CVE-2023-34322

7.8 HIGH

📋 TL;DR

This Xen hypervisor vulnerability allows a malicious PV guest to crash the host system by exploiting a race condition in shadow paging memory management. When the hypervisor tears down shadow page tables during memory shortages, it can inadvertently destroy the active page table the CPU is using, causing a host crash. This affects Xen-based virtualization environments running 64-bit PV guests in shadow paging mode.

💻 Affected Systems

Products:
  • Xen Hypervisor
Versions: All versions prior to the fix for XSA-438
Operating Systems: Linux distributions using Xen (XenServer, Citrix Hypervisor, etc.)
Default Config Vulnerable: ✅ No
Notes: Only affects 64-bit PV guests running in shadow paging mode, which is typically used for migration or when running on older hardware without L1TF mitigations.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete host system crash leading to denial of service for all virtual machines running on the affected hypervisor.

🟠

Likely Case

Host system instability or crash when PV guests are under memory pressure in shadow paging mode.

🟢

If Mitigated

No impact if shadow paging is disabled or if systems are patched.

🌐 Internet-Facing: LOW - Requires access to run a malicious PV guest on the hypervisor.
🏢 Internal Only: MEDIUM - Malicious insiders or compromised internal VMs could exploit this to crash the hypervisor.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires running a malicious PV guest and triggering specific memory conditions. The race condition makes reliable exploitation challenging.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Xen security update for XSA-438

Vendor Advisory: https://xenbits.xenproject.org/xsa/advisory-438.html

Restart Required: Yes

Instructions:

1. Apply Xen security patches from your distribution vendor.
2. Reboot the hypervisor host.
3. Verify the patch is applied by checking the Xen version.

🔧 Temporary Workarounds

Disable shadow paging for PV guests

Avoid using shadow paging mode for PV guests by ensuring hardware supports L1TF mitigations and not using migration features that require shadow paging.

xl shadow <domain-id> off
xl debug-keys s

🧯 If You Can't Patch

  • Avoid running PV guests in shadow paging mode
  • Isolate critical VMs from untrusted PV guests

🔍 How to Verify

Check if Vulnerable:

Run 'xl info' and compare the reported Xen version against the patched versions listed in your vendor's advisory for XSA-438.

Check Version:

xl info | grep xen_version

Verify Fix Applied:

Verify that the running Xen version includes the XSA-438 fix: 'xl info | grep xen_version' should report a patched version.

📡 Detection & Monitoring

Log Indicators:

  • Hypervisor crash logs
  • Unexpected domain shutdowns
  • Memory allocation failures in Xen logs

Network Indicators:

  • Sudden loss of connectivity to all VMs on a host

SIEM Query:

source="xen.log" AND ("crash" OR "panic" OR "shadow pool" OR "page table")
