CVE-2022-26364: 
Linux Debian vulnerability analysis and mitigation

CVE-2022-26364 is a vulnerability in Xen's type reference count system for pages that affects the hypervisor's safety logic. The vulnerability was discovered by Jann Horn of Google Project Zero and publicly disclosed on June 9, 2022. It affects all versions of Xen, specifically impacting x86 PV guests configured with access to devices (e.g., PCI Passthrough) (Xen Advisory).

The vulnerability stems from Xen's safety logic not accounting for CPU-induced cache non-coherency, where the CPU can cause the content of the cache to be different from the content in main memory. This affects Xen's type reference count system, which maintains invariants required for safety, such as preventing PV guests from having direct writeable access to pagetables. In cases of non-coherent memory access, Xen's safety logic can incorrectly conclude that the contents of a page is safe (Xen Advisory).

The vulnerability allows malicious x86 PV guest administrators to escalate privileges and potentially gain control over the entire system. The impact is limited to systems running CPUs that can issue non-coherent memory accesses. CPUs with the SelfSnoop feature are not affected, which means Intel IvyBridge or later CPUs are generally not impacted by this vulnerability (Xen Advisory).

The primary mitigation is to avoid passing devices through to untrusted x86 PV guests. For a permanent fix, system administrators should apply the appropriate patches provided in XSA-402. It's important to note that these patches depend on XSA-401 patches and will not function safely without them. The patches are available for various Xen versions including 4.13.x through 4.16.x (Xen Advisory).

Multiple Linux distributions have released security updates to address this vulnerability, including Debian in DSA-5184-1 (Debian Security), Fedora in updates for versions 35 and 36 (Fedora Update), and Gentoo in GLSA 202208-23 (Gentoo Security).