PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9377 Xen CVE debrief

CVE-2016-9377 is a denial-of-service issue in Xen 4.5.x through 4.7.x running on AMD systems that lack the NRip feature (the SVM "next RIP save" capability, which hands the hypervisor the address of the instruction following an intercepted one so it does not have to decode that instruction itself). Per the CVE description and NVD data, a local user inside an HVM guest can crash that guest when Xen emulates an instruction that generates a software interrupt, because the emulation path miscalculates the IDT entry. The impact is availability only, and the supplied record rates it medium severity.

Vendor
Xen
Product
Xen
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-22
Original CVE updated
2026-05-13
Advisory published
2017-02-22
Advisory updated
2026-05-13

Who should care

Xen administrators, virtualization teams, and platform owners running affected Xen versions on AMD hardware without NRip should pay attention, especially where untrusted or multi-tenant HVM guests are allowed. The trigger is unprivileged code running inside an HVM guest, and the impact described in the record is a crash of that guest; hosts on Intel hardware, or on AMD hardware with NRip, do not meet the stated precondition but are still in the advisory's version range.

Technical summary

The NVD record identifies Xen versions 4.5.0 through 4.7.1 as vulnerable. On affected AMD systems without NRip, Xen's emulation path for instructions that generate software interrupts can miscalculate an IDT entry, allowing a local HVM guest OS user to trigger a denial of service in the guest. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: local attack vector, low complexity, low privileges, no user interaction, unchanged scope (the impact stays within the guest that triggers it), and high availability impact with no confidentiality or integrity impact. The weakness is mapped to CWE-682 (Incorrect Calculation) in the source data.

Defensive priority

Medium. This is a local-impact availability issue rather than a remote code execution flaw, but it can still disrupt guest workloads and should be prioritized on affected Xen/AMD deployments.

Recommended defensive actions

  • Review the Xen security advisory XSA-196 and apply the vendor or distribution-fixed package for affected hosts.
  • Confirm whether your AMD systems lack NRip support and inventory Xen hosts running 4.5.x through 4.7.x.
  • Use the linked Gentoo GLSA as a reference point for downstream remediation guidance and package status.
  • After updating, confirm the running hypervisor reports the fixed version and watch for unexplained HVM guest crashes or hypervisor stability regressions through normal operational monitoring and incident procedures.
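The inventory step above (find hosts in the affected version range, then determine whether the AMD-without-NRip precondition holds) can be scripted. The script below is an added example and is not PatchSiren or Xen project code. It assumes three things the page does not state: that the affected range is 4.5.0 through 4.7.1 inclusive, as the technical summary gives it (confirm fixed versions against XSA-196 itself); that `xl info` reports the hypervisor as `xen_version : X.Y.Z`; and that Xen's boot log, as shown by `xl dmesg`, lists "Next-RIP Saved on #VMEXIT" under "SVM: Supported advanced features" when the CPU has NRip (adjust the pattern if your build words it differently). The log excerpts embedded in the script are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example (not PatchSiren or Xen project code): triage a Xen host for
# CVE-2016-9377 / XSA-196 exposure. Assumptions are marked in the comments.

# Return 0 if VERSION (e.g. 4.7.1, 4.6, 4.7.1-pre) falls in 4.5.0 .. 4.7.1.
# Assumption: this is the affected range; check fixed releases against XSA-196.
xen_affected() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;;  # drop "-pre" style suffixes
        *)   patch=0 ;;                                     # "4.6" means 4.6.0
    esac
    case "$major$minor" in *[!0-9]*|'') return 1 ;; esac    # not a parseable version
    [ "$major" -eq 4 ] || return 1
    case "$minor" in
        5|6) return 0 ;;
        7)   [ "${patch:-0}" -le 1 ] && return 0 ;;
    esac
    return 1
}

# Classify an `xl dmesg` capture:
#   no-svm   not an AMD SVM host, so the AMD-specific precondition does not apply
#   nrip     SVM host and the CPU reports next-RIP save
#   no-nrip  SVM host without next-RIP save (the configuration the CVE names)
# Assumption: Xen logs the feature as "Next-RIP Saved on #VMEXIT".
svm_nrip_status() {
    case "$1" in
        *"SVM enabled"*|*"SVM: Supported advanced features"*) ;;
        *) echo no-svm; return 0 ;;
    esac
    case "$1" in
        *"Next-RIP Saved on #VMEXIT"*) echo nrip ;;
        *) echo no-nrip ;;
    esac
}

# Combine both checks for one host:
#   exposed       affected Xen on AMD without NRip: the CVE's preconditions are met
#   patch-only    affected Xen version, but NRip present or not an AMD SVM host;
#                 still update, the version is inside the advisory's range
#   not-affected  Xen outside the affected range
triage() {
    if ! xen_affected "$1"; then echo not-affected; return 0; fi
    case "$(svm_nrip_status "$2")" in
        no-nrip) echo exposed ;;
        *)       echo patch-only ;;
    esac
}

# Constructed sample boot-log excerpts (not real captures).
SAMPLE_NO_NRIP='(XEN) HVM: SVM enabled
(XEN) SVM: Supported advanced features:
(XEN)  - Nested Page Tables (NPT)
(XEN)  - Last Branch Record (LBR) Virtualisation
(XEN) HVM: Hardware Assisted Paging (HAP) detected'
SAMPLE_NRIP="$SAMPLE_NO_NRIP
(XEN)  - Next-RIP Saved on #VMEXIT"
SAMPLE_INTEL='(XEN) HVM: VMX enabled
(XEN) VMX: Supported advanced features:
(XEN)  - APIC MMIO access virtualisation'

# Run against the live host with --live; otherwise exercise the samples.
if [ "${1:-}" = "--live" ] && command -v xl >/dev/null 2>&1; then
    live_ver=$(xl info | awk '$1 == "xen_version" { print $3 }')
    live_log=$(xl dmesg)
    echo "Xen $live_ver: $(triage "$live_ver" "$live_log")"
else
    for v in 4.5.0 4.7.1 4.7.2; do
        echo "Xen $v, AMD without NRip: $(triage "$v" "$SAMPLE_NO_NRIP")"
        echo "Xen $v, AMD with NRip:    $(triage "$v" "$SAMPLE_NRIP")"
        echo "Xen $v, Intel host:       $(triage "$v" "$SAMPLE_INTEL")"
    done
fi
```

Run it as `sh check_xsa196.sh --live` on each dom0 from your inventory and collect the one-line verdicts; a host classified `patch-only` is still inside the advisory's version range and should be updated on the same schedule, the classification only tells you which hosts can actually hit the crash path today.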

Evidence notes

The supplied NVD metadata states the affected product scope as Xen 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.5, 4.6.0, 4.6.1, 4.6.3, 4.6.4, 4.7.0, and 4.7.1. The CVE description adds the AMD-without-NRip condition and the local HVM guest-triggered guest crash behavior. Timing context: the CVE was published on 2017-02-22, and the NVD record was last modified on 2026-05-13; the modified date is a record-update date, not the vulnerability date.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-22. The NVD entry shown in the source corpus was last modified on 2026-05-13. The vendor advisory referenced for this issue is XSA-196, and the Gentoo GLSA cited under Recommended defensive actions is the downstream distribution advisory in the stored evidence.