
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-46836 is a security vulnerability affecting the Xen hypervisor's implementation of Branch Type Confusion (BTC) and Speculative Return Stack Overflow (SRSO) mitigations. The vulnerability was discovered by Andrew Cooper of XenServer and publicly disclosed on November 14, 2023. The issue affects all versions of Xen, specifically impacting systems running on AMD and Hygon CPUs in default configurations (Xen Advisory).
The vulnerability stems from the fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) not being IRQ-safe. These mitigations were assumed to run in contexts with IRQs disabled, but the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths: one unconditionally, and the other conditionally, depending on whether XPTI is active. Because BTC/SRSO and Meltdown affect different CPU vendors, the mitigations are not active together by default. The result is a race condition that allows malicious PV guests to bypass BTC/SRSO protections. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (MEDIUM) with vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).
An attacker operating from within a PV (paravirtualized) guest environment could potentially exploit this vulnerability to infer the contents of memory belonging to other guests, leading to information disclosure across guest boundaries (Xen Advisory).
As a mitigation measure, system administrators can avoid the vulnerability by running only HVM (Hardware Virtual Machine) or PVH VMs. For a permanent fix, administrators should apply the patch provided in the security advisory. The patch has been prepared for stable branches, and downstream users are advised to update to the tip of the stable branch before applying the patches (Xen Advisory).
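To check a host against the workaround above, the following added example (not from the Xen advisory or this page) flags PV guests on an AMD or Hygon host. It assumes that `xl list -l` emits a JSON array whose entries carry `domid` and `config.c_info.type`/`name`, and that dom0 is `domid` 0; verify that shape on your Xen version. The sample inputs are constructed, and the check says nothing about whether the patch is applied.

```python
import json

# CPU vendors the page names as affected in default configurations.
AFFECTED_VENDORS = {"AuthenticAMD", "HygonGenuine"}

def cpu_vendor(cpuinfo_text):
    """Return the first vendor_id value from /proc/cpuinfo-style text."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "vendor_id":
            return value.strip()
    return None

def pv_guests(xl_json_text):
    """Names of PV domains other than dom0 (JSON layout is an assumption)."""
    names = []
    for dom in json.loads(xl_json_text):
        c_info = dom.get("config", {}).get("c_info", {})
        if dom.get("domid") != 0 and c_info.get("type") == "pv":
            names.append(c_info.get("name", "<unnamed>"))
    return names

def exposed(cpuinfo_text, xl_json_text):
    """PV guests relevant to CVE-2023-46836; empty on unaffected vendors."""
    if cpu_vendor(cpuinfo_text) not in AFFECTED_VENDORS:
        return []
    return pv_guests(xl_json_text)

# Constructed sample inputs; on a real dom0 read /proc/cpuinfo and
# capture the output of `xl list -l` instead.
SAMPLE_CPUINFO = "processor\t: 0\nvendor_id\t: AuthenticAMD\nmodel name\t: sample\n"
SAMPLE_XL = json.dumps([
    {"domid": 0, "config": {"c_info": {"type": "pv", "name": "Domain-0"}}},
    {"domid": 3, "config": {"c_info": {"type": "pv", "name": "legacy-pv"}}},
    {"domid": 4, "config": {"c_info": {"type": "hvm", "name": "web-hvm"}}},
    {"domid": 5, "config": {"c_info": {"type": "pvh", "name": "build-pvh"}}},
])

if __name__ == "__main__":
    for name in exposed(SAMPLE_CPUINFO, SAMPLE_XL):
        print(f"PV guest on affected CPU vendor: {name}")
```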
Source: This report was generated using AI