CVE-2021-28693

MEDIUM

Xen 4.12.0-4.14.99 - Unprotected User Data Exposure via Boot Module Scrubbing Failure

Title source: llm
STIX 2.1

Description

xen/arm: Boot modules are not scrubbed The bootloader will load boot modules (e.g. kernel, initramfs...) in a temporary area before they are copied by Xen to each domain memory. To ensure sensitive data is not leaked from the modules, Xen must "scrub" them before handing the page over to the allocator. Unfortunately, it was discovered that modules will not be scrubbed on Arm.

References (2)

Core 2
Core References
Vendor Advisory x_refsource_misc
https://xenbits.xenproject.org/xsa/advisory-372.txt
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202107-30

Scores

CVSS v3 5.5
EPSS 0.0006
EPSS Percentile 18.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

Status published
Products (2)
xen/xen 4.15.0 rc1
xen/xen 4.12.0 - 4.15.0
Published Jun 30, 2021
Tracked Since Feb 18, 2026