Description
An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the connect and disconnect states. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting/disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
References (6)
Patch, Vendor Advisory (x_refsource_misc): https://xenbits.xenproject.org/xsa/advisory-350.html
Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2021/dsa-4843
Third Party Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20210205-0001/
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2021/02/msg00018.html
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2021/03/msg00010.html
Third Party Advisory (vendor-advisory, x_refsource_gentoo): https://security.gentoo.org/glsa/202107-30
Scores
CVSS v3: 8.8
EPSS: 0.0021
EPSS Percentile: 43.0%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
CWE: CWE-416
Status: published
Products (7)
debian/debian_linux: 9.0
debian/debian_linux: 10.0
linux/linux_kernel: 4.1.44 - 4.2
netapp/hci_compute_node_bios
netapp/solidfire_&_hci_management_node
netapp/solidfire_&_hci_storage_node
xen/xen: < 4.14.1
Published: Dec 15, 2020
Tracked Since: Feb 18, 2026