CVE-2022-35867: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in xhyve (CVE-2022-35867) that allows local attackers to escalate privileges on affected installations. The vulnerability was discovered by Alisa Esage of Zero Day Engineering and was disclosed on July 6, 2022. The issue affects the e1000 virtual device in xhyve version 0.2.0 (ZDI Advisory, NVD).

The vulnerability exists within the e1000 virtual device and results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. This is classified as a Stack-based Buffer Overflow (CWE-121). The vulnerability has been assigned a CVSS v3.1 base score of 6.7 (MEDIUM) by NIST with vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Zero Day Initiative assigned it a score of 7.5 (HIGH) with vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H (ZDI Advisory).

An attacker who successfully exploits this vulnerability can leverage it to escalate privileges and execute arbitrary code in the context of the hypervisor. The attacker must first obtain the ability to execute high-privileged code on the target guest system to exploit this vulnerability (ZDI Advisory).

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application. The vulnerability was disclosed publicly without a patch in accordance with the ZDI 120-day deadline. The issue was previously fixed in FreeBSD's bhyve under CVE-2019-5609, but the code was never updated in xhyve (ZDI Advisory).