Ian Campbell

**Name of the Vulnerable Software and Affected Versions** Xen versions prior to 4.7 **Description** A race condition exists in the relinquish memory function, allowing local domains with partial management control to cause a denial of service, resulting in a host crash. This can be achieved through vectors involving the destruction of a domain and using the XENMEM decrease reservation function to reduce the memory of the domain. **Recommendations** For versions prior to 4.7, update to a newer version to mitigate the risk of a denial of service.

**Name of the Vulnerable Software and Affected Versions** Xen versions 4.4.x **Description** The issue occurs when Xen 4.4.x, running on an ARM system, handles an unknown system register access from 64-bit userspace. Instead of returning to an instruction associated with faults in 64-bit userspace, it returns to an instruction of the trap handler for kernel space faults. This allows local guest users to cause a denial of service (crash) and possibly gain privileges via a crafted process. **Recommendations** For Xen version 4.4.x, consider applying a patch or fix that corrects the handling of unknown system register accesses from 64-bit userspace to prevent denial of service and potential privilege escalation.

**Name of the Vulnerable Software and Affected Versions** Xen versions 4.4.x **Description** The issue arises when Xen 4.4.x, running a 64-bit kernel on an ARM system, fails to properly handle traps from the guest domain that use a different address width. This allows local guest users to cause a denial of service, resulting in a host crash, by executing a crafted 32-bit process. **Recommendations** For Xen version 4.4.x, consider applying a patch or update that addresses the improper handling of traps from the guest domain to prevent a denial of service. As a temporary workaround, consider restricting the execution of 32-bit processes on the guest domain to minimize the risk of host crash.