4.9.0

DATE	CVE	VULNERABILITY TITLE	RISK
2021-11-24	CVE-2021-28704	PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. local low complexity xen fedoraproject debian	8.8
2021-11-24	CVE-2021-28706	Allocation of Resources Without Limits or Throttling vulnerability in multiple products guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. network low complexity xen fedoraproject debian CWE-770	8.6
2021-11-24	CVE-2021-28707	PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. local low complexity xen debian fedoraproject	8.8
2021-11-24	CVE-2021-28708	PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. local low complexity xen debian fedoraproject	8.8
2021-09-08	CVE-2021-28701	Race Condition vulnerability in multiple products Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. local high complexity xen debian fedoraproject CWE-362	7.8
2021-08-27	CVE-2021-28697	Race Condition vulnerability in multiple products grant table v2 status pages may remain accessible after de-allocation Guest get permitted access to certain Xen-owned pages of memory. local low complexity xen fedoraproject debian CWE-362	7.8
2021-08-27	CVE-2021-28698	Infinite Loop vulnerability in multiple products long running loops in grant table handling In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. local low complexity xen fedoraproject debian CWE-835	5.5
2021-06-30	CVE-2021-28692	Improper Privilege Management vulnerability in XEN inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such commands. local low complexity xen CWE-269	5.6
2021-02-18	CVE-2021-27379	An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM guest OS users to achieve unintended read/write DMA access, and possibly cause a denial of service (host OS crash) or gain privileges. local xen debian	5.9
2021-02-17	CVE-2021-26933	An issue was discovered in Xen 4.9 through 4.14.x. local low complexity xen fedoraproject debian	5.5