Xen Security Advisory CVE-2019-19581,CVE-2019-19582 / XSA-307
UPDATES IN VERSION 3
Updated metadata to add 4.13, update StableRef's
In a number of places bitmaps are being used by the hypervisor to track
certain state. Iteration over all bits involves functions which may
misbehave in certain corner cases:
- - On 32-bit Arm accesses to bitmaps with bit a count which is a multiple
of 32, an out of bounds access may occur. (CVE-2019-19581)
- - On x86 accesses to bitmaps with a compile time known size of 64 may
incur undefined behavior, which may in particular result in infinite
A malicious guest may cause a hypervisor crash or hang, resulting in a
Denial of Service (DoS).
All versions of Xen are vulnerable.
32-bit Arm systems are vulnerable.
x86 systems with 64 or more nodes are vulnerable. We are unaware of any
such systems that Xen would run on.
64-bit Arm systems as well as x86 systems with less than 64 nodes are
There is no known mitigation for 32-bit Arm systems.
For x86 systems the issue can be avoided by suppressing the use of NUMA
information provided by firmware, via the "numa=off" command line
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)