CVE-2021-28700: 
NixOS vulnerability analysis and mitigation

CVE-2021-28700 affects the dom0less feature in Xen versions 4.12 and later on ARM systems. The vulnerability was discovered by Julien Grall of Amazon and disclosed in August 2021. The issue stems from the dom0less feature, which allows administrators to create multiple unprivileged domains directly from Xen, failing to set proper memory limits for these domains (Xen Advisory).

The vulnerability occurs because memory limits are not properly set for domains created using the dom0less feature. This implementation flaw allows domains to allocate memory beyond their administrator-configured limits. The issue has been assigned a CVSS v3.1 base score of 4.9 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (NVD).

A malicious dom0less guest could exploit this vulnerability to allocate memory beyond its configured limits, potentially exhausting system memory resources. This can lead to a Denial of Service (DoS) condition affecting the entire system (Xen Advisory).

No workarounds were available for this vulnerability. The issue was fixed in various distribution updates including Fedora 33, 34, and 35, Debian 11 (Bullseye), and Gentoo. Debian provided fixes in version 4.14.3-1~deb11u1, while Gentoo addressed it in version 4.15.3 (Debian Advisory, Gentoo Advisory).