The grant table hypercall's GNTTABOP_swap_grant_ref sub-operation does not perform adequate checks on the input grant references. A malicious guest kernel or administrator can crash the host. It may be possible for an attacker to swap a valid grant reference, which they control, with an invalid one allowing them to write abitrary values to hypervisor memory. This could potentially lead to a privilege escalation. Acknowledgements: Red Hat would like to thank the Xen project for reporting this issue.
Statement: Not vulnerable. This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5. This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as we did not have support for Xen hypervisor.
Now public via: http://seclists.org/oss-sec/2012/q3/382
Created xen tracking bugs for this issue Affects: fedora-all [bug 854595]