CVE-2017-7995

low
Published 2017-05-03 · Modified 2026-05-13
CVSS v3: 3.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
CVSS v2: 1.7
VIR risk: 3.8

Description

Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges only after accessing them, allowing host PCI device space memory reads, leading to information disclosure. This is an error in the get_user function. NOTE: the upstream Xen Project considers versions before 4.5.x to be EOL.

Predictions

Exploit likelihood: 38%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-7995

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-7995.html

OS impact

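| OS | Version | Status | Fixed in |
|---|---|---|---|
| suse sles | | affected | |
| suse suse | 11.0 | affected | |
| debian debian | bookworm | fixed | 4.3.0-1 |
| debian debian | bullseye | fixed | 4.3.0-1 |
| debian debian | forky | fixed | 4.3.0-1 |
| debian debian | sid | fixed | 4.3.0-1 |
| debian debian | trixie | fixed | 4.3.0-1 |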

Application impact

| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| suse | manager | 2.1 | |
| suse | manager_proxy | 2.1 | |
| suse | openstack_cloud | 5 | |

References

CWEs

CWE-200
