Alpine: multiple xen packages: security update to 4.7.0-r1

high Tenable Self-Hosted Container Security Plugin ID 424704

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The get_page_from_l3e function in arch/x86/mm.c in Xen allows local 32-bit PV guest OS administrators to
gain host OS privileges via vectors related to L3 recursive pagetables. (CVE-2016-7092)

- Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to overwrite hypervisor memory and
consequently gain host OS privileges by leveraging mishandling of instruction pointer truncation during
emulation. (CVE-2016-7093)

- Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS administrators on guests running
with shadow paging to cause a denial of service via a pagetable update. (CVE-2016-7094)

See Also

https://security.alpinelinux.org/vuln/CVE-2016-7092

https://security.alpinelinux.org/vuln/CVE-2016-7093

https://security.alpinelinux.org/vuln/CVE-2016-7094

Plugin Details

Severity: High

ID: 424704

Version: Revision 1.8

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-7093

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.1

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 9/8/2016

Reference Information

CVE: CVE-2016-7092, CVE-2016-7093, CVE-2016-7094

BID: 92862, 92864, 92865

IAVA: 2016-A-0234-S

IAVB: 2016-B-0140-S