CVE-2021-28695: 
Linux Debian vulnerability analysis and mitigation

CVE-2021-28695 is part of a set of IOMMU page mapping vulnerabilities discovered in Xen hypervisor. This specific vulnerability affects AMD systems where a discontinuous range is specified by firmware, causing the supposedly-excluded middle range to be incorrectly identity-mapped. The vulnerability was discovered by Jan Beulich of SUSE and disclosed in September 2021 (Xen Advisory).

The vulnerability occurs on AMD systems when handling IOMMU page mappings. When firmware specifies a discontinuous memory range that should be left untranslated, the system incorrectly identity-maps the middle range that should have been excluded. This affects x86 systems with IOMMUs and firmware specifying memory regions to be identity mapped. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.8 (MEDIUM) with vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The impact is system-specific and can result in privilege escalation, denial of service, or information leaks on affected systems. The vulnerability is only exploitable by guests granted access to physical devices via PCI passthrough (Xen Advisory).

The primary mitigation is to not permit untrusted guests access to physical devices. Additionally, limiting untrusted guest access to physical devices whose firmware-provided ACPI tables declare identity mappings will avoid the vulnerability, provided there are no identity mapped regions specified globally in the ACPI tables. Note that a system remains vulnerable if a guest was trusted while having a device assigned, and then has the device removed in anticipation of the guest becoming untrusted (Xen Advisory).