CVE-2024-31145

7.5 HIGH

📋 TL;DR

CVE-2024-31145 (Xen Security Advisory XSA-460, "error handling in x86 IOMMU identity mapping") is a flaw in how Xen maintains IOMMU identity mappings for PCI devices that carry Reserved Memory Regions (RMRR, reported by Intel VT-d firmware) or Unity Mapping ranges (AMD-Vi). Firmware reserves these ranges for platform tasks such as legacy USB emulation, and because the hypervisor cannot know their exact purpose, they must stay continuously mapped for the device for as long as it is active. An error path in Xen's identity-mapping code violated that requirement: the mappings a device depends on could be lost, so subsequent DMA or interrupts from the device behave unpredictably, from IOMMU faults up to memory corruption. Only x86 Xen hosts that pass PCI devices through to guests with Intel VT-d or AMD-Vi are affected.

💻 Affected Systems

Products:
  • Xen Hypervisor
Versions: Per XSA-460, all Xen versions from 3.3 onward that do not carry the XSA-460 patches; the advisory ships patches for the stable branches supported at the time, and point releases cut after it include them.
Operating Systems: Any dom0 running Xen (XCP-ng, XenServer/Citrix Hypervisor, Qubes OS, distribution Xen packages)
Default Config Vulnerable: ✅ No
Notes: x86 only (Arm is not affected). A host is exposed only if a PCI device for which firmware reports an RMRR (VT-d DMAR table) or a unity mapping (AMD-Vi IVMD entry) is passed through to a guest. Such devices typically back platform functions like legacy USB emulation.

📦 What is this software?

Xen is an open-source type-1 hypervisor: it runs directly on the hardware and hosts a privileged control domain (dom0) plus unprivileged guest domains. PCI passthrough hands a guest direct control of a device, with the host IOMMU (Intel VT-d or AMD-Vi) confining the device's DMA to memory the guest is allowed to reach. RMRR and unity-mapped ranges are firmware-reserved memory that must stay identity-mapped for such a device regardless of which domain owns it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Host memory corruption caused by a device whose reserved ranges are no longer mapped for it: its DMA and interrupts land where the hypervisor did not intend. XSA-460 states that a denial of service affecting the entire host, or privilege escalation, cannot be ruled out; the precise outcome is system specific.

🟠

Likely Case

IOMMU faults from the affected device logged by the hypervisor, the platform function it backs (typically legacy USB emulation) stops working, and in the worse variants a host crash.

🟢

If Mitigated

If RMRR / unity-mapped devices are not passed through at all, or only to trusted guests, the error path is not reachable by an attacker and exposure is confined to the reliability of those devices.

🌐 Internet-Facing: LOW - Not reachable over the network; the attacker needs control of a guest that has such a device assigned.
🏢 Internal Only: HIGH - A malicious or compromised guest holding an RMRR / unity-mapped passthrough device can trigger the flaw, and the consequences (DoS, possible privilege escalation) affect the whole host and every VM on it.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires control of a guest that has an RMRR / unity-mapped device passed through, plus a way to drive the identity-mapping code down its error path (for instance around device assignment or deassignment). No public details describe how to force that reliably.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any build that includes the XSA-460 patches. The advisory lists the patch per stable branch; the point releases of those branches made after the advisory carry the fix, as do vendor packages whose changelog references XSA-460 / CVE-2024-31145.

Vendor Advisory: https://xenbits.xenproject.org/xsa/advisory-460.html

Restart Required: Yes

Instructions:

1. Update Xen to a release that includes the XSA-460 patches, or apply the patches from Xen Security Advisory XSA-460 to your build.
2. Reboot the hypervisor host; a hypervisor update cannot take effect without it.
3. Confirm that all guest VMs come back up on the updated hypervisor.

🔧 Temporary Workarounds

Do not pass through RMRR / Unity Mapping devices

linux

Remove such devices from guest configurations (the pci = [...] list in an xl config file, or the <hostdev> element of a libvirt domain) and restart the guest. To detach one from a running guest:

xl pci-detach <domain-id> <BDF>
virsh detach-device <domain> <hostdev.xml>

virsh detach-device is the libvirt equivalent for libxl-managed guests. Note that virsh nodedev-detach does the opposite job: it unbinds a device from its host driver to prepare it for passthrough, so it is not a mitigation. Assigning and deassigning a device both exercise the identity-mapping code at issue, so prefer editing the configuration and restarting the guest over a live detach where you can.

Isolate affected devices

all

Firmware reports RMRRs in the VT-d DMAR table and AMD-Vi unity maps as IVMD entries in the IVRS table; Xen logs the VT-d ones at boot (xl dmesg). Never assign a device that appears there to a guest you do not trust.

🧯 If You Can't Patch

  • Assign RMRR / unity-mapped passthrough devices only to trusted guests, or not at all
  • Watch xl dmesg for IOMMU fault messages naming passed-through devices, and treat host instability after a device assignment or detach as a possible trigger

🔍 How to Verify

Check if Vulnerable:

Check the hypervisor version with 'xl info | grep -E "xen_version|xen_extra"' (xen-detect only reports whether you are running under Xen, not which version). Then list the devices that carry reserved regions: 'xl dmesg | grep -i rmrr' shows VT-d entries as 'found ACPI_DMAR_RMRR:' followed by 'endpoint:' lines naming each BDF; on AMD-Vi hosts the unity ranges come from IVMD entries in the ACPI IVRS table, which you can inspect with acpidump and iasl if the Xen log does not list them. If the hypervisor predates the XSA-460 patches and any of those devices is, or will be, passed through to a guest ('xl pci-list <domain>'), the host is exposed.

Check Version:

xl info | grep xen_version

Verify Fix Applied:

Confirm the running hypervisor is a build that includes the XSA-460 patches: 'xl info | grep -E "xen_version|xen_extra"' together with your distribution's package changelog, which should reference XSA-460 or CVE-2024-31145. Then exercise the path: assign and deassign an RMRR / unity-mapped device and check xl dmesg for IOMMU fault lines naming it; a patched host should log none.

📡 Detection & Monitoring

Log Indicators:

  • IOMMU fault lines in xl dmesg naming a passed-through device (VT-d: "DMAR:" fault lines with "Request device [BDF]"; AMD-Vi: "IO_PAGE_FAULT")
  • Host or guest crashes, hangs or data corruption shortly after a device was assigned to or detached from a guest
  • Failed xl pci-attach / xl pci-detach operations in the xl and libxl logs under /var/log/xen

Network Indicators:

  • Not network-exploitable; no specific network indicators

SIEM Query:

source="xen-hypervisor" AND (("DMAR" AND "Request device") OR "IO_PAGE_FAULT")

The strings above come from Xen's VT-d and AMD-Vi fault reporting and differ slightly between Xen versions; match them against your host's actual xl dmesg output before deploying the rule.
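The audit the verification and detection sections describe, as an added example that is not part of this page, the XSA-460 advisory or the Xen project's tooling: it pulls RMRR endpoints out of xl dmesg, cross-references them with the devices each domain holds (xl list / xl pci-list), and extracts the devices named in VT-d DMA fault lines. The xl commands are real; the log line shapes ('found ACPI_DMAR_RMRR:' / 'endpoint:' and 'DMAR:[DMA Write] Request device [...]') are assumptions approximating Xen's VT-d messages, the sample lines are constructed, and AMD-Vi hosts would need different patterns.

```sh
#!/bin/sh
# Added example, not from the Xen project or XSA-460. Log formats are assumptions
# modelled on Xen's VT-d messages; adjust the patterns to your host's xl dmesg.

# Constructed sample of `xl dmesg` lines (not captured from a real host).
SAMPLE_DMESG='(XEN) [VT-D]dmar.c:812: found ACPI_DMAR_DRHD:
(XEN) [VT-D]dmar.c:636:   endpoint: 0000:00:02.0
(XEN) [VT-D]dmar.c:812: found ACPI_DMAR_RMRR:
(XEN) [VT-D]dmar.c:636:   endpoint: 0000:00:1d.0
(XEN) [VT-D]dmar.c:636:   endpoint: 0000:00:1a.0
(XEN) [VT-D]dmar.c:812: found ACPI_DMAR_RMRR:
(XEN) [VT-D]dmar.c:636:   endpoint: 0000:02:00.0
(XEN) [VT-D]DMAR:[DMA Write] Request device [0000:02:00.0] fault addr 7a000000
(XEN) [VT-D]DMAR:[fault reason 06h] PTE Read access is not set'

# Constructed "domain BDF" assignment list, the shape collect_assignments prints.
SAMPLE_ASSIGN='guest1 0000:00:1d.0
guest1 0000:03:00.0
guest2 0000:02:00.0'

# BDFs listed under an RMRR entry, one per line, sorted. Endpoints under DRHD or
# ATSR entries are skipped: only RMRR endpoints carry reserved regions.
rmrr_endpoints() {
    awk '
        /found ACPI_DMAR_RMRR/ { in_rmrr = 1; next }
        /found ACPI_DMAR/      { in_rmrr = 0; next }
        in_rmrr && /endpoint:/ { print $NF }
    ' | LC_ALL=C sort -u
}

# Reads "domain BDF" lines on stdin and prints those whose BDF is in the
# newline-separated list passed as $1: the guests the mitigation targets.
flag_rmrr_assignments() {
    awk -v list="$1" '
        BEGIN { n = split(list, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") rm[a[i]] = 1 }
        ($2 in rm) { print $1, $2 }
    '
}

# BDFs named in VT-d DMA fault lines, the "IOMMU faults" the advisory lists as a symptom.
fault_devices() {
    sed -n 's/.*DMAR:\[DMA [A-Za-z]*] Request device \[\([0-9a-f:.]*\)].*/\1/p' | LC_ALL=C sort -u
}

# Live collection on dom0 (needs root): every non-dom0 domain with its PCI devices.
collect_assignments() {
    xl list | awk 'NR > 1 && $1 != "Domain-0" { print $1 }' | while read -r dom; do
        xl pci-list "$dom" | awk -v d="$dom" 'NR > 1 { print d, $2 }'
    done
}

audit_host() {
    rmrr=$(xl dmesg | rmrr_endpoints)
    [ -n "$rmrr" ] || { echo "no RMRR endpoints reported by firmware"; return 0; }
    echo "RMRR devices:"; printf '%s\n' "$rmrr"
    echo "Guests holding RMRR devices (XSA-460 exposure):"
    collect_assignments | flag_rmrr_assignments "$rmrr"
    echo "Devices with IOMMU faults logged:"
    xl dmesg | fault_devices
}

# Run the live audit only when asked; without --live the script just defines the functions.
if [ "${1:-}" = "--live" ]; then
    audit_host
fi
```

Run it as root on dom0 with --live; without the flag it can be sourced from another script to reuse the parsers. Flagged guests are the ones to remove the device from (or restart with it removed from the configuration) until the XSA-460 patches are in place, and any BDF in the fault list that is also an RMRR endpoint deserves a look at the host's recent device assignment history.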

🔗 References

  • Xen Security Advisory XSA-460 (CVE-2024-31145): https://xenbits.xenproject.org/xsa/advisory-460.html