Julian Grall

**Name of the Vulnerable Software and Affected Versions** Xen versions prior to 4.13 **Description** An issue in Xen allows ARM guest OS users to cause a denial of service or gain privileges by leveraging the erroneous enabling of interrupts. When an exception occurs on an ARM system and is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. This could lead to data corruption, denial of service, or possibly even privilege escalation. A malicious guest might contrive to arrange for critical Xen code to run with interrupts erroneously enabled. **Recommendations** For Xen versions prior to 4.13, consider disabling the handling of exceptions without changing processor level as a temporary workaround until a patch is available. Restrict access to critical Xen code to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xen versions prior to 4.13 **Description** An issue in Xen allows ARM guest OS users to cause a denial of service via a XENMEM add to physmap hypercall. The functions `p2m resolve translation fault()` and `p2m get entry()` use `p2m->max mapped gfn` to sanity check guest physical frames, but the function `p2m get root pointer()` ignores unused top bits of a guest physical frame, leading to aliasing. This can cause `p2m->max mapped gfn` to be updated incorrectly, potentially leading to a hypervisor crash. A malicious guest administrator may exploit this issue to cause a Denial of Service (DoS). Only Arm systems are vulnerable, while x86 systems are not affected. **Recommendations** For Xen versions prior to 4.13, update to a newer version to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to the `XENMEM add to physmap` hypercall to minimize the risk of exploitation. Additionally, restrict access to the `p2m get root pointer()` function until a patch is available.