CVE-2022-26365: 
Linux Kernel vulnerability analysis and mitigation

Linux Block and Network PV device frontends vulnerability (CVE-2022-26365) was discovered and disclosed on July 5, 2022. The vulnerability affects Linux guests using PV devices with potentially malicious PV device backends. The issue was discovered by Roger Pau Monné of Citrix and involves the failure of Linux Block and Network PV device frontends to zero memory regions before sharing them with the backend (Xen Advisory).

The vulnerability stems from two main technical issues: First, Linux Block and Network PV device frontends don't properly initialize memory pages before sharing them with the backend. Second, the grant table's granularity doesn't allow sharing less than a 4K page, which results in unrelated data residing in the same 4K page becoming accessible to the backend. The vulnerability has received a CVSS v3.1 Base Score of 7.1 (HIGH) with a vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (NVD).

An untrusted backend can access data not intended to be shared. If such mappings are made with write permissions, the backend could cause malfunctions and/or crashes to consumers of contiguous data in the shared pages. A local attacker could exploit this to expose sensitive information, specifically guest kernel memory (Ubuntu Security).

Patches have been released to make the disk and network frontends capable of protecting themselves against potentially malicious backends. The signaling of whether a frontend should consider a backend as potentially malicious can be done from either the Linux kernel command line or the toolstack. Various Linux distributions have released security updates, including Ubuntu, Debian, and Fedora (Debian Security, Fedora Update).