{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/alpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","type":"apk","namespace":"alpine","name":"xen","version":"4.13.0-r0","qualifiers":{"arch":"x86","distroversion":"v3.11","reponame":"main"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"4.13.0-r1","latest_non_vulnerable_version":"4.13.4-r2","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106391?format=json","vulnerability_id":"VCID-33sz-99zv-gybt","summary":"An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH guest OS users to cause a denial of service (guest OS crash) because VMX VMEntry checks mishandle a certain case. Please see XSA-260 for background on the MovSS shadow. Please see XSA-156 for background on the need for #DB interception. The VMX VMEntry checks do not like the exact combination of state which occurs when #DB is intercepted, Single Stepping is active, and blocked by STI/MovSS is active, despite this being a legitimate state to be in. The resulting VMEntry failure is fatal to the guest. HVM/PVH guest userspace code may be able to crash the guest, resulting in a guest Denial of Service. All versions of Xen are affected. Only systems supporting VMX hardware virtual extensions (Intel, Cyrix, or Zhaoxin CPUs) are affected. Arm and AMD systems are unaffected. Only HVM/PVH guests are affected. 
PV guests cannot leverage the vulnerability.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19583.json","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19583.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19583","reference_id":"","reference_type":"","scores":[{"value":"0.02069","scoring_system":"epss","scoring_elements":"0.84256","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02069","scoring_system":"epss","scoring_elements":"0.8428","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02069","scoring_system":"epss","scoring_elements":"0.84283","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02069","scoring_system":"epss","scoring_elements":"0.84276","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02069","scoring_system":"epss","scoring_elements":"0.84265","published_at":"2026-06-08T12:55:00Z"},{"value":"0.02069","scoring_system":"epss","scoring_elements":"0.84278","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19583"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350","reference_id":"","reference_type":"","scores":[],"url":"https://cve.m
itre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580","reference_id":"","reference_type":"","scores":[],
"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1778171","reference_id":"1778171","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1778171"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944","reference_id":"947944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944"},{"reference_url":"https://security.gentoo.org/glsa/202003-56","reference_id":"GLSA-202003-56","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-56"},{"reference_url":"https://xenbits.xen.org/xsa/advisory-308.html","reference_id":"XSA-308","reference_type":"","scores":[],"url":"https://xenbits.xen.org/xsa/advisory-308.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/alpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}],"aliases":["CVE-2019-19583","XSA-308"],"risk_score":2.8,"exploitability":"0.5","weighted_severity":"5.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-33sz-99zv-gybt"},{"url":"http://public2.vu
lnerablecode.io/api/vulnerabilities/79523?format=json","vulnerability_id":"VCID-5tu1-npgw-3qca","summary":"Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12207.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12207.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-12207","reference_id":"","reference_type":"","scores":[{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49744","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49807","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49817","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49799","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49769","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49786","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0154"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-
2019-0155","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0155"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cve
name.cgi?name=CVE-2019-19577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1646768","reference_id":"1646768","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1646768"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944","reference_id":"947944","reference_type":"","sc
ores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944"},{"reference_url":"https://security.gentoo.org/glsa/202003-56","reference_id":"GLSA-202003-56","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-56"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3832","reference_id":"RHSA-2019:3832","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3832"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3833","reference_id":"RHSA-2019:3833","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3833"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3834","reference_id":"RHSA-2019:3834","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3834"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3835","reference_id":"RHSA-2019:3835","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3835"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3836","reference_id":"RHSA-2019:3836","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3836"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3837","reference_id":"RHSA-2019:3837","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3837"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3838","reference_id":"RHSA-2019:3838","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3838"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3839","reference_id":"RHSA-2019:3839","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3839"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3840","reference_id":"RHSA-2019:3840","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3840"},{"reference_url":"https://access.redhat.com/errata/RHSA
-2019:3841","reference_id":"RHSA-2019:3841","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3841"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3842","reference_id":"RHSA-2019:3842","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3842"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3843","reference_id":"RHSA-2019:3843","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3843"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3844","reference_id":"RHSA-2019:3844","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3844"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3860","reference_id":"RHSA-2019:3860","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3860"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3916","reference_id":"RHSA-2019:3916","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3916"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3936","reference_id":"RHSA-2019:3936","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3936"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3941","reference_id":"RHSA-2019:3941","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3941"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0026","reference_id":"RHSA-2020:0026","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0026"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0028","reference_id":"RHSA-2020:0028","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0028"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0204","reference_id":"RHSA-2020:0204","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA
-2020:0204"},{"reference_url":"https://usn.ubuntu.com/4183-1/","reference_id":"USN-4183-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4183-1/"},{"reference_url":"https://usn.ubuntu.com/4184-1/","reference_id":"USN-4184-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4184-1/"},{"reference_url":"https://usn.ubuntu.com/4185-1/","reference_id":"USN-4185-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4185-1/"},{"reference_url":"https://usn.ubuntu.com/4185-2/","reference_id":"USN-4185-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4185-2/"},{"reference_url":"https://xenbits.xen.org/xsa/advisory-304.html","reference_id":"XSA-304","reference_type":"","scores":[],"url":"https://xenbits.xen.org/xsa/advisory-304.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/alpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}],"aliases":["CVE-2018-12207","XSA-304"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5tu1-npgw-3qca"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106380?format=json","vulnerability_id":"VCID-6stg-awwf-y7g5","summary":"An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations. There are issues with restartable PV type change operations. To avoid using shadow pagetables for PV guests, Xen exposes the actual hardware pagetables to the guest. 
In order to prevent the guest from modifying these page tables directly, Xen keeps track of how pages are used using a type system; pages must be \"promoted\" before being used as a pagetable, and \"demoted\" before being used for any other type. Xen also allows for \"recursive\" promotions: i.e., an operating system promoting a page to an L4 pagetable may end up causing pages to be promoted to L3s, which may in turn cause pages to be promoted to L2s, and so on. These operations may take an arbitrarily large amount of time, and so must be re-startable. Unfortunately, making recursive pagetable promotion and demotion operations restartable is incredibly complicated, and the code contains several races which, if triggered, can cause Xen to drop or retain extra type counts, potentially allowing guests to get write access to in-use pagetables. A malicious PV guest administrator may be able to escalate their privilege to that of the host. All x86 systems with untrusted PV guests are vulnerable. 
HVM and PVH guests cannot exercise this vulnerability.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-18421.json","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-18421.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18421","reference_id":"","reference_type":"","scores":[{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83414","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83439","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.8344","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83436","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83428","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01863","scoring_system":"epss","scoring_elements":"0.83442","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350","reference_id":"","reference_type":"","scores":[],"url":"htt
ps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580","reference_id":"","reference_type":"","s
cores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1765043","reference_id":"1765043","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1765043"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944","reference_id":"947944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944"},{"reference_url":"https://security.gentoo.org/glsa/202003-56","reference_id":"GLSA-202003-56","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-56"},{"reference_url":"https://xenbits.xen.org/xsa/advisory-299.html","reference_id":"XSA-299","reference_type":"","scores":[],"url":"https://xenbits.xen.org/xsa/advisory-299.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/alpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"h
ttp://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}],"aliases":["CVE-2019-18421","XSA-299"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6stg-awwf-y7g5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106387?format=json","vulnerability_id":"VCID-8481-uey9-zqay","summary":"An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device (and assignable-add is not used), because of an incomplete fix for CVE-2019-18424. XSA-302 relies on the use of libxl's \"assignable-add\" feature to prepare devices to be assigned to untrusted guests. Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of preparing devices for assignment, and libvirt uses its own ways as well. Hosts where these \"alternate\" methods are used will still leave the system in a vulnerable state after the device comes back from a guest. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. 
Systems which do not use PCI pass-through are not vulnerable.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19579.json","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19579.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19579","reference_id":"","reference_type":"","scores":[{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.31944","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.32017","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.31986","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.31948","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.31917","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0013","scoring_system":"epss","scoring_elements":"0.3194","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350","reference_id":"","reference_type":"","scores":[],"url":"ht
tps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580","reference_id":"","reference_type":"","
scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1780558","reference_id":"1780558","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1780558"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944","reference_id":"947944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944"},{"reference_url":"https://xenbits.xen.org/xsa/advisory-306.html","reference_id":"XSA-306","reference_type":"","scores":[],"url":"https://xenbits.xen.org/xsa/advisory-306.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/alpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}],"aliases":["CVE-2019-19579","XSA-306"],"risk_score":3.1,"
exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8481-uey9-zqay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106386?format=json","vulnerability_id":"VCID-de4m-z2et-6qfe","summary":"An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. \"Linear pagetables\" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the \"depth\" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To implement this, we keep track of the number of outstanding times a page points to or is pointed to by another page table, to prevent both from happening at the same time. Unfortunately, the original commit introducing this reset this count when resuming validation of a partially-validated pagetable, incorrectly dropping some \"linear_pt_entry\" counts. If an attacker could engineer such a situation to occur, they might be able to make loops or other arbitrary chains of linear pagetables, as described in XSA-240. A malicious or buggy PV guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be excluded. All versions of Xen are vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. Only systems which have enabled linear pagetables are vulnerable. 
Systems which have disabled linear pagetables, either by selecting CONFIG_PV_LINEAR_PT=n when building the hypervisor, or adding pv-linear-pt=false on the command-line, are not vulnerable.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19578.json","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19578.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19578","reference_id":"","reference_type":"","scores":[{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.32125","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.32197","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.32165","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.32127","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.32096","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.3212","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349"},{"refer
ence_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-
2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1778161","reference_id":"1778161","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1778161"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944","reference_id":"947944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944"},{"reference_url":"https://security.gentoo.org/glsa/202003-56","reference_id":"GLSA-202003-56","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-56"},{"reference_url":"https://xenbits.xen.org/xsa/advisory-309.html","reference_id":"XSA-309","reference_type":"","scores":[],"url":"https://xenbits.xen.org/xsa/advisory-309.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/a
lpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}],"aliases":["CVE-2019-19578","XSA-309"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-de4m-z2et-6qfe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106388?format=json","vulnerability_id":"VCID-ewxk-sway-qbcy","summary":"An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations, because of an incomplete fix for CVE-2019-18421. XSA-299 addressed several critical issues in restartable PV type change operations. Despite extensive testing and auditing, some corner cases were missed. A malicious PV guest administrator may be able to escalate their privilege to that of the host. All security-supported versions of Xen are vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. 
Note that these attacks require very precise timing, which may be difficult to exploit in practice.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19580.json","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19580.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19580","reference_id":"","reference_type":"","scores":[{"value":"0.00622","scoring_system":"epss","scoring_elements":"0.70484","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00622","scoring_system":"epss","scoring_elements":"0.70525","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00622","scoring_system":"epss","scoring_elements":"0.70534","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00622","scoring_system":"epss","scoring_elements":"0.70517","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00622","scoring_system":"epss","scoring_elements":"0.70505","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00622","scoring_system":"epss","scoring_elements":"0.70528","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350","reference_id"
:"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1
9580","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1778185","reference_id":"1778185","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1778185"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944","reference_id":"947944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944"},{"reference_url":"https://security.gentoo.org/glsa/202003-56","reference_id":"GLSA-202003-56","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-56"},{"reference_url":"https://xenbits.xen.org/xsa/advisory-310.html","reference_id":"XSA-310","reference_type":"","scores":[],"url":"https://xenbits.xen.org/xsa/advisory-310.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/alpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}],"aliases":["CVE-2019-19580","XSA-310"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnera
bilities/VCID-ewxk-sway-qbcy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106385?format=json","vulnerability_id":"VCID-gnx3-uqq5-sfb1","summary":"An issue was discovered in Xen through 4.12.x allowing x86 AMD HVM guest OS users to cause a denial of service or possibly gain privileges by triggering data-structure access during pagetable-height updates. When running on AMD systems with an IOMMU, Xen attempted to dynamically adapt the number of levels of pagetables (the pagetable height) in the IOMMU according to the guest's address space size. The code to select and update the height had several bugs. Notably, the update was done without taking a lock which is necessary for safe operation. A malicious guest administrator can cause Xen to access data structures while they are being modified, causing Xen to crash. Privilege escalation is thought to be very difficult but cannot be ruled out. Additionally, there is a potential memory leak of 4kb per guest boot, under memory pressure. Only Xen on AMD CPUs is vulnerable. Xen running on Intel CPUs is not vulnerable. ARM systems are not vulnerable. Only systems where guests are given direct access to physical devices are vulnerable. Systems which do not use PCI pass-through are not vulnerable. Only HVM guests can exploit the vulnerability. PV and PVH guests cannot. 
All versions of Xen with IOMMU support are vulnerable.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19577.json","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19577.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19577","reference_id":"","reference_type":"","scores":[{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.30949","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.31015","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.30983","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.30948","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.30917","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00123","scoring_system":"epss","scoring_elements":"0.30937","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350","reference_id":"","reference_type":"","scores":[],"url":"ht
tps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580","reference_id":"","reference_type":"","
scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1778194","reference_id":"1778194","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1778194"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944","reference_id":"947944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944"},{"reference_url":"https://security.gentoo.org/glsa/202003-56","reference_id":"GLSA-202003-56","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-56"},{"reference_url":"https://xenbits.xen.org/xsa/advisory-311.html","reference_id":"XSA-311","reference_type":"","scores":[],"url":"https://xenbits.xen.org/xsa/advisory-311.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/alpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url"
:"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}],"aliases":["CVE-2019-19577","XSA-311"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gnx3-uqq5-sfb1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106382?format=json","vulnerability_id":"VCID-jayy-4y1c-87es","summary":"An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service via a XENMEM_add_to_physmap hypercall. p2m->max_mapped_gfn is used by the functions p2m_resolve_translation_fault() and p2m_get_entry() to sanity check guest physical frame. The rest of the code in the two functions will assume that there is a valid root table and check that with BUG_ON(). The function p2m_get_root_pointer() will ignore the unused top bits of a guest physical frame. This means that the function p2m_set_entry() will alias the frame. However, p2m->max_mapped_gfn will be updated using the original frame. It would be possible to set p2m->max_mapped_gfn high enough to cover a frame that would lead p2m_get_root_pointer() to return NULL in p2m_get_entry() and p2m_resolve_translation_fault(). Additionally, the sanity check on p2m->max_mapped_gfn is off-by-one allowing \"highest mapped + 1\" to be considered valid. However, p2m_get_root_pointer() will return NULL. The problem could be triggered with a specially crafted hypercall XENMEM_add_to_physmap{, _batch} followed by an access to an address (via hypercall or direct access) that passes the sanity check but cause p2m_get_root_pointer() to return NULL. A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of Service (DoS). Xen version 4.8 and newer are vulnerable. Only Arm systems are vulnerable. 
x86 systems are not affected.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-18423.json","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-18423.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18423","reference_id":"","reference_type":"","scores":[{"value":"0.05187","scoring_system":"epss","scoring_elements":"0.90086","published_at":"2026-06-04T12:55:00Z"},{"value":"0.05187","scoring_system":"epss","scoring_elements":"0.90102","published_at":"2026-06-05T12:55:00Z"},{"value":"0.05187","scoring_system":"epss","scoring_elements":"0.90101","published_at":"2026-06-06T12:55:00Z"},{"value":"0.05187","scoring_system":"epss","scoring_elements":"0.90099","published_at":"2026-06-08T12:55:00Z"},{"value":"0.05187","scoring_system":"epss","scoring_elements":"0.90113","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-
18420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvenam
e.cgi?name=CVE-2019-19581","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1771344","reference_id":"1771344","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1771344"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944","reference_id":"947944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944"},{"reference_url":"https://security.gentoo.org/glsa/202003-56","reference_id":"GLSA-202003-56","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-56"},{"reference_url":"https://xenbits.xen.org/xsa/advisory-301.html","reference_id":"XSA-301","reference_type":"","scores":[],"url":"https://xenbits.xen.org/xsa/advisory-301.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/alpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}],"aliases":["CVE-2019-18423","XSA-301"],"risk_score":2.6,"exploitability":"0.5","weighted_severity":"5.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jayy-4y1c-87es"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106384?format=json","vulnerability_id":"VCID-jffd-kaam-bqav","summary":"An issue was 
discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by installing and using descriptors. There is missing descriptor table limit checking in x86 PV emulation. When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT. (Most OSes don't install any LDT by default). 32-bit PV guest user mode can elevate its privileges to that of the guest kernel. Xen versions from at least 3.2 onwards are affected. Only 32-bit PV guest user mode can leverage this vulnerability. HVM, PVH, as well as 64-bit PV guests cannot leverage this vulnerability. Arm systems are unaffected.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-18425.json","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-18425.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18425","reference_id":"","reference_type":"","scores":[{"value":"0.04874","scoring_system":"epss","scoring_elements":"0.89742","published_at":"2026-06-04T12:55:00Z"},{"value":"0.04874","scoring_system":"epss","scoring_elements":"0.89759","published_at":"2026-06-07T12:55:00Z"},{"value":"0.04874","scoring_system":"epss","scoring_elements":"0.89775","published_at":"2026-06-09T12:55:00Z"},{"value":"0.04874","scoring_system":"epss","scoring_elements":"0.89761","published_at":"2026-06-06T12:55:00Z"},{"value":"0.04874","scoring_system":"epss","scoring_elements":"0.8976","published_at":"2026-06-08T12:55:00Z
"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425","reference_id":"","reference_type"
:"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1771340","reference_id":"1771340","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cg
i?id=1771340"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944","reference_id":"947944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944"},{"reference_url":"https://security.gentoo.org/glsa/202003-56","reference_id":"GLSA-202003-56","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-56"},{"reference_url":"https://xenbits.xen.org/xsa/advisory-298.html","reference_id":"XSA-298","reference_type":"","scores":[],"url":"https://xenbits.xen.org/xsa/advisory-298.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/alpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}],"aliases":["CVE-2019-18425","XSA-298"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jffd-kaam-bqav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6004?format=json","vulnerability_id":"VCID-srmp-dqh8-gqgk","summary":"multiple 
issues","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-11135.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-11135.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11135","reference_id":"","reference_type":"","scores":[{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.55276","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.55277","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.55284","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.55275","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.55255","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.5522","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0154","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0154"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0155","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0155"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019
-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11139","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11139"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvena
me.cgi?name=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/12/11/1","reference_id":"1","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"http://www.openwall.com/lists/oss-security/2019/12/11/1"},{"reference_ur
l":"https://bugzilla.redhat.com/show_bug.cgi?id=1753062","reference_id":"1753062","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1753062"},{"reference_url":"https://seclists.org/bugtraq/2020/Jan/21","reference_id":"21","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://seclists.org/bugtraq/2020/Jan/21"},{"reference_url":"https://seclists.org/bugtraq/2019/Nov/26","reference_id":"26","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://seclists.org/bugtraq/2019/Nov/26"},{"reference_url":"https://seclists.org/bugtraq/2019/Dec/28","reference_id":"28","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://seclists.org/bugtraq/2019/Dec/28"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/12/10/3","reference_id":"3","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"http://www.openwall.com/lists/oss-security/2019/12/10/3"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/12/10/4","reference_id":"4","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"http://www.openwall.com/lists/oss-security/2019/12/10/4"},{"reference_url":"https://usn.ubuntu.com/4186-2/","reference_id":"4186-2","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://usn.ubuntu.com/4186-2/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944","reference_id":"947944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944"},{"reference_url":"https://security.archlinux.org/ASA-201911-14","reference_id":"ASA-201911-14","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201911-14"},{"reference_url":"https://security.archlinux.org/AVG-1068","reference_id":"AVG-1068","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1068"},{"reference_url":"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03968en_us","reference_id":"display?docLocale=en_US&docId=emr_na-hpesbhf03968en_us","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03968en_us"},{"reference_url":"https://www.debian.org/security/2020/dsa-4602","reference_id":"dsa-4602","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","s
coring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://www.debian.org/security/2020/dsa-4602"},{"reference_url":"https://security.gentoo.org/glsa/202003-56","reference_id":"GLSA-202003-56","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://security.gentoo.org/glsa/202003-56"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/","reference_id":"I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/"},{"reference_url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10306","reference_id":"index?page=content&id=SB10306","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10306"},{"reference_url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html","reference_id":"intel-sa-00270.html","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"
}],"url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/","reference_id":"IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/"},{"reference_url":"https://support.f5.com/csp/article/K02912734?utm_source=f5support&amp%3Butm_medium=RSS","reference_id":"K02912734?utm_source=f5support&amp%3Butm_medium=RSS","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://support.f5.com/csp/article/K02912734?utm_source=f5support&amp%3Butm_medium=RSS"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/12/msg00035.html","reference_id":"msg00035.html","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2019/12/msg00035.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00042.html","reference_id":"msg00042.html","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_e
lements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00042.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00045.html","reference_id":"msg00045.html","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00045.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00046.html","reference_id":"msg00046.html","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00046.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3832","reference_id":"RHSA-2019:3832","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3832"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3833","reference_id":"RHSA-2019:3833","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3833"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3834","reference_id":"RHSA-2019:3834","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3834"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3835","reference_id":"RHSA-2019:3835","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3835"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3836","reference_id":"RHSA-2019:3836","reference_type":"","scores":[],"url":"https://access.r
edhat.com/errata/RHSA-2019:3836"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3837","reference_id":"RHSA-2019:3837","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3837"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3838","reference_id":"RHSA-2019:3838","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3838"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3839","reference_id":"RHSA-2019:3839","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3839"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3840","reference_id":"RHSA-2019:3840","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3840"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3841","reference_id":"RHSA-2019:3841","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3841"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3842","reference_id":"RHSA-2019:3842","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3842"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3843","reference_id":"RHSA-2019:3843","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3843"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3844","reference_id":"RHSA-2019:3844","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3844"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3860","reference_id":"RHSA-2019:3860","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3860"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3936","reference_id":"RHSA-2019:3936","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"
ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://access.redhat.com/errata/RHSA-2019:3936"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0026","reference_id":"RHSA-2020:0026","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://access.redhat.com/errata/RHSA-2020:0026"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0028","reference_id":"RHSA-2020:0028","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://access.redhat.com/errata/RHSA-2020:0028"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0204","reference_id":"RHSA-2020:0204","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://access.redhat.com/errata/RHSA-2020:0204"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0279","reference_id":"RHSA-2020:0279","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://access.redhat.com/errata/RHSA-2020:0279"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0366","reference_id":"RHSA-2020:0366","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements
":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://access.redhat.com/errata/RHSA-2020:0366"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0555","reference_id":"RHSA-2020:0555","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://access.redhat.com/errata/RHSA-2020:0555"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0666","reference_id":"RHSA-2020:0666","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://access.redhat.com/errata/RHSA-2020:0666"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0730","reference_id":"RHSA-2020:0730","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"https://access.redhat.com/errata/RHSA-2020:0730"},{"reference_url":"http://packetstormsecurity.com/files/155375/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html","reference_id":"Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:20:56Z/"}],"url":"http://packetstormsecurity.com/files/155375/Sla
ckware-Security-Advisory-Slackware-14.2-kernel-Updates.html"},{"reference_url":"https://usn.ubuntu.com/4182-1/","reference_id":"USN-4182-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4182-1/"},{"reference_url":"https://usn.ubuntu.com/4182-2/","reference_id":"USN-4182-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4182-2/"},{"reference_url":"https://usn.ubuntu.com/4183-1/","reference_id":"USN-4183-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4183-1/"},{"reference_url":"https://usn.ubuntu.com/4184-1/","reference_id":"USN-4184-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4184-1/"},{"reference_url":"https://usn.ubuntu.com/4185-1/","reference_id":"USN-4185-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4185-1/"},{"reference_url":"https://usn.ubuntu.com/4185-2/","reference_id":"USN-4185-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4185-2/"},{"reference_url":"https://usn.ubuntu.com/4187-1/","reference_id":"USN-4187-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4187-1/"},{"reference_url":"https://usn.ubuntu.com/4188-1/","reference_id":"USN-4188-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4188-1/"},{"reference_url":"https://xenbits.xen.org/xsa/advisory-305.html","reference_id":"XSA-305","reference_type":"","scores":[],"url":"https://xenbits.xen.org/xsa/advisory-305.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/alpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}],"aliases":["CVE-2019-11135","XSA-305"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-srmp-dqh8-gqgk"},{"url
":"http://public2.vulnerablecode.io/api/vulnerabilities/106383?format=json","vulnerability_id":"VCID-t156-ee63-e3e5","summary":"An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device. This occurs because passed through PCI devices may corrupt host memory after deassignment. When a PCI device is assigned to an untrusted domain, it is possible for that domain to program the device to DMA to an arbitrary address. The IOMMU is used to protect the host from malicious DMA by making sure that the device addresses can only target memory assigned to the guest. However, when the guest domain is torn down, or the device is deassigned, the device is assigned back to dom0, thus allowing any in-flight DMA to potentially target critical host data. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. 
Systems which do not use PCI pass-through are not vulnerable.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-18424.json","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-18424.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18424","reference_id":"","reference_type":"","scores":[{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30301","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30374","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30339","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.3031","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30279","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30295","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350","reference_id":"","reference_type":"","scores":[],"ur
l":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580","reference_id":"","reference_type
":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1767730","reference_id":"1767730","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1767730"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944","reference_id":"947944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944"},{"reference_url":"https://security.gentoo.org/glsa/202003-56","reference_id":"GLSA-202003-56","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-56"},{"reference_url":"https://xenbits.xen.org/xsa/advisory-302.html","reference_id":"XSA-302","reference_type":"","scores":[],"url":"https://xenbits.xen.org/xsa/advisory-302.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/alpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resourc
e_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}],"aliases":["CVE-2019-18424","XSA-302"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t156-ee63-e3e5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106390?format=json","vulnerability_id":"VCID-tf48-tz1z-7bd8","summary":"An issue was discovered in Xen through 4.12.x allowing x86 guest OS users to cause a denial of service (infinite loop) because certain bit iteration is mishandled. In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: On x86 accesses to bitmaps with a compile time known size of 64 may incur undefined behavior, which may in particular result in infinite loops. A malicious guest may cause a hypervisor crash or hang, resulting in a Denial of Service (DoS). All versions of Xen are vulnerable. x86 systems with 64 or more nodes are vulnerable (there might not be any such systems that Xen would run on). 
x86 systems with less than 64 nodes are not vulnerable.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19582.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19582.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19582","reference_id":"","reference_type":"","scores":[{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28594","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28667","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28626","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28589","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28556","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28562","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350","reference_id":"","reference_type":"","scores":[],"url":"h
ttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580","reference_id":"","reference_type":"",
"scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1778191","reference_id":"1778191","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1778191"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944","reference_id":"947944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944"},{"reference_url":"https://security.gentoo.org/glsa/202003-56","reference_id":"GLSA-202003-56","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-56"},{"reference_url":"https://xenbits.xen.org/xsa/advisory-307.html","reference_id":"XSA-307","reference_type":"","scores":[],"url":"https://xenbits.xen.org/xsa/advisory-307.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/alpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url
":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}],"aliases":["CVE-2019-19582","XSA-307"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tf48-tz1z-7bd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106381?format=json","vulnerability_id":"VCID-yvvz-9ekb-ebg4","summary":"An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service or gain privileges by leveraging the erroneous enabling of interrupts. Interrupts are unconditionally unmasked in exception handlers. When an exception occurs on an ARM system which is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. So exceptions which occur when interrupts are masked will effectively unmask the interrupts. A malicious guest might contrive to arrange for critical Xen code to run with interrupts erroneously enabled. This could lead to data corruption, denial of service, or possibly even privilege escalation. 
However a precise attack technique has not been identified.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-18422.json","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-18422.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18422","reference_id":"","reference_type":"","scores":[{"value":"0.03469","scoring_system":"epss","scoring_elements":"0.87757","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03469","scoring_system":"epss","scoring_elements":"0.87779","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03469","scoring_system":"epss","scoring_elements":"0.87781","published_at":"2026-06-08T12:55:00Z"},{"value":"0.03469","scoring_system":"epss","scoring_elements":"0.87793","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre
.org/cgi-bin/cvename.cgi?name=CVE-2019-18420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581","reference_id":"","reference_type":"","scores":[],"url
":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19581"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19583"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1771442","reference_id":"1771442","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1771442"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944","reference_id":"947944","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947944"},{"reference_url":"https://xenbits.xen.org/xsa/advisory-303.html","reference_id":"XSA-303","reference_type":"","scores":[],"url":"https://xenbits.xen.org/xsa/advisory-303.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/411328?format=json","purl":"pkg:apk/alpine/xen@4.13.0-r0?arch=x86&distroversion=v3.11&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}],"aliases":["CVE-2019-18422","XSA-303"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yvvz-9ekb-ebg4"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/xen@4.13.0-r0%3Farch=x86&distroversion=v3.11&reponame=main"}