CVE-2023-46837: 
NixOS vulnerability analysis and mitigation

Arm provides multiple helpers to clean & invalidate the cache for a given region, which is used when allocating guest memory to ensure writes have reached memory before handing over the page to a guest. The vulnerability (CVE-2023-46837) was discovered in December 2023 and affects all versions of Xen running on Arm 32-bit systems. This issue was meant to be addressed by XSA-437, but the approach was not sufficient (Xen Advisory).

The vulnerability stems from arithmetic operations in the cache helpers that can overflow, resulting in skipped cache cleaning/invalidation operations. This means there is no guarantee when all writes will reach the memory. The issue has a CVSS v3.1 Base Score of 3.3 (LOW) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

A malicious guest may be able to read sensitive data from memory that previously belonged to another guest. Only systems running Xen on Arm 32-bit are vulnerable, while Xen on Arm 64-bit is not affected (Xen Advisory).

There are no known mitigations for this vulnerability. The issue has been fixed in security updates, and affected users are advised to apply the appropriate patches. Updates have been released for various versions including Xen 4.17.x, 4.16.x, and 4.15.x (Xen Advisory, Fedora Update).