CVE-2023-46836

x86: BTC/SRSO fixes not fully effective

Description

The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled.

However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths: one unconditionally, and one conditionally on whether XPTI was active.

As BTC/SRSO (AMD) and Meltdown (Intel) affect different CPU vendors, the mitigations are not active together by default. Therefore there is a race condition: an interrupt taken on one of those entry paths before the BTC/SRSO mitigation has completed is serviced without it, and a malicious PV guest can exploit this to bypass the BTC/SRSO protections and launch a BTC/SRSO attack against Xen.

Remediation

Workaround:

  • Running only HVM or PVH VMs will avoid the vulnerability, since only PV guests can trigger the race.
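The workaround only holds if no PV guest is running, so the practical check is to list every domain's type. The script below is an added example for this page, not code from the Xen project or from the advisory. It assumes the JSON layout that `xl list -l` emits (a list of objects with "domid" and "config", the guest type under config["c_info"]["type"] as "pv", "hvm" or "pvh", and the name under config["c_info"]["name"]); confirm that against your xl version. When xl is not on the path it falls back to a constructed sample so it can be run offline.

```python
"""Audit a Xen host for PV guests (CVE-2023-46836 / XSA-446 workaround check).

Added example, not code from the Xen project or the XSA-446 advisory.
Assumption: the JSON shape of `xl list -l` output, i.e. a list of
{"domid": N, "config": {"c_info": {"type": ..., "name": ...}, ...}} objects.
"""
import json
import shutil
import subprocess
import sys

# Constructed sample in the shape of `xl list -l` output; not captured from a
# real host. Domain 0 is listed as PV, as on a classic (non-PVH) dom0.
SAMPLE_XL_LIST = json.dumps([
    {"domid": 0, "config": {"c_info": {"type": "pv", "name": "Domain-0"}}},
    {"domid": 3, "config": {"c_info": {"type": "hvm", "name": "win-app"}}},
    {"domid": 5, "config": {"c_info": {"type": "pvh", "name": "build-1"}}},
    {"domid": 7, "config": {"c_info": {"type": "pv", "name": "legacy-db"}}},
])


def domain_types(xl_list_json):
    """Return [(domid, name, type)] for every domain in `xl list -l` JSON.

    A domain whose config lacks c_info (e.g. the config could not be
    retrieved) is reported with type "unknown" rather than dropped, so the
    audit fails safe instead of overlooking a possible PV guest.
    """
    rows = []
    for entry in json.loads(xl_list_json):
        domid = entry.get("domid")
        c_info = (entry.get("config") or {}).get("c_info") or {}
        rows.append((domid, c_info.get("name", "?"), c_info.get("type", "unknown")))
    return rows


def exploiting_domains(xl_list_json):
    """Domains that can trigger CVE-2023-46836: PV guests other than dom0.

    Dom0 is the trusted control domain, not a guest, so a PV dom0 is not
    flagged. Domains of unknown type are flagged: an unverified domain
    should not pass an audit whose point is "no PV guests".
    """
    return [(d, n, t) for d, n, t in domain_types(xl_list_json)
            if d != 0 and t in ("pv", "unknown")]


def main():
    if shutil.which("xl"):
        # Needs root; `xl list -l` dumps each domain's libxl config as JSON.
        out = subprocess.run(["xl", "list", "-l"], capture_output=True,
                             text=True, check=True).stdout
        source = "live xl output"
    else:
        out, source = SAMPLE_XL_LIST, "constructed sample (xl not found)"
    print(f"Domain types ({source}):")
    for domid, name, dtype in domain_types(out):
        print(f"  {str(domid):>4}  {dtype:<8} {name}")
    bad = exploiting_domains(out)
    if bad:
        print("PV guests present; the HVM/PVH-only workaround for "
              "CVE-2023-46836 does NOT apply to this host:")
        for domid, name, _ in bad:
            print(f"  domid {domid}: {name}")
        return 1
    print("No PV guests; the HVM/PVH-only workaround applies.")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as root on the host (the exit status is 1 when a PV guest is found, so it can sit in a cron or CI check). Converting the remaining PV guests to PVH or HVM, or applying the vendor fix, is what actually closes the issue; the script only tells you whether the workaround currently holds.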
CVSS 3.1 base score: 4.7
Severity: Medium
EPSS: 0.01%
Vendor advisory: xenproject.org
Affected: Xen (vendor Xen, product Xen)
Published at:
Updated at:

References

  • Xen Security Advisory XSA-446 (x86: BTC/SRSO fixes not fully effective): https://xenbits.xen.org/xsa/advisory-446.html
Frequently Asked Questions

What is the severity of CVE-2023-46836?
CVE-2023-46836 has been scored as a medium severity vulnerability.
How to fix CVE-2023-46836?
As a workaround for remediating CVE-2023-46836: Running only HVM or PVH VMs will avoid the vulnerability.
Is CVE-2023-46836 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2023-46836 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-46836?
CVE-2023-46836 affects the Xen hypervisor on x86 (listed as vendor Xen, product Xen); only PV guests can trigger it.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.