'Fatal' bug found in the Xen hypervisor

Security expert Jérémie Boutoille from Quarkslab said that he found a critical bug in the Xen hypervisor.

The open-source hypervisor, which has the likes of Amazon and IBM on its list of cloud clients, has a bug that could lead to ‘potential privilege escalation’.

The bug, identified as CVE-2016-6258, affects all versions of Xen. However, only PV guests on x86 hardware are affected. Hardware virtual machine (HVM) and ARM guests are deemed invulnerable.

“Running only HVM guests will avoid this vulnerability,” the researcher said in an advisory posted on the Xenbits website.

In theory, the bug would allow a malicious PV guest administrator to escalate their privileges to those of the host. That would break the isolation between PV virtual machines, allowing an attacker who breaks into one to break into others as well.

"The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only access/dirty bits)," it says in the issue description.

"The bits considered safe were too broad, and not actually safe."
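The fast-path idea in the issue description, as an added C illustration (not Xen's code and not taken from the advisory). The masks, the `update_pte` helper and the read-only policy are hypothetical, and treating the writable bit as the "too broad" bit is an assumption made only to show the failure mode.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural x86 page-table entry flag bits. */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_RW       (1ULL << 1)
#define PTE_ACCESSED (1ULL << 5)
#define PTE_DIRTY    (1ULL << 6)

/* Hypothetical masks for illustration; not the masks Xen used. */
#define SAFE_NARROW (PTE_ACCESSED | PTE_DIRTY)
#define SAFE_BROAD  (SAFE_NARROW | PTE_RW) /* assumed mistake */

/* Fast path applies only if old and new differ solely in "safe" bits. */
static bool is_fast_path(uint64_t old_pte, uint64_t new_pte, uint64_t safe)
{
    return ((old_pte ^ new_pte) & ~safe) == 0;
}

/* Stand-in for full revalidation: a frame the policy marks read-only
 * must never be mapped present and writable. */
static bool revalidate(uint64_t new_pte, bool frame_read_only)
{
    bool writable = (new_pte & PTE_PRESENT) && (new_pte & PTE_RW);
    return !(frame_read_only && writable);
}

/* Apply a guest-requested update; returns true if it was accepted. */
static bool update_pte(uint64_t *slot, uint64_t new_pte, uint64_t safe,
                       bool frame_read_only)
{
    if (!is_fast_path(*slot, new_pte, safe) &&
        !revalidate(new_pte, frame_read_only))
        return false;              /* slow path rejected the update */
    *slot = new_pte;               /* fast path, or slow path passed */
    return true;
}

int main(void)
{
    uint64_t ro = 0x1000 | PTE_PRESENT;   /* constructed sample entry */
    uint64_t a = ro, b = ro;
    printf("broad mask accepts RW flip:  %d\n",
           update_pte(&a, ro | PTE_RW, SAFE_BROAD, true));
    printf("narrow mask accepts RW flip: %d\n",
           update_pte(&b, ro | PTE_RW, SAFE_NARROW, true));
    return 0;
}
```

With the broad mask the permission change never reaches `revalidate`, so the policy is bypassed without any check failing; with the narrow mask the same request is routed to the slow path and rejected.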

Xen also forms the basis of Qubes OS, which is why Joanna Rutkowska spoke up. She says the vulnerability should be considered ‘fatal’.

"The mere fact we were unable to come up with an agreeable exploitation sketch within the last 24 hours should not be treated as a mitigation factor," she said. "This bug, being the second critical bug in the Xen PV virtualisation code publicly discussed in a relatively short period of time, cannot simply be shrugged off, patched, and forgotten."

Patches are available for download here.