The Xen Project has disclosed details of a critical flaw that could be used by hackers to crash servers hosting virtual machines.
Details about the threat were revealed in a blog post, following suggestions that Xen customers were under threat.
The speculation began after high-profile customers Amazon and Rackspace temporarily shut down parts of their services to perform unspecified "security updates and maintenance".
Xen is a free, open-source hypervisor that is widely used by cloud computing providers and virtual private server hosting companies to create and run virtual machines.
The flaw, listed by Xen as XSA-108, is serious as it could be used by hackers to crash servers and steal data.
"XSA-108 was caused by a bug in the emulation code used when running HVM guests on x86 processors. The bug allows an attacker with elevated guest OS privileges to crash the host or to read up to three KiB of random memory that might not be assigned to the guest," read the advisory.
"The memory could contain confidential information if it is assigned to a different guest or the hypervisor."
Xen released a patch under a non-disclosure agreement to customers last week in a bid to let them plug the flaw without alerting criminal hackers to it.
The Xen Project listed the successful deployment of the patch as proof of the effectiveness of private disclosure policies, although it remains unclear how many users have installed it.
"[We] encourage people who find security issues to report them in private, [to] enable software vendors who distribute Xen Project software, public cloud and hosting providers and large scale users of Xen Project Software to address an issue in private such that risk of exposure to their users is minimised," argued the project.
"We believe that the process has been working well, as it did for XSA-108. Several cloud providers updated their servers, something that they decided was necessary in this case to best ensure their users were not put at risk. Most likely smaller vendors have done the same."
Responsible vulnerability disclosure is an ongoing matter of debate in the technology community. Google announced a wave of reforms to its Chrome Bug Bounty Programme's submission policy on 1 October, designed to make submissions easier for bug hunters.