A large value in the TXCNT register to exceed the available memory on the device, this allows an attacker with root privileges in the guest to poke unexpected data into the device, which results in a complete compromise of the bochs process (see bx_ne2k_c::rx_frame(), where s.mem is 32768 bytes, and values up to 0xffff can be inserted into parameter iolen via the TXCNT register)
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Public via http://taviso.decsystem.org/virtsec.pdf note that NE2000 is not enabled by default, see http://lists.xensource.com/archives/html/xen-devel/2007-05/msg00021.html
Not vulnerable. This issue did not affect Xen as shipped with Red Hat Enterprise Linux 5.