramming attacks. When enabled, traditional stacks holding both data\nand return addresses are accompanied by so called \"shadow stacks\",\nholding little more than return addresses. Shadow stacks aren't\nwritable by normal instructions, and upon function returns their\ncontents are used to check for possible manipulation of a return address\ncoming from the traditional stack.\n\nIn particular certain memory accesses need intercepting by Xen. In\nvarious cases the necessary emulation involves kind of replaying of\nthe instruction. Such replaying typically involves filling and then\ninvoking of a stub. Such a replayed instruction may raise an\nexceptions, which is expected and dealt with accordingly.\n\nUnfortunately the interaction of both of the above wasn't right:\nRecovery involves removal of a call frame from the (traditional) stack.\nThe counterpart of this operation for the shadow stack was missing."}, {"lang": "es", "value": "Las CPU x86 recientes ofrecen una funcionalidad denominada Control-flow Enforcement Technology (CET). Una subcaracter\u00edstica de esto son Shadow Stacks (CET-SS). CET-SS es una caracter\u00edstica de hardware manipulada para proteger contra ataques de programaci\u00f3n orientada al retorno. Cuando est\u00e1n habilitadas, las pilas tradicionales que contienen datos y direcciones de retorno van acompa\u00f1adas de las llamadas \"pilas ocultas\", que contienen poco m\u00e1s que direcciones de retorno. Las pilas de sombra no se pueden escribir mediante instrucciones normales y, cuando la funci\u00f3n regresa, su contenido se usa para verificar una posible manipulaci\u00f3n de una direcci\u00f3n de retorno proveniente de la pila tradicional. En particular, ciertos accesos a la memoria necesitan ser interceptados por Xen. En varios casos, la emulaci\u00f3n necesaria implica una especie de repetici\u00f3n de la instrucci\u00f3n. Esta reproducci\u00f3n normalmente implica llenar y luego invocar un trozo. Una instrucci\u00f3n repetida de este tipo puede generar excepciones, lo cual se espera y se trata en consecuencia. Desafortunadamente, la interacci\u00f3n de los dos anteriores no fue correcta: la recuperaci\u00f3n implica la eliminaci\u00f3n de un marco de llamada de la pila (tradicional). Faltaba la contraparte de esta operaci\u00f3n para la pila de sombra."}], "id": "CVE-2023-46841", "lastModified": "2025-05-12T15:06:58.113", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-20T11:15:08.220", "references": [{"source": "security@xen.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/"}, {"source": "security@xen.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-451.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://xenbits.xen.org/xsa/advisory-451.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-451.html"}], "sourceIdentifier": "security@xen.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}