Skip to main content


Xen Project 4.3.2

We are pleased to announce the release of Xen Project 4.3.2. This is available immediately from its git repository
>;a=shortlog;h=refs/heads/stable-4.3 (tag RELEASE-4.3.2)

This fixes the following critical vulnerabilities:

CVE-2013-2212 / XSA-60 Excessive time to disable caching with HVM guests with PCI passthrough
CVE-2013-4494 / XSA-73 Lock order reversal between page allocation and grant table locks
CVE-2013-4553 / XSA-74 Lock order reversal between page_alloc_lock and mm_rwlock
CVE-2013-4551 / XSA-75 Host crash due to guest VMX instruction execution
CVE-2013-4554 / XSA-76 Hypercalls exposed to privilege rings 1 and 2 of HVM guests
CVE-2013-6375 / XSA-78 Insufficient TLB flushing in VT-d (iommu) code
CVE-2013-6400 / XSA-80 IOMMU TLB flushing may be inadvertently suppressed
CVE-2013-6885 / XSA-82 Guest triggerable AMD CPU erratum may cause host hang
CVE-2014-1642 / XSA-83 Out-of-memory condition yielding memory corruption during IRQ setup
CVE-2014-1891 / XSA-84 integer overflow in several XSM/Flask hypercalls
CVE-2014-1895 / XSA-85 Off-by-one error in FLASK_AVC_CACHESTAT hypercall
CVE-2014-1896 / XSA-86 libvchan failure handling malicious ring indexes
CVE-2014-1666 / XSA-87 PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
CVE-2014-1950 / XSA-88 use-after-free in xc_cpupool_getinfo() under memory pressure

Apart from those there are many further bug fixes and improvements.

We recommend all users of the 4.3 stable series to update to the latest point release.