PatchSiren cyber security CVE debrief
CVE-2016-9816 Xen CVE debrief
CVE-2016-9816 describes a denial-of-service issue in Xen on ARM systems where a local guest OS user can cause the host to crash by triggering an asynchronous abort while the hypervisor is running at EL2. NVD rates the issue 6.5 (medium) with local access and high availability impact. The record points to vendor advisory and patch material for Xen, and affected CPEs include Xen 4.7.0 and 4.7.1.
- Vendor: Xen
- Product: CVE-2016-9816
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-27
- Advisory updated: 2026-05-13
Who should care
Teams operating Xen on ARM hardware, especially platform owners, virtualization administrators, and distro maintainers responsible for patching host hypervisors.
Technical summary
The NVD description states that Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at EL2. NVD lists CVSS v3.0 AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H and CWE-284. The supplied CPE criteria mark Xen 4.7.0 and 4.7.1 as vulnerable, and the reference set includes an oss-security mailing list discussion, Xen Security Advisory 201 (XSA-201), an accompanying patch, and a Gentoo GLSA entry.
Defensive priority
Medium priority: this is a host denial-of-service vulnerability affecting Xen ARM deployments, so patching is important wherever affected versions are in use, but the issue is not listed in CISA KEV in the supplied data.
Recommended defensive actions
- Identify Xen ARM hosts and confirm whether they run Xen 4.7.0 or 4.7.1, or another build covered by the vendor advisory.
- Apply the Xen Security Advisory 201 fix or a vendor-provided package update that incorporates the patch.
- Use distribution security advisories, such as the referenced Gentoo GLSA, to verify backported fixes for your platform.
- Treat the issue as a hypervisor availability risk and prioritize remediation on shared or production ARM virtualization hosts.
- After updating, validate the running Xen package/build version against your normal patch-management records.
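The inventory step above (confirm whether a host runs Xen through 4.7.x on ARM) can be scripted against the key/value output of `xl info`. The script below is an added example written for this debrief; it is not code from the Xen project or from XSA-201. It relies on the `xen_major`, `xen_minor` and `machine` fields that `xl info` prints, and it assumes (labelled in the code) that the `machine` field carries the `uname -m` value, so ARM hosts report `aarch64` or `armv7l`. The sample `xl info` excerpts are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example for the inventory step in the debrief; not code from the Xen
# project or from the advisory. It parses the key/value output of `xl info`
# (fields xen_major, xen_minor and machine) and reports whether the host falls
# in the range the debrief names: Xen through 4.7.x on an ARM host.
# Assumption: the "machine" field carries the uname -m value, so ARM hosts
# report aarch64 or armv7l; adjust the pattern if your platform differs.

# xen_affected: reads `xl info` output on stdin and prints "affected" or
# "not-affected". A host patched via a vendor backport keeps its 4.7.x version
# string, so a hit here means "check the package changelog against XSA-201",
# not "confirmed vulnerable".
xen_affected() {
    awk -F'[ \t]*:[ \t]*' '
        $1 == "xen_major" { major = $2 + 0 }
        $1 == "xen_minor" { minor = $2 + 0 }
        $1 == "machine"   { machine = $2 }
        END {
            arm = (machine ~ /^(aarch64|arm)/)
            # "through 4.7.x": anything below 4.8 is in scope
            in_range = (major < 4 || (major == 4 && minor <= 7))
            if (arm && in_range)
                printf "affected\n"
            else
                printf "not-affected\n"
        }'
}

# Constructed `xl info` excerpts (not captured from real hosts) used to
# exercise the check; the real command prints many more lines, which the
# awk filter ignores.
sample_arm_471() {
    printf '%s\n' \
        'host                   : arm-host-1' \
        'machine                : aarch64' \
        'xen_major              : 4' \
        'xen_minor              : 7' \
        'xen_extra              : .1' \
        'xen_version            : 4.7.1'
}

sample_arm_480() {
    printf '%s\n' \
        'host                   : arm-host-2' \
        'machine                : aarch64' \
        'xen_major              : 4' \
        'xen_minor              : 8' \
        'xen_extra              : .0' \
        'xen_version            : 4.8.0'
}

# Same Xen version as the first sample but on x86; the CVE is ARM-only.
sample_x86_471() {
    printf '%s\n' \
        'host                   : x86-host-1' \
        'machine                : x86_64' \
        'xen_major              : 4' \
        'xen_minor              : 7' \
        'xen_extra              : .1' \
        'xen_version            : 4.7.1'
}

# On a live host run:  xl info | xen_affected
for s in sample_arm_471 sample_arm_480 sample_x86_471; do
    printf '%s: %s\n' "$s" "$($s | xen_affected)"
done
```

Because the version string does not change when a distribution backports the XSA-201 patch, treat an "affected" result as a prompt to compare the installed package against the distro advisory (for example the referenced Gentoo GLSA), as the last two recommended actions describe.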
Evidence notes
This debrief is based only on the supplied NVD record and its referenced vendor and community advisories. The CVE was published on 2017-02-27 and last modified on 2026-05-13 in the supplied data. The source description explicitly mentions a local ARM guest OS user causing a host crash through an asynchronous abort at EL2. The NVD metadata also supplies the severity vector, CWE-284 classification, and vulnerable CPE criteria for Xen 4.7.0 and 4.7.1.
Official resources
- CVE-2016-9816 CVE record (CVE.org)
- CVE-2016-9816 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference (link not preserved): Mailing List, Mitigation, Third Party Advisory
- Mitigation or vendor reference (link not preserved): Mailing List, Third Party Advisory
- Mitigation or vendor reference (link not preserved): Third Party Advisory, VDB Entry
- Mitigation or vendor reference (link not preserved): Mitigation, Patch, Vendor Advisory
- Mitigation or vendor reference (link not preserved): Patch, Vendor Advisory
The supplied CVE record shows a publication date of 2017-02-27 and a last modified date of 2026-05-13. The record is marked as modified in NVD and includes vendor and third-party references for mitigation and patching.