CVE-2017-15591
CVE-2017-15591 is a medium-severity vulnerability in Xen with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-20.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v2: 4.9
- EPSS exploit prediction: 0% (25th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-20
- Affected product: Xen
- Published:
- Last modified:
Description
An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers (who control a stub domain kernel or tool stack) to cause a denial of service (host OS crash) because of a missing comparison (of range start to range end) within the DMOP map/unmap implementation.
Frequently asked questions
- What is CVE-2017-15591?
- An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers (who control a stub domain kernel or tool stack) to cause a denial of service (host OS crash) because of a missing comparison (of range start to range end) within the DMOP map/unmap implementation.
- How severe is CVE-2017-15591?
- CVE-2017-15591 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2017-15591 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (25th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2017-15591?
- CVE-2017-15591 primarily affects Xen. In total, 18 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-15591?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2017-15591 published?
- CVE-2017-15591 was published on 2017-10-18 and last updated on 2026-06-17.
References
Affected products (18)
- cpe:2.3:o:xen:xen:4.5.0:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.5.1:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.5.2:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.5.3:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.5.5:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.6.0:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.6.1:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.6.3:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.6.4:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.6.5:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.6.6:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.7.0:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.7.2:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.7.3:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.8.0:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.8.1:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:4.9.0:*:*:*:*:*:*:*
More vulnerabilities in Xen
- CVE-2017-10921 — Critical (CVSS 10.0): The grant-table feature in Xen through 4.8.x does not ensure sufficient type counts for a GNTMAP_device_map and…
- CVE-2017-10920 — Critical (CVSS 10.0): The grant-table feature in Xen through 4.8.x mishandles a GNTMAP_device_map and GNTMAP_host_map mapping, when followed…
- CVE-2017-10918 — Critical (CVSS 10.0): Xen through 4.8.x does not validate memory allocations during certain P2M operations, which allows guest OS users to…
- CVE-2017-10912 — Critical (CVSS 10.0): Xen through 4.8.x mishandles page transfer, which allows guest OS users to obtain privileged host OS access, aka…
- CVE-2015-8104 — Critical (CVSS 10.0): The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a…
- CVE-2018-12892 — Critical (CVSS 9.9): An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass the readonly flag to qemu when setting up a SCSI…
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →