CVE-2017-10916
7.5
HIGH
CVSS 3.1
EPSS 0.39%
Description
The vCPU context-switch implementation in Xen through 4.8.x improperly interacts with the Memory Protection Extensions (MPX) and Protection Key (PKU) features, which makes it easier for guest OS users to defeat ASLR and other protection mechanisms, aka XSA-220.
How to fix CVE-2017-10916
To remediate CVE-2017-10916, upgrade the affected package to a fixed version below.
- Alpine/xen—upgrade to 4.9.0-r0 or later
- —upgrade to 4.8.1-1+deb9u3 or later
Is CVE-2017-10916 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 4.9.0-r0
- from 0, < 4.8.1-1+deb9u3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |