CVE-2022-23035: 
NixOS vulnerability analysis and mitigation

CVE-2022-23035 is a vulnerability in the Xen hypervisor discovered by Julien Grall of Amazon and disclosed on January 25, 2022. The vulnerability affects Xen versions 4.6 and later, specifically impacting the management of IRQs associated with physical devices exposed to x86 HVM guests. This insufficient cleanup of passed-through device IRQs occurs during the cleanup process after a guest's use of the device (Xen Advisory).

The vulnerability involves an iterative operation in IRQ cleanup where, if an interrupt is not quiescent during cleanup, a retry attempt may be scheduled. In cases with multiple interrupts, the retry scheduling can be erroneously skipped, leading to pointer-related issues including NULL dereference and use-after-free conditions, while other code continues to assume the pointers remain valid. The vulnerability has been assigned a CVSS v3.1 base score of 4.6 (MEDIUM) with vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The impact is system-specific but primarily results in a Denial of Service (DoS) affecting the entire host system. While DoS is the primary concern, security researchers note that privilege escalation and information leaks cannot be ruled out as potential impacts (Xen Advisory).

The only available mitigation is to avoid passing through to x86 HVM guests PCI devices with more than a single physical interrupt. For a permanent fix, system administrators should apply the appropriate patches provided by Xen or update to a fixed version. Various Linux distributions have released security updates addressing this vulnerability, including Debian (version 4.14.4+74-gd7b22226b5-1) and Gentoo (version 4.15.3) (Debian Advisory, Gentoo Advisory).