Information
| Advisory | XSA-485 |
| Public release | 2026-04-28 12:00 |
| Updated | 2026-04-28 12:01 |
| Version | 2 |
| CVE(s) | CVE-2026-31786 |
| Title | Linux kernel out of bounds read via Xen-related sysfs file |
Files
advisory-485.txt (signed advisory file)
xsa485-linux.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2026-31786 / XSA-485
version 2
Linux kernel out of bounds read via Xen-related sysfs file
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
The Linux sysfs file /sys/hypervisor/properties/buildid does not
contain printable information, but a binary value of typically 16 or
20 bytes, which is not terminated by a zero byte.
The kernel driver making this information available is using the
sprintf() function for writing the data into the user readable buffer,
resulting in a potential out of bounds read past the buildid retrieved
from the Xen hypervisor. In rare cases even writing past the sysfs
buffer of 4kB might happen, if no zero byte is found in the 4kB of
data following the start of the buildid.
This might result in users being able to read kernel secrets or
even overwrite kernel memory located after the sysfs buffer.
IMPACT
======
Inside any Linux Xen domain, information leaks, Denial of Service (DoS)
and privilege escalation might be possible.
VULNERABLE SYSTEMS
==================
All Linux domains with a kernel version 4.13 or later are vulnerable.
Domains up to kernel version 4.12 are not vulnerable.
MITIGATION
==========
There is no known mitigation available.
CREDITS
=======
This issue was discovered by Frediano Ziglio of XenServer.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa485-linux.patch Linux
$ sha256sum xsa485*
c70b792093d7b314b8c476e39df88a62a2d98fb0efc6328590d0ad3266c77831 xsa485-linux.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of patches or mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List). Specifically, deployment on public cloud systems
is NOT permitted.
This is because the patch needs to be applied to the guests.
Deployment is permitted only AFTER the embargo ends.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Xenproject.org Security Team
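The behaviour in the ISSUE DESCRIPTION above, as an added user-space illustration (not the Xen Project's patch and not kernel code): a build ID with no terminating zero byte is formatted once with string semantics and once with an explicit length. The byte values, the `mem_image` layout and both function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define PAGE_BUF    4096  /* sysfs buffer size given in the advisory (4kB) */
#define BUILDID_LEN 20    /* one of the typical lengths given in the advisory */

/* Constructed memory image: a 20-byte binary build ID containing no zero
 * byte, followed directly by unrelated data that happens to end in a zero. */
static const unsigned char mem_image[] = {
    0x4f, 0x1c, 0xa2, 0x07, 0x93, 0x5e, 0xd8, 0x21, 0xb6, 0x6a,
    0x3d, 0xf0, 0x19, 0x84, 0xc5, 0x72, 0x0b, 0xee, 0x58, 0x9d,
    'A', 'D', 'J', 'A', 'C', 'E', 'N', 'T', 0x00
};

/* String semantics: "%s" copies until the first zero byte, so the number of
 * bytes read depends on what follows the build ID, not on its length. */
static int show_string_semantics(const unsigned char *id, char *out)
{
    return sprintf(out, "%s", (const char *)id);
}

/* Length-aware copy: exactly id_len bytes, refused if it cannot fit in the
 * output buffer. The return value is the byte count handed to the reader. */
static int show_length_aware(const unsigned char *id, size_t id_len, char *out)
{
    if (id_len > PAGE_BUF)
        return -1;
    memcpy(out, id, id_len);
    return (int)id_len;
}

int main(void)
{
    static char out[PAGE_BUF];
    int n;

    n = show_string_semantics(mem_image, out);
    printf("string semantics: %d bytes copied, %d past the build ID\n",
           n, n - BUILDID_LEN);

    n = show_length_aware(mem_image, BUILDID_LEN, out);
    printf("length-aware:     %d bytes copied\n", n);
    return 0;
}
```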