If realloc(3) fails then libxl_list_cpupool will incorrectly return the now-free original pointer. An attacker may be able to cause a multithreaded toolstack using this function to race against itself leading to heap corruption and a potential DoS. Depending on the malloc implementation code execution cannot be ruled out. Acknowledgements: Red Hat would like to thank the Xen project for reporting this issue.
Statement: Not vulnerable. This issue does not affect the versions of the xen package as shipped with Red Hat Enterprise Linux 5 as it does not provide support for the libxl toolstack. This issue does not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2.
External References: http://xenbits.xen.org/xsa/advisory-70.html
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1017843]