CVE-2021-28694: 
Linux Debian vulnerability analysis and mitigation

CVE-2021-28694 is a vulnerability in the Xen hypervisor that affects systems with ACPI tables specifying untranslated memory regions. The vulnerability was discovered by Jan Beulich of SUSE and disclosed in September 2021. It affects all versions of Xen on x86 systems with IOMMUs and firmware specifying memory regions to be identity mapped (Xen Advisory).

The vulnerability occurs when ACPI tables specify regions of memory that should be left untranslated (pass through the translation phase unaltered). While these are typically device-specific ACPI properties, they can also be specified to apply to a range of devices or all devices. Xen failed to prevent guests from undoing or replacing such mappings. The vulnerability has a CVSS v3.1 Base Score of 6.8 (MEDIUM) with vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The precise impact is system-specific and can include privilege escalation, denial of service, or information leaks on affected systems. The vulnerability is only exploitable by guests granted access to physical devices through PCI passthrough (Xen Advisory).

The primary mitigation is to not permit untrusted guests access to physical devices. Additionally, limiting untrusted guest access to physical devices whose firmware-provided ACPI tables declare identity mappings will avoid the vulnerability, provided there are no identity mapped regions specified by the ACPI tables to apply globally. Note that a system remains vulnerable if a guest was trusted while having a device assigned, and then has the device removed in anticipation of the guest becoming untrusted (Xen Advisory).