CVE-2023-46836
Severity: MEDIUM
Xen - Branch Type Confusion and Speculative Return Stack Overflow via IRQ Race Condition
Title source: llmDescription
The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths: one unconditionally, and one conditionally on whether XPTI was active. Because BTC/SRSO and Meltdown affect different CPU vendors, the mitigations are not active together by default. Therefore, there is a race condition whereby a malicious PV guest can bypass the BTC/SRSO protections and launch a BTC/SRSO attack against Xen.
References (2)
Core (2)
Core References (Patch, Vendor Advisory):
https://xenbits.xenproject.org/xsa/advisory-446.html
Various Sources:
http://xenbits.xen.org/xsa/advisory-446.html
Scores
CVSS v3: 4.7
EPSS: 0.0002
EPSS Percentile: 6.2%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
Status: published
Products (1): xen/xen
Published: Jan 05, 2024
Tracked Since: Feb 18, 2026