CVE-2021-26933
First published: Wed Feb 17 2021(Updated: )
An issue was discovered in Xen 4.9 through 4.14.x. On Arm, a guest is allowed to control whether memory accesses are bypassing the cache. This means that Xen needs to ensure that all writes (such as the ones during scrubbing) have reached the memory before handing over the page to a guest. Unfortunately, the operation to clean the cache is happening before checking if the page was scrubbed. Therefore there is no guarantee when all the writes will reach the memory.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/xen | 4.11.4+107-gef32c7afa2-1 4.14.6-1 4.14.5+94-ge49571868d-1 4.17.1+2-gb773c48e36-1 4.17.2+55-g0b56bed864-1 | |
| Xen xen-unstable | >=4.9.0<=4.14.1 | |
| Fedora | =32 | |
| Fedora | =33 | |
| Debian | =10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://xenbits.xen.org/xsa/advisory-364.html
- https://security-tracker.debian.org/tracker/CVE-2021-26933
- http://xenbits.xen.org/xsa/advisory-364.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GELN5E6MDR5KQBJF5M5COUUED3YFZTD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOAJBVAVR6RSCUCHNXPVSNRPSFM7INMP/
- https://www.debian.org/security/2021/dsa-4888
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GELN5E6MDR5KQBJF5M5COUUED3YFZTD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOAJBVAVR6RSCUCHNXPVSNRPSFM7INMP/
Frequently Asked Questions
What is the severity of CVE-2021-26933?
CVE-2021-26933 has a high severity rating due to the potential for memory access issues affecting guest control.
How do I fix CVE-2021-26933?
To fix CVE-2021-26933, update Xen to a version that includes the relevant patches such as 4.11.4+107-gef32c7afa2-1 or later.
Which versions of Xen are affected by CVE-2021-26933?
CVE-2021-26933 affects Xen versions 4.9 through 4.14.x on Arm architecture.
How does CVE-2021-26933 impact system security?
CVE-2021-26933 can lead to inconsistent memory writes, which may compromise the integrity of the virtualized environment.
Is CVE-2021-26933 specific to any operating system?
CVE-2021-26933 impacts systems running Xen hypervisor on various Linux distributions, including Fedora and Debian.
- collector/security-tracker-debian
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/references
- agent/severity
- agent/last-modified-date
- agent/remedy
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/xen
- canonical/xen xen-unstable
- version/xen xen-unstable/4.9.0
- version/xen xen-unstable/4.14.1
- vendor/fedoraproject
- canonical/fedora
- version/fedora/32
- version/fedora/33
- vendor/debian
- canonical/debian
- version/debian/10.0