CVE-2022-26360: 
Linux Debian vulnerability analysis and mitigation

CVE-2022-26360 is a vulnerability in the IOMMU handling of Reserved Memory Regions (RMRR) for Intel VT-d and Unity Mapping ranges for AMD-Vi in Xen hypervisor. The vulnerability was discovered and publicly disclosed on April 5, 2022, affecting all Xen versions supporting PCI passthrough on x86 systems with IOMMU hardware (Xen Advisory).

The vulnerability occurs when certain PCI devices are assigned Reserved Memory Regions (RMRR) for Intel VT-d or Unity Mapping ranges for AMD-Vi, typically used for platform tasks such as legacy USB emulation. The core issue is that when a device associated with such a region is active, the mappings of these regions must remain continuously accessible by the device - a requirement that was violated. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The impact of this vulnerability is system-specific but primarily results in a Denial of Service (DoS) affecting the entire host. Additionally, privilege escalation and information leaks cannot be ruled out. The vulnerability can lead to unpredictable behavior, ranging from IOMMU faults to memory corruption (Xen Advisory).

The primary mitigation is to avoid passing through physical devices to untrusted guests when the devices have associated RMRRs or unity maps. Various patches have been released for different versions of Xen (4.12.x through 4.16.x). Multiple Linux distributions have also released security updates, including Debian (4.14.4+74-gd7b22226b5-1), Fedora 34 (xen-4.14.5-1.fc34), and Fedora 35 (xen-4.15.2-3.fc35) (Debian Advisory, Fedora Update).