CVE-2022-26359
First published: Tue Apr 05 2022(Updated: )
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.
Credit: security@xen.org security@xen.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/xen | <=4.11.4+107-gef32c7afa2-1 | 4.14.6-1 4.14.5+94-ge49571868d-1 4.17.1+2-gb773c48e36-1 4.17.2+55-g0b56bed864-1 |
| Xen XAPI | ||
| Debian | =11.0 | |
| Fedora | =34 | |
| Fedora | =35 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://xenbits.xen.org/xsa/advisory-400.html
- https://security-tracker.debian.org/tracker/CVE-2022-26359
- http://www.openwall.com/lists/oss-security/2022/04/05/3
- http://xenbits.xen.org/xsa/advisory-400.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/
- https://www.debian.org/security/2022/dsa-5117
- https://xenbits.xenproject.org/xsa/advisory-400.txt
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/
- https://security.gentoo.org/glsa/202402-07
Frequently Asked Questions
What is CVE-2022-26359?
CVE-2022-26359 is a vulnerability related to IOMMU handling issues for certain PCI devices in a system.
How severe is CVE-2022-26359?
CVE-2022-26359 has a severity rating of 7.8 (high).
What is the affected software for CVE-2022-26359?
The affected software includes Xen Xen, Debian Debian Linux 11.0, Fedoraproject Fedora 34, and Fedoraproject Fedora 35.
How can I fix CVE-2022-26359?
To fix CVE-2022-26359, it is recommended to update the Xen package to version 4.14.6-1, 4.14.5+94-ge49571868d-1, 4.17.1+2-gb773c48e36-1, or 4.17.2+55-g0b56bed864-1.
Where can I find more information about CVE-2022-26359?
You can find more information about CVE-2022-26359 at the following references: [1](http://www.openwall.com/lists/oss-security/2022/04/05/3), [2](http://xenbits.xen.org/xsa/advisory-400.html), [3](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/).
- collector/security-tracker-debian
- agent/type
- agent/remedy
- agent/references
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/debian
- vendor/xen
- canonical/xen xapi
- vendor/debian
- canonical/debian
- version/debian/11.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/34
- version/fedora/35