CVE-2022-42326: 
NixOS vulnerability analysis and mitigation

CVE-2022-42326 is a vulnerability in Xen's Xenstore component that affects systems running Xen version 4.9 and newer. The vulnerability was discovered by Julien Grall of Amazon and publicly disclosed on November 1, 2022. It specifically affects systems running the C variant of Xenstore (xenstored or xenstore-stubdom), while systems using the Ocaml variant (oxenstored) are not vulnerable (Xen Advisory).

The vulnerability occurs when a node is created in a transaction and later deleted within the same transaction. When this happens, the transaction terminates with an error, but only after partially executing and failing to update the accounting information. This implementation flaw allows the transaction to be performed partially without proper accounting updates (Xen Advisory). The vulnerability has been assigned a CVSS score of 5.5, with attack vector being Local, attack complexity Low, and requiring Low privileges (Oracle Bulletin).

When exploited, this vulnerability enables a malicious guest to create an arbitrary number of nodes, which can cause memory shortage in xenstored. This results in a Denial of Service (DoS) condition that prevents the creation of new guests and blocks configuration changes for running guests (Xen Advisory).

As a mitigation, systems can switch to running oxenstored instead of xenstored to avoid the vulnerability. For permanent resolution, patches have been released and should be applied to affected systems. The fix is available through patches xsa421/xsa421-??.patch for Xen-unstable and 4.16.x versions, and xsa421/xsa421-4.15-??.patch for versions 4.15.x - 4.13.x (Xen Advisory).