{"id":"CVE-2022-26362","details":"x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited.","modified":"2026-03-15T22:44:56.610966Z","published":"2022-06-09T17:15:08.957Z","related":["SUSE-SU-2022:2065-1","SUSE-SU-2022:2084-1","SUSE-SU-2022:2158-1","SUSE-SU-2022:2164-1","SUSE-SU-2022:2296-1","SUSE-SU-2022:2560-1","SUSE-SU-2022:2569-1","SUSE-SU-2022:2574-1","SUSE-SU-2022:2591-1","SUSE-SU-2022:2597-1","SUSE-SU-2022:2599-1","SUSE-SU-2022:2599-2","SUSE-SU-2022:2600-1","SUSE-SU-2022:2601-1","openSUSE-SU-2024:12219-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OH65U6FTTB5MLH5A6Q3TW7KVCGOG4MYI/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202208-23"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5184"},{"type":"ADVISORY","url":"https://xenbits.xenproject.org/xsa/advisory-401.txt"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/167718/Xen-TLB-Flush-Bypass.html"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/06/09/3"},{"type":"FIX","url":"http://xenbits.xen.org/xsa/advisory-401.html"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"35"}]},{"events":[{"introduced":"0"},{"last_affected":"36"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-26362.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}