CVE Tools
Sign in

CVE-2023-46836

x86: BTC/SRSO fixes not fully effective

Published: Jan 5, 2024Updated: Nov 4, 2025 Sources: CVE List NVD BDUNVD-CWE-noinfo
NVD MITRE
4.7CVSSMEDIUM
EPSS Score
0.3%
Top 84.0%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths; one unconditionally, and one conditionally on whether XPTI was active. As BTC/SRSO and Meltdown affect different CPU vendors, the mitigations are not active together by default. Therefore, there is a race condition whereby a malicious PV guest can bypass BTC/SRSO protections and launch a BTC/SRSO attack against Xen.

CVSS Vector Breakdown

AV:LAC:HPR:LUI:NS:UC:HI:NA:N
Exploitability
AV:LAttack Vector
Local
AC:HAttack Complexity
High
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

NVD-CWE-noinfo

Affected Products

xenxen
On-prem
Cloud & SaaS / virtualization
XenXen
On-prem
Cloud & SaaS / virtualization
OpenSUSE LeapNovell Inc.
On-premOS
Operating Systems / linux-distro
SUSE Linux Enterprise Server for SAP ApplicationsNovell Inc.
On-premOS
Operating Systems / linux-distro
SUSE Linux Enterprise Software Development KitNovell Inc.
On-premDev Tool
DevTools & CI / build-test-tools
xenoss-projectGBCloud & SaaSaka xapi, qemu
novell inc.commercialUSOperating Systems
and 16 more affected products View all →

Exploitability

Official Patch Available
Workaround Available

References

https://xenbits.xenproject.org/xsa/advisory-446.html
xenbits.xenproject.org
http://xenbits.xen.org/xsa/advisory-446.html
xenbits.xen.org
https://security-tracker.debian.org/tracker/CVE-2023-46836
security-tracker.debian.org
and 3 more references View all →

Timeline

Published
Jan 5, 2024
Last Updated
Nov 4, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2023-46836 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows