CVE-2012-4544

Description

The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompression, which allows local guest administrators to cause a denial of service (domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk.

How to fix CVE-2012-4544

To remediate CVE-2012-4544, upgrade the affected package to a fixed version below.

• Debian/xen—upgrade to 4.1.3-4 or later

Is CVE-2012-4544 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 4.1.3-4

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-4544