Refine your search
225 vulnerabilities found for xen by Xen
CERTFR-2026-AVI-0347
Vulnerability from certfr_avis
Une vulnérabilité a été découverte dans Xen. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Xen sur Linux sans les correctifs de s\u00e9curit\u00e9 xsa482-linux-1.patch et xsa482-linux-2.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-31788",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31788"
}
],
"initial_release_date": "2026-03-24T00:00:00",
"last_revision_date": "2026-03-24T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0347",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-03-24T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Xen. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Vuln\u00e9rabilit\u00e9 dans Xen",
"vendor_advisories": [
{
"published_at": "2026-03-24",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-482",
"url": "https://xenbits.xen.org/xsa/advisory-482.html"
}
]
}
CERTFR-2026-AVI-0304
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Xen. Elles permettent à un attaquant de provoquer une élévation de privilèges, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Xen versions 4.17.x sans le correctif de s\u00e9curit\u00e9 xsa480.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen versions 4.18.x sans le correctif de s\u00e9curit\u00e9 xsa481.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-23554",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23554"
},
{
"name": "CVE-2026-23555",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23555"
}
],
"initial_release_date": "2026-03-17T00:00:00",
"last_revision_date": "2026-03-17T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0304",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-03-17T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Xen. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Xen",
"vendor_advisories": [
{
"published_at": "2026-03-17",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-480",
"url": "https://xenbits.xen.org/xsa/advisory-480.html"
},
{
"published_at": "2026-03-17",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-481",
"url": "https://xenbits.xen.org/xsa/advisory-481.html"
}
]
}
CERTFR-2026-AVI-0091
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Xen. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| XEN | Xen | Xen versions xen-unstable sans les correctifs de sécurité xsa477.patch et xsa479.patch | ||
| XEN | Xen | Xen versions 4.18.x sans les correctifs de sécurité xsa477-4.18.patch et xsa479.patch | ||
| XEN | Xen | Xen versions 4.19.x sans le correctif de securité xsa477.patch | ||
| XEN | Xen | Xen version varstored master sans le correctif de sécurité xsa478.patch |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Xen versions xen-unstable sans les correctifs de s\u00e9curit\u00e9 xsa477.patch et xsa479.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen versions 4.18.x sans les correctifs de s\u00e9curit\u00e9 xsa477-4.18.patch et xsa479.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen versions 4.19.x sans le correctif de securit\u00e9 xsa477.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen version varstored master sans le correctif de s\u00e9curit\u00e9 xsa478.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-23553",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23553"
},
{
"name": "CVE-2025-58151",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58151"
},
{
"name": "CVE-2025-58150",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58150"
}
],
"initial_release_date": "2026-01-27T00:00:00",
"last_revision_date": "2026-01-27T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0091",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-27T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Xen. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Xen",
"vendor_advisories": [
{
"published_at": "2026-01-27",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-477",
"url": "https://xenbits.xen.org/xsa/advisory-477.html"
},
{
"published_at": "2026-01-27",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-478",
"url": "https://xenbits.xen.org/xsa/advisory-478.html"
},
{
"published_at": "2026-01-27",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-479",
"url": "https://xenbits.xen.org/xsa/advisory-479.html"
}
]
}
CERTFR-2025-AVI-0927
Vulnerability from certfr_avis
Une vulnérabilité a été découverte dans Xen. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Xen versions xen-unstable sans le correctif de s\u00e9curit\u00e9 xsa476.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen versions 4.x ant\u00e9rieures \u00e0 4.17 avec le correctif de s\u00e9curit\u00e9 xsa476-4.17.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen versions 4.18.x \u00e0 4.20.x sans le correctif de s\u00e9curit\u00e9 xsa476-4.20.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-58149",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58149"
}
],
"initial_release_date": "2025-10-27T00:00:00",
"last_revision_date": "2025-10-27T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0927",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-27T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Xen. Elle permet \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Vuln\u00e9rabilit\u00e9 dans Xen",
"vendor_advisories": [
{
"published_at": "2025-10-24",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-476",
"url": "https://xenbits.xen.org/xsa/advisory-476.html"
}
]
}
CERTFR-2025-AVI-0902
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Xen. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Xen versions 4.20.x sans les correctifs xsa475-1.patch et xsa475-2.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen versions 4.17.x, 4.18.x et 4.19.x sans les correctifs xsa475-4.19-1.patch et xsa475-4.19-2.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-58147",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58147"
},
{
"name": "CVE-2025-58148",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58148"
}
],
"initial_release_date": "2025-10-22T00:00:00",
"last_revision_date": "2025-10-22T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0902",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-22T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Xen. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Xen",
"vendor_advisories": [
{
"published_at": "2025-10-21",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-475",
"url": "https://xenbits.xen.org/xsa/advisory-475.html"
}
]
}
CERTFR-2025-AVI-0771
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Xen. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Xen versions 4.19.x sans le correctif xsa473-?.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen versions 4.17.x sans les correctifs xsa472-?.patch et xsa473-4.18-?.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Xen versions 4.18.x sans le correctif xsa473-4.18-?.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "XAPI sans le correctif xsa474.patch ",
"product": {
"name": "N/A",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-27466",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27466"
},
{
"name": "CVE-2025-58142",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58142"
},
{
"name": "CVE-2025-58145",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58145"
},
{
"name": "CVE-2025-58144",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58144"
},
{
"name": "CVE-2025-58146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58146"
},
{
"name": "CVE-2025-58143",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58143"
}
],
"initial_release_date": "2025-09-10T00:00:00",
"last_revision_date": "2025-09-10T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0771",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-09-10T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Xen. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Xen",
"vendor_advisories": [
{
"published_at": "2025-09-09",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-473",
"url": "https://xenbits.xen.org/xsa/advisory-473.html"
},
{
"published_at": "2025-09-09",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-472",
"url": "https://xenbits.xen.org/xsa/advisory-472.html"
},
{
"published_at": "2025-09-09",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-474",
"url": "https://xenbits.xen.org/xsa/advisory-474.html"
}
]
}
CERTFR-2025-AVI-0571
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Xen. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Xen toutes versions sans le dernier correctif de s\u00e9curit\u00e9 s\u0027ex\u00e9cutant sur les processeurs AMD de type Fam19h",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-36357",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36357"
},
{
"name": "CVE-2024-36350",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36350"
}
],
"initial_release_date": "2025-07-09T00:00:00",
"last_revision_date": "2025-07-09T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0571",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-07-09T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Xen. Elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Xen",
"vendor_advisories": [
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-471",
"url": "https://xenbits.xen.org/xsa/advisory-471.html"
}
]
}
CERTFR-2025-AVI-0551
Vulnerability from certfr_avis
Une vulnérabilité a été découverte dans Xen. Elle permet à un attaquant de provoquer un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Xen versions post\u00e9rieures \u00e0 4.9.x sans les correctifs de s\u00e9curit\u00e9 xsa470.patch et xsa470-4.17.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-27465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27465"
}
],
"initial_release_date": "2025-07-02T00:00:00",
"last_revision_date": "2025-07-02T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0551",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-07-02T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Xen. Elle permet \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance.",
"title": "Vuln\u00e9rabilit\u00e9 dans Xen",
"vendor_advisories": [
{
"published_at": "2025-07-01",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-470",
"url": "https://xenbits.xen.org/xsa/advisory-470.html"
}
]
}
CERTFR-2025-AVI-0456
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Citrix et Xen. Elles permettent à un attaquant de provoquer une élévation de privilèges.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| XEN | Xen | Windows xeniface sans le correctif de sécurité xsa468/xeniface-0x.patch | ||
| XEN | Xen | Windows xencons sans le correctif de sécurité xsa468/xencons-0x.patch | ||
| Citrix | XenServer | XenServer VM Tools versions antérieures à 9.4.1 pour Windows | ||
| XEN | Xen | Windows xenbus sans le correctif de sécurité xsa468/xenbus-01.patch |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Windows xeniface sans le correctif de s\u00e9curit\u00e9 xsa468/xeniface-0x.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "Windows xencons sans le correctif de s\u00e9curit\u00e9 xsa468/xencons-0x.patch ",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
},
{
"description": "XenServer VM Tools versions ant\u00e9rieures \u00e0 9.4.1 pour Windows",
"product": {
"name": "XenServer",
"vendor": {
"name": "Citrix",
"scada": false
}
}
},
{
"description": "Windows xenbus sans le correctif de s\u00e9curit\u00e9 xsa468/xenbus-01.patch",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-27464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27464"
},
{
"name": "CVE-2025-27463",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27463"
},
{
"name": "CVE-2025-27462",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27462"
}
],
"initial_release_date": "2025-05-28T00:00:00",
"last_revision_date": "2025-05-28T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0456",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-05-28T00:00:00.000000"
}
],
"risks": [
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Citrix et Xen. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Citrix et Xen",
"vendor_advisories": [
{
"published_at": "2025-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-468",
"url": "https://xenbits.xen.org/xsa/advisory-468.html"
},
{
"published_at": "2025-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 Citrix CTX692748",
"url": "https://support.citrix.com/s/article/CTX692748-xenserver-and-citrix-hypervisor-security-update-for-cve202527462-cve202527463-cve202527464"
}
]
}
CERTFR-2025-AVI-0391
Vulnerability from certfr_avis
Une vulnérabilité a été découverte dans Xen. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Xen toutes versions sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-28956",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28956"
}
],
"initial_release_date": "2025-05-13T00:00:00",
"last_revision_date": "2025-05-13T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0391",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-05-13T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Xen. Elle permet \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Vuln\u00e9rabilit\u00e9 dans Xen",
"vendor_advisories": [
{
"published_at": "2025-05-12",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-469",
"url": "https://xenbits.xen.org/xsa/advisory-469.html"
}
]
}
CERTFR-2025-AVI-0165
Vulnerability from certfr_avis
Une vulnérabilité a été découverte dans Xen. Elle permet à un attaquant de provoquer un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Xen versions 4.x ant\u00e9rieures \u00e0 4.17.x sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-1713",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1713"
}
],
"initial_release_date": "2025-02-28T00:00:00",
"last_revision_date": "2025-02-28T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0165",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-02-28T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Xen. Elle permet \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance.",
"title": "Vuln\u00e9rabilit\u00e9 dans Xen",
"vendor_advisories": [
{
"published_at": "2025-02-27",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-467",
"url": "https://xenbits.xen.org/xsa/advisory-467.html"
}
]
}
CERTFR-2024-AVI-1093
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans XEN. Elles permettent à un attaquant de provoquer un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Xen toutes versions sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-53241",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53241"
},
{
"name": "CVE-2024-53240",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53240"
}
],
"initial_release_date": "2024-12-18T00:00:00",
"last_revision_date": "2024-12-18T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-1093",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-12-18T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans XEN. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Xen",
"vendor_advisories": [
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 XEN XSA-466",
"url": "https://xenbits.xen.org/xsa/advisory-466.html"
},
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 Xen XSA-465",
"url": "https://xenbits.xen.org/xsa/advisory-465.html"
}
]
}
CERTFR-2024-AVI-0963
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Xen. Elles permettent à un attaquant de provoquer un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Xen versions 4.6.x \u00e0 4.19.x sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "Xen",
"vendor": {
"name": "XEN",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-45818",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45818"
},
{
"name": "CVE-2024-45819",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45819"
}
],
"initial_release_date": "2024-11-12T00:00:00",
"last_revision_date": "2024-11-12T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0963",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-11-12T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Xen. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Xen",
"vendor_advisories": [
{
"published_at": "2024-11-12",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-464",
"url": "https://xenbits.xen.org/xsa/advisory-464.html"
},
{
"published_at": "2024-11-12",
"title": "Bulletin de s\u00e9curit\u00e9 Xen xsa/advisory-463",
"url": "https://xenbits.xen.org/xsa/advisory-463.html"
}
]
}
CVE-2026-23555 (GCVE-0-2026-23555)
Vulnerability from cvelistv5
Published
2026-03-23 06:57
Modified
2026-03-23 14:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Any guest issuing a Xenstore command accessing a node using the
(illegal) node path "/local/domain/", will crash xenstored due to a
clobbered error indicator in xenstored when verifying the node path.
Note that the crash is forced via a failing assert() statement in
xenstored. In case xenstored is being built with NDEBUG #defined,
an unprivileged guest trying to access the node path "/local/domain/"
will result in it no longer being serviced by xenstored, other guests
(including dom0) will still be serviced, but xenstored will use up
all cpu time it can get.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-23T07:32:28.482Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/17/7"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-481.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23555",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T14:11:41.150968Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617 Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T14:14:02.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-481"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen systems from Xen 4.18 onwards are vulnerable. Systems up to\nXen 4.17 are not vulnerable.\n\nSystems using the C variant of xenstored are vulnerable. Systems using\nxenstore-stubdom or the OCaml variant of Xenstore (oxenstored) are not\nvulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Marek Marczykowski-G\u00f3reckiof\nInvisible Things Lab."
}
],
"datePublic": "2026-03-17T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Any guest issuing a Xenstore command accessing a node using the\n(illegal) node path \"/local/domain/\", will crash xenstored due to a\nclobbered error indicator in xenstored when verifying the node path.\n\nNote that the crash is forced via a failing assert() statement in\nxenstored. In case xenstored is being built with NDEBUG #defined,\nan unprivileged guest trying to access the node path \"/local/domain/\"\nwill result in it no longer being serviced by xenstored, other guests\n(including dom0) will still be serviced, but xenstored will use up\nall cpu time it can get."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Any unprivileged domain can cause xenstored to crash, causing a\nDoS (denial of service) for any Xenstore action. This will result\nin an inability to perform further domain administration on the host.\n\nIn case xenstored has been built with NDEBUG defined, an unprivileged\ndomain can force xenstored to be 100% busy, but without harming\nxenstored functionality for other guests otherwise."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T06:57:07.653Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-481.html"
}
],
"title": "Xenstored DoS by unprivileged domain",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation available."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23555",
"datePublished": "2026-03-23T06:57:07.653Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-03-23T14:14:02.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23554 (GCVE-0-2026-23554)
Vulnerability from cvelistv5
Published
2026-03-23 06:56
Modified
2026-03-23 14:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Intel EPT paging code uses an optimization to defer flushing of any cached
EPT state until the p2m lock is dropped, so that multiple modifications done
under the same locked region only issue a single flush.
Freeing of paging structures however is not deferred until the flushing is
done, and can result in freed pages transiently being present in cached state.
Such stale entries can point to memory ranges not owned by the guest, thus
allowing access to unintended memory regions.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-23T07:32:25.539Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/17/6"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-480.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23554",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T14:18:54.774466Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T14:19:27.752Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-480"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen 4.17 and onwards are vulnerable. Xen 4.16 and older are not vulnerable.\n\nOnly x86 Intel systems with EPT support are vulnerable.\n\nOnly x86 HVM/PVH guests using HAP can leverage the vulnerability on affected\nsystems."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2026-03-17T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T06:56:52.344Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-480.html"
}
],
"title": "Use after free of paging structures in EPT",
"workarounds": [
{
"lang": "en",
"value": "There are no mitigations."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23554",
"datePublished": "2026-03-23T06:56:52.344Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-03-23T14:19:27.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23553 (GCVE-0-2026-23553)
Vulnerability from cvelistv5
Published
2026-01-28 15:33
Modified
2026-01-28 16:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the context switch logic Xen attempts to skip an IBPB in the case of
a vCPU returning to a CPU on which it was the previous vCPU to run.
While safe for Xen's isolation between vCPUs, this prevents the guest
kernel correctly isolating between tasks. Consider:
1) vCPU runs on CPU A, running task 1.
2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB.
3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.
4) vCPU moves back to CPU A. Xen skips IBPB again.
Now, task 2 is running on CPU A with task 1's training still in the BTB.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-01-28T16:12:31.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/27/3"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-479.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23553",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T16:40:38.385640Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-665",
"description": "CWE-665 Improper Initialization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693 Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T16:41:14.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-479"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions which had the XSA-254 fixes backported are vulnerable.\nUpstream, that is 4.6 and newer.\n\nOnly x86 systems are vulnerable. Arm systems are not vulerable.\n\nSystems vulnerable to SRSO (see XSA-434) with default settings use\nIBPB-on-entry to protect against SRSO. This is a rather more aggressive\nform of flushing than only on context switch, and is believed to be\nsufficient to avoid the vulnerability."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by David Kaplan of AMD."
}
],
"datePublic": "2026-01-27T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In the context switch logic Xen attempts to skip an IBPB in the case of\na vCPU returning to a CPU on which it was the previous vCPU to run.\nWhile safe for Xen\u0027s isolation between vCPUs, this prevents the guest\nkernel correctly isolating between tasks. Consider:\n\n 1) vCPU runs on CPU A, running task 1.\n 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB.\n 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.\n 4) vCPU moves back to CPU A. Xen skips IBPB again.\n\nNow, task 2 is running on CPU A with task 1\u0027s training still in the BTB."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Guest processes may leverage information leaks to obtain information\nintended to be private to other entities in a guest."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:33:44.782Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-479.html"
}
],
"title": "x86: incomplete IBPB for vCPU isolation",
"workarounds": [
{
"lang": "en",
"value": "Using \"spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv\" on the Xen command line\nwill activate the SRSO mitigation on non-SRSO-vulnerable hardware, but\nit is a large overhead."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23553",
"datePublished": "2026-01-28T15:33:44.782Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-01-28T16:41:14.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58150 (GCVE-0-2025-58150)
Vulnerability from cvelistv5
Published
2026-01-28 15:33
Modified
2026-01-28 16:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Shadow mode tracing code uses a set of per-CPU variables to avoid
cumbersome parameter passing. Some of these variables are written to
with guest controlled data, of guest controllable size. That size can
be larger than the variable, and bounding of the writes was missing.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-01-28T16:11:53.448Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/27/1"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-477.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T16:44:38.812623Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T16:46:04.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-477"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Only x86 systems are vulnerable. Arm systems are not vulnerable.\n\nOnly HVM guests running in shadow paging mode and with tracing enabled\ncan leverage the vulnerability."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
],
"datePublic": "2026-01-27T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Shadow mode tracing code uses a set of per-CPU variables to avoid\ncumbersome parameter passing. Some of these variables are written to\nwith guest controlled data, of guest controllable size. That size can\nbe larger than the variable, and bounding of the writes was missing."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "The exact effects depend on what\u0027s adjacent to the variables in\nquestion. The most likely effects are bogus trace data, but none of\nprivilege escalation, information leaks, or Denial of Service (DoS) can\nbe excluded without detailed analysis of the particular build of Xen."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:33:17.316Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-477.html"
}
],
"title": "x86: buffer overrun with shadow paging + tracing",
"workarounds": [
{
"lang": "en",
"value": "Running HVM guests in HAP mode only will avoid the vulnerability.\n\nNot enabling tracing will also avoid the vulnerability. Tracing is\nenabled by the \"tbuf_size=\" command line option, or by running tools\nlike xentrace or xenbaked in Dom0. Note that on a running system\nstopping xentrace / xenbaked would disable tracing. For xentrace,\nhowever, this additionally requires that it wasn\u0027t started with the -x\noption. Stopping previously enabled tracing can of course only prevent\nfuture damage; prior damage may have occurred and may manifest only\nlater."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58150",
"datePublished": "2026-01-28T15:33:17.316Z",
"dateReserved": "2025-08-26T06:48:41.444Z",
"dateUpdated": "2026-01-28T16:46:04.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58149 (GCVE-0-2025-58149)
Vulnerability from cvelistv5
Published
2025-10-31 11:50
Modified
2025-11-04 21:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
When passing through PCI devices, the detach logic in libxl won't remove
access permissions to any 64bit memory BARs the device might have. As a
result a domain can still have access any 64bit memory BAR when such
device is no longer assigned to the domain.
For PV domains the permission leak allows the domain itself to map the memory
in the page-tables. For HVM it would require a compromised device model or
stubdomain to map the leaked memory into the HVM domain p2m.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T14:24:29.854834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-672",
"description": "CWE-672 Operation on a Resource after Expiration or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T14:24:43.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:31.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-476.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/24/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-476"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.0 and newer are vulnerable.\n\nOnly PV guests with PCI passthrough devices can leverage the vulnerability.\n\nOnly domains whose PCI devices are managed by the libxl library are affected.\nThis includes the xl toolstack and xapi, which uses the xl toolstack when\ndealing with PCI devices.\n\nHVM guests are also affected, but accessing the leaked memory requires an\nadditional compromised component on the system."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jiqian Chen of AMD and diagnosed as a\nsecurity issue by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2025-10-24T12:13:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When passing through PCI devices, the detach logic in libxl won\u0027t remove\naccess permissions to any 64bit memory BARs the device might have. As a\nresult a domain can still have access any 64bit memory BAR when such\ndevice is no longer assigned to the domain.\n\nFor PV domains the permission leak allows the domain itself to map the memory\nin the page-tables. For HVM it would require a compromised device model or\nstubdomain to map the leaked memory into the HVM domain p2m."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A buggy or malicious PV guest can access memory of PCI devices no longer\nassigned to it."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T11:50:39.536Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-476.html"
}
],
"title": "Incorrect removal of permissions on PCI device unplug",
"workarounds": [
{
"lang": "en",
"value": "Not doing hot unplug of PCI devices will avoid the vulnerability.\n\nPassing through PCI devices to HVM domains only will also limit the impact, as\nan attacker would require another compromised component to exploit it."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58149",
"datePublished": "2025-10-31T11:50:39.536Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:31.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58148 (GCVE-0-2025-58148)
Vulnerability from cvelistv5
Published
2025-10-31 11:50
Modified
2025-11-04 21:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in
one of three formats. Xen has boundary checking bugs with all three
formats, which can cause out-of-bounds reads and writes while processing
the inputs.
* CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can
cause vpmask_set() to write out of bounds when converting the bitmap
to Xen's format.
* CVE-2025-58148. Hypercalls using any input format can cause
send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
vCPU pointer.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58148",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T14:25:18.838278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T14:25:21.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:30.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-475.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/21/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-475"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.15 and newer are vulnerable. Versions 4.14 and older are\nnot vulnerable.\n\nOnly x86 HVM guests which have Viridian enabled can leverage the\nvulnerability.\n\nWith the `xl` toolstack, this means any `viridian=` setting in the VM\u0027s\nconfiguration file.\n\nNote - despite:\n\n `viridian=[\"!hcall_remote_tlb_flush\", \"!hcall_ipi\", \"!ex_processor_masks\"]`\n\nbeing documented to turns off the relevant functionality, this\nconfiguration does not block the relevant hypercalls."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Teddy Astie of Vates"
}
],
"datePublic": "2025-10-21T11:59:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nSome Viridian hypercalls can specify a mask of vCPU IDs as an input, in\none of three formats. Xen has boundary checking bugs with all three\nformats, which can cause out-of-bounds reads and writes while processing\nthe inputs.\n\n * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can\n cause vpmask_set() to write out of bounds when converting the bitmap\n to Xen\u0027s format.\n\n * CVE-2025-58148. Hypercalls using any input format can cause\n send_ipi() to read d-\u003evcpu[] out-of-bounds, and operate on a wild\n vCPU pointer."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A buggy or malicious guest can cause Denial of Service (DoS) affecting\nthe entire host, information leaks, or elevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T11:50:28.407Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-475.html"
}
],
"title": "x86: Incorrect input sanitisation in Viridian hypercalls",
"workarounds": [
{
"lang": "en",
"value": "Not enabling Viridian will avoid the issuse."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58148",
"datePublished": "2025-10-31T11:50:28.407Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:30.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58147 (GCVE-0-2025-58147)
Vulnerability from cvelistv5
Published
2025-10-31 11:50
Modified
2025-11-04 21:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in
one of three formats. Xen has boundary checking bugs with all three
formats, which can cause out-of-bounds reads and writes while processing
the inputs.
* CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can
cause vpmask_set() to write out of bounds when converting the bitmap
to Xen's format.
* CVE-2025-58148. Hypercalls using any input format can cause
send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
vCPU pointer.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T17:45:24.503747Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T17:45:58.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:28.853Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-475.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/21/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-475"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.15 and newer are vulnerable. Versions 4.14 and older are\nnot vulnerable.\n\nOnly x86 HVM guests which have Viridian enabled can leverage the\nvulnerability.\n\nWith the `xl` toolstack, this means any `viridian=` setting in the VM\u0027s\nconfiguration file.\n\nNote - despite:\n\n `viridian=[\"!hcall_remote_tlb_flush\", \"!hcall_ipi\", \"!ex_processor_masks\"]`\n\nbeing documented to turns off the relevant functionality, this\nconfiguration does not block the relevant hypercalls."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Teddy Astie of Vates"
}
],
"datePublic": "2025-10-21T11:59:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nSome Viridian hypercalls can specify a mask of vCPU IDs as an input, in\none of three formats. Xen has boundary checking bugs with all three\nformats, which can cause out-of-bounds reads and writes while processing\nthe inputs.\n\n * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can\n cause vpmask_set() to write out of bounds when converting the bitmap\n to Xen\u0027s format.\n\n * CVE-2025-58148. Hypercalls using any input format can cause\n send_ipi() to read d-\u003evcpu[] out-of-bounds, and operate on a wild\n vCPU pointer."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A buggy or malicious guest can cause Denial of Service (DoS) affecting\nthe entire host, information leaks, or elevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T11:50:28.282Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-475.html"
}
],
"title": "x86: Incorrect input sanitisation in Viridian hypercalls",
"workarounds": [
{
"lang": "en",
"value": "Not enabling Viridian will avoid the issuse."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58147",
"datePublished": "2025-10-31T11:50:28.282Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:28.853Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58145 (GCVE-0-2025-58145)
Vulnerability from cvelistv5
Published
2025-09-11 14:05
Modified
2025-11-04 21:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are two issues related to the mapping of pages belonging to other
domains: For one, an assertion is wrong there, where the case actually
needs handling. A NULL pointer de-reference could result on a release
build. This is CVE-2025-58144.
And then the P2M lock isn't held until a page reference was actually
obtained (or the attempt to do so has failed). Otherwise the page can
not only change type, but even ownership in between, thus allowing
domain boundaries to be violated. This is CVE-2025-58145.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:39:37.372975Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:39:41.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:27.555Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-473.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-473"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.12 and onwards are vulnerable. Xen versions 4.11 and\nearlier are not vulnerable.\n\nOnly Arm systems are affected. x86 systems are not affected."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are two issues related to the mapping of pages belonging to other\ndomains: For one, an assertion is wrong there, where the case actually\nneeds handling. A NULL pointer de-reference could result on a release\nbuild. This is CVE-2025-58144.\n\nAnd then the P2M lock isn\u0027t held until a page reference was actually\nobtained (or the attempt to do so has failed). Otherwise the page can\nnot only change type, but even ownership in between, thus allowing\ndomain boundaries to be violated. This is CVE-2025-58145."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unprivileged guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host. Privilege escalation and information\nleaks cannot be ruled out."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:36.380Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-473.html"
}
],
"title": "Arm issues with page refcounting",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58145",
"datePublished": "2025-09-11T14:05:36.380Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:27.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58144 (GCVE-0-2025-58144)
Vulnerability from cvelistv5
Published
2025-09-11 14:05
Modified
2025-11-04 21:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are two issues related to the mapping of pages belonging to other
domains: For one, an assertion is wrong there, where the case actually
needs handling. A NULL pointer de-reference could result on a release
build. This is CVE-2025-58144.
And then the P2M lock isn't held until a page reference was actually
obtained (or the attempt to do so has failed). Otherwise the page can
not only change type, but even ownership in between, thus allowing
domain boundaries to be violated. This is CVE-2025-58145.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:18:50.824988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:38:26.891Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:26.232Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-473.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-473"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.12 and onwards are vulnerable. Xen versions 4.11 and\nearlier are not vulnerable.\n\nOnly Arm systems are affected. x86 systems are not affected."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are two issues related to the mapping of pages belonging to other\ndomains: For one, an assertion is wrong there, where the case actually\nneeds handling. A NULL pointer de-reference could result on a release\nbuild. This is CVE-2025-58144.\n\nAnd then the P2M lock isn\u0027t held until a page reference was actually\nobtained (or the attempt to do so has failed). Otherwise the page can\nnot only change type, but even ownership in between, thus allowing\ndomain boundaries to be violated. This is CVE-2025-58145."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unprivileged guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host. Privilege escalation and information\nleaks cannot be ruled out."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:36.284Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-473.html"
}
],
"title": "Arm issues with page refcounting",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58144",
"datePublished": "2025-09-11T14:05:36.284Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:26.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58143 (GCVE-0-2025-58143)
Vulnerability from cvelistv5
Published
2025-09-11 14:05
Modified
2025-11-04 21:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:
1. A NULL pointer dereference in the updating of the reference TSC area.
This is CVE-2025-27466.
2. A NULL pointer dereference by assuming the SIM page is mapped when
a synthetic timer message has to be delivered. This is
CVE-2025-58142.
3. A race in the mapping of the reference TSC page, where a guest can
get Xen to free a page while still present in the guest physical to
machine (p2m) page tables. This is CVE-2025-58143.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:21:09.042615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-366",
"description": "CWE-366 Race Condition within a Thread",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:41:56.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:24.914Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-472.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-472"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.13 and newer are vulnerable. Xen versions 4.12 and older\nare not vulnerable.\n\nOnly x86 HVM guests which have the reference_tsc or stimer viridian\nextensions enabled are vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n a synthetic timer message has to be delivered. This is\n CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n get Xen to free a page while still present in the guest physical to\n machine (p2m) page tables. This is CVE-2025-58143."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of Service (DoS) affecting the entire host, information leaks, or\nelevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:29.729Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-472.html"
}
],
"title": "Mutiple vulnerabilities in the Viridian interface",
"workarounds": [
{
"lang": "en",
"value": "Not enabling the reference_tsc and stimer viridian extensions will avoid\nthe issues."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58143",
"datePublished": "2025-09-11T14:05:29.729Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:24.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58142 (GCVE-0-2025-58142)
Vulnerability from cvelistv5
Published
2025-09-11 14:05
Modified
2025-11-04 21:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:
1. A NULL pointer dereference in the updating of the reference TSC area.
This is CVE-2025-27466.
2. A NULL pointer dereference by assuming the SIM page is mapped when
a synthetic timer message has to be delivered. This is
CVE-2025-58142.
3. A race in the mapping of the reference TSC page, where a guest can
get Xen to free a page while still present in the guest physical to
machine (p2m) page tables. This is CVE-2025-58143.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:24:28.317871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-395",
"description": "CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:41:07.805Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:23.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-472.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-472"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.13 and newer are vulnerable. Xen versions 4.12 and older\nare not vulnerable.\n\nOnly x86 HVM guests which have the reference_tsc or stimer viridian\nextensions enabled are vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n a synthetic timer message has to be delivered. This is\n CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n get Xen to free a page while still present in the guest physical to\n machine (p2m) page tables. This is CVE-2025-58143."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of Service (DoS) affecting the entire host, information leaks, or\nelevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:29.649Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-472.html"
}
],
"title": "Mutiple vulnerabilities in the Viridian interface",
"workarounds": [
{
"lang": "en",
"value": "Not enabling the reference_tsc and stimer viridian extensions will avoid\nthe issues."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58142",
"datePublished": "2025-09-11T14:05:29.649Z",
"dateReserved": "2025-08-26T06:48:41.442Z",
"dateUpdated": "2025-11-04T21:13:23.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27466 (GCVE-0-2025-27466)
Vulnerability from cvelistv5
Published
2025-09-11 14:05
Modified
2025-11-04 21:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:
1. A NULL pointer dereference in the updating of the reference TSC area.
This is CVE-2025-27466.
2. A NULL pointer dereference by assuming the SIM page is mapped when
a synthetic timer message has to be delivered. This is
CVE-2025-58142.
3. A race in the mapping of the reference TSC page, where a guest can
get Xen to free a page while still present in the guest physical to
machine (p2m) page tables. This is CVE-2025-58143.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-27466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:25:53.637084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-395",
"description": "CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:40:33.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:51.419Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-472.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-472"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.13 and newer are vulnerable. Xen versions 4.12 and older\nare not vulnerable.\n\nOnly x86 HVM guests which have the reference_tsc or stimer viridian\nextensions enabled are vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n a synthetic timer message has to be delivered. This is\n CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n get Xen to free a page while still present in the guest physical to\n machine (p2m) page tables. This is CVE-2025-58143."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of Service (DoS) affecting the entire host, information leaks, or\nelevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:29.525Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-472.html"
}
],
"title": "Mutiple vulnerabilities in the Viridian interface",
"workarounds": [
{
"lang": "en",
"value": "Not enabling the reference_tsc and stimer viridian extensions will avoid\nthe issues."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27466",
"datePublished": "2025-09-11T14:05:29.525Z",
"dateReserved": "2025-02-26T09:16:54.462Z",
"dateUpdated": "2025-11-04T21:09:51.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1713 (GCVE-0-2025-1713)
Vulnerability from cvelistv5
Published
2025-07-17 13:59
Modified
2025-07-17 14:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
When setting up interrupt remapping for legacy PCI(-X) devices,
including PCI(-X) bridges, a lookup of the upstream bridge is required.
This lookup, itself involving acquiring of a lock, is done in a context
where acquiring that lock is unsafe. This can lead to a deadlock.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-07-17T14:04:25.770Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/27/1"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-467.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/27/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/28/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-1713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-17T14:17:20.052947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-833",
"description": "CWE-833 Deadlock",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T14:21:42.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-467"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.0 and later are affected. Xen versions 3.4 and earlier\nare not directly affected, but had other issues.\n\nSystems with Intel IOMMU hardware (VT-d) are affected. Systems using\nAMD or non-x86 hardware are not affected.\n\nOnly systems where certain kinds of devices are passed through to an\nunprivileged guest are vulnerable."
}
],
"datePublic": "2025-02-27T12:52:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When setting up interrupt remapping for legacy PCI(-X) devices,\nincluding PCI(-X) bridges, a lookup of the upstream bridge is required.\nThis lookup, itself involving acquiring of a lock, is done in a context\nwhere acquiring that lock is unsafe. This can lead to a deadlock."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "The passing through of certain kinds of devices to an unprivileged guest\ncan result in a Denial of Service (DoS) affecting the entire host.\n\nNote: Normal usage of such devices by a privileged domain can also\n trigger the issue. In such a scenario, the deadlock is not\n considered a security issue, but just a plain bug."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T13:59:46.231Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-467.html"
}
],
"title": "deadlock potential with VT-d and legacy PCI device pass-through",
"workarounds": [
{
"lang": "en",
"value": "Avoiding the passing through of the affected device types will avoid\nthe vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-1713",
"datePublished": "2025-07-17T13:59:46.231Z",
"dateReserved": "2025-02-26T09:04:42.837Z",
"dateUpdated": "2025-07-17T14:21:42.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27465 (GCVE-0-2025-27465)
Vulnerability from cvelistv5
Published
2025-07-16 09:08
Modified
2025-11-04 21:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Certain instructions need intercepting and emulating by Xen. In some
cases Xen emulates the instruction by replaying it, using an executable
stub. Some instructions may raise an exception, which is supposed to be
handled gracefully. Certain replayed instructions have additional logic
to set up and recover the changes to the arithmetic flags.
For replayed instructions where the flags recovery logic is used, the
metadata for exception handling was incorrect, preventing Xen from
handling the the exception gracefully, treating it as fatal instead.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-27465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T20:46:06.289437Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755 Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T15:00:57.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:50.127Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-470.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/01/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-470"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen 4.9 and onwards are vulnerable. Xen 4.8 and older are not\nvulnerable.\n\nOnly x86 systems are vulnerable. ARM systems are not vulnerable.\n\nOnly HVM or PVH guests can leverage the vulnerability. PV guests cannot\nleverage the vulnerability."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrew Cooper of XenServer."
}
],
"datePublic": "2025-07-01T11:56:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Certain instructions need intercepting and emulating by Xen. In some\ncases Xen emulates the instruction by replaying it, using an executable\nstub. Some instructions may raise an exception, which is supposed to be\nhandled gracefully. Certain replayed instructions have additional logic\nto set up and recover the changes to the arithmetic flags.\n\nFor replayed instructions where the flags recovery logic is used, the\nmetadata for exception handling was incorrect, preventing Xen from\nhandling the the exception gracefully, treating it as fatal instead."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unprivileged guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T09:08:39.931Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-470.html"
}
],
"title": "x86: Incorrect stubs exception handling for flags recovery",
"workarounds": [
{
"lang": "en",
"value": "There are no mitigations."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27465",
"datePublished": "2025-07-16T09:08:39.931Z",
"dateReserved": "2025-02-26T09:16:54.461Z",
"dateUpdated": "2025-11-04T21:09:50.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2201 (GCVE-0-2024-2201)
Vulnerability from cvelistv5
Published
2024-12-19 20:28
Modified
2025-01-09 16:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-2201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T18:51:54.984364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T16:40:32.522Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "See advisory \"x86: Native Branch History Injection\""
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1423",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T20:29:32.134Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/155143"
},
{
"url": "https://github.com/vusec/inspectre-gadget?tab=readme-ov-file"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/15"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/05/07/7"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-456.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QKNCPX7CJUK4I6BRGABAUQK2DMQZUCA/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D5OK6MH75S7YWD34EWW7QIZTS627RIE3/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RYAZ7P6YFJ2E3FHKAGIKHWS46KYMMTZH/"
},
{
"url": "https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/branch-history-injection.htm"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2024-2201",
"x_generator": {
"engine": "VINCE 3.0.11",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2024-2201"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2024-2201",
"datePublished": "2024-12-19T20:28:31.596Z",
"dateReserved": "2024-03-05T19:12:39.649Z",
"dateUpdated": "2025-01-09T16:40:32.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45819 (GCVE-0-2024-45819)
Vulnerability from cvelistv5
Published
2024-12-19 12:00
Modified
2024-12-31 18:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
PVH guests have their ACPI tables constructed by the toolstack. The
construction involves building the tables in local memory, which are
then copied into guest memory. While actually used parts of the local
memory are filled in correctly, excess space that is being allocated is
left with its prior contents.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-19T12:04:50.065Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/12/1"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-464.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/12/10"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/12/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45819",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T18:56:31.915960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-31T18:57:41.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-464"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.8 and onwards are vulnerable. Xen 4.7 and older are not\nvulnerable.\n\nOnly x86 systems running PVH guests are vulnerable. Architectures other\nthan x86 are not vulnerable.\n\nOnly PVH guests can leverage the vulnerability. HVM and PV guests\ncannot leverage the vulnerability. Note that PV guests when run inside\nthe (PVH) shim can\u0027t leverage the vulnerability."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jason Andryuk of AMD."
}
],
"datePublic": "2024-11-12T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "PVH guests have their ACPI tables constructed by the toolstack. The\nconstruction involves building the tables in local memory, which are\nthen copied into guest memory. While actually used parts of the local\nmemory are filled in correctly, excess space that is being allocated is\nleft with its prior contents."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unprivileged guest may be able to access sensitive information\npertaining to the host, control domain, or other guests."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T12:00:50.271Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-464.html"
}
],
"title": "libxl leaks data to PVH guests via ACPI tables",
"workarounds": [
{
"lang": "en",
"value": "Running only PV or HVM guests will avoid this vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2024-45819",
"datePublished": "2024-12-19T12:00:50.271Z",
"dateReserved": "2024-09-09T14:43:11.826Z",
"dateUpdated": "2024-12-31T18:57:41.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45818 (GCVE-0-2024-45818)
Vulnerability from cvelistv5
Published
2024-12-19 12:00
Modified
2024-12-31 19:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The hypervisor contains code to accelerate VGA memory accesses for HVM
guests, when the (virtual) VGA is in "standard" mode. Locking involved
there has an unusual discipline, leaving a lock acquired past the
return from the function that acquired it. This behavior results in a
problem when emulating an instruction with two memory accesses, both of
which touch VGA memory (plus some further constraints which aren't
relevant here). When emulating the 2nd access, the lock that is already
being held would be attempted to be re-acquired, resulting in a
deadlock.
This deadlock was already found when the code was first introduced, but
was analysed incorrectly and the fix was incomplete. Analysis in light
of the new finding cannot find a way to make the existing locking
discipline work.
In staging, this logic has all been removed because it was discovered
to be accidentally disabled since Xen 4.7. Therefore, we are fixing the
locking problem by backporting the removal of most of the feature. Note
that even with the feature disabled, the lock would still be acquired
for any accesses to the VGA MMIO region.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-19T12:04:41.161Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/12/2"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-463.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45818",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T18:59:24.741670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-31T19:01:43.510Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-463"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.6 through 4.19 are vulnerable. Staging (4.20 dev) is\nnot vulnerable; as noted above, the functionality was already removed\nprior to the discovery of this issue.\n\nOnly x86 systems running HVM guests are vulnerable. Architectures other\nthan x86 are not vulnerable.\n\nOnly HVM guests can leverage the vulnerability. PVH and PV guests\ncannot leverage the vulnerability."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Manuel Andreas of Technical University of\nMunich."
}
],
"datePublic": "2024-11-12T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The hypervisor contains code to accelerate VGA memory accesses for HVM\nguests, when the (virtual) VGA is in \"standard\" mode. Locking involved\nthere has an unusual discipline, leaving a lock acquired past the\nreturn from the function that acquired it. This behavior results in a\nproblem when emulating an instruction with two memory accesses, both of\nwhich touch VGA memory (plus some further constraints which aren\u0027t\nrelevant here). When emulating the 2nd access, the lock that is already\nbeing held would be attempted to be re-acquired, resulting in a\ndeadlock.\n\nThis deadlock was already found when the code was first introduced, but\nwas analysed incorrectly and the fix was incomplete. Analysis in light\nof the new finding cannot find a way to make the existing locking\ndiscipline work.\n\nIn staging, this logic has all been removed because it was discovered\nto be accidentally disabled since Xen 4.7. Therefore, we are fixing the\nlocking problem by backporting the removal of most of the feature. Note\nthat even with the feature disabled, the lock would still be acquired\nfor any accesses to the VGA MMIO region."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A (not necessarily malicious) HVM guest kernel can lock up the entire\nhost."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T12:00:41.413Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-463.html"
}
],
"title": "Deadlock in x86 HVM standard VGA handling",
"workarounds": [
{
"lang": "en",
"value": "Running only PV or PVH guests will avoid this vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2024-45818",
"datePublished": "2024-12-19T12:00:41.413Z",
"dateReserved": "2024-09-09T14:43:11.826Z",
"dateUpdated": "2024-12-31T19:01:43.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}