CVE-2021-28696
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2021-28696 is one of a set of IOMMU page-mapping vulnerabilities affecting the Xen hypervisor on x86 systems. This particular issue affects AMD systems: when a physical device is de-assigned from a guest, the identity mappings set up for it are left in place, so the guest retains access to ranges of memory it should no longer be able to reach (Xen Advisory).

Technical details

The vulnerability occurs on AMD systems with an IOMMU where the firmware specifies memory regions that require identity mapping. When a physical device is de-assigned from a guest, Xen does not properly clean up these identity mappings, leaving them accessible to the guest. The issue has a CVSS v3.1 base score of 6.8 (MEDIUM) with vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

The impact is system-specific and can include privilege escalation, denial of service, or information leaks. In each case the root cause is the same: a guest retains access to memory ranges it should no longer be able to reach after device de-assignment (Xen Advisory).

Mitigation and workarounds

The primary mitigations are to not permit untrusted guests access to physical devices, and to limit untrusted guests' access to physical devices whose firmware-provided ACPI tables declare identity mappings. Note that a system remains vulnerable if a guest was trusted while it had a device assigned and the device is then removed in anticipation of the guest becoming untrusted (Xen Advisory).

Community reactions

The vulnerability was addressed in multiple Linux distributions, including Debian with version 4.14.3-1~deb11u1 (Debian Advisory), Fedora with updates for Fedora 33, 34, and 35 (Fedora Update), and Gentoo with version 4.15.3 (Gentoo Advisory).

This report was generated using AI.
