CVE-2025-58151 (GCVE-0-2025-58151)

Vulnerability from cvelistv5 – Published: 2026-07-09 14:45 – Updated: 2026-07-09 15:41
VLAI
Title
varstored: TOCTOU issues with mapped guest memory
Summary
varstored is a component of the Xapi toolstack handling UEFI Variables for a VM. It has a communication path with OVMF inside the VM involving mapping a buffer prepared by OVMF. Within varstored, there were insufficient compiler barriers, creating TOCTOU issues with data in the shared buffer. The exact vulnerable behaviour depends on the code generated by the compiler. In a build of varstored using default settings, the attacker can control an index used in a jump table.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-367 - Time-of-check time-of-use (TOCTOU) race condition
Assigner
XEN
Impacted products
Vendor Product Version
Xen varstored Affected: all
Create a notification for this product.
Date Public
2026-01-27 13:00
Credits
This issue was discovered by Teddy Astie of Vates.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-07-09T15:05:08.753Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/01/27/2"
          },
          {
            "url": "http://xenbits.xen.org/xsa/advisory-478.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58151",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T15:40:36.292177Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T15:41:25.431Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "varstored",
          "vendor": "Xen",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by Teddy Astie of Vates."
        }
      ],
      "datePublic": "2026-01-27T13:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cpre\u003evarstored is a component of the Xapi toolstack handling UEFI Variables\nfor a VM.  It has a communication path with OVMF inside the VM involving\nmapping a buffer prepared by OVMF.\n\nWithin varstored, there were insufficient compiler barriers, creating\nTOCTOU issues with data in the shared buffer.\n\nThe exact vulnerable behaviour depends on the code generated by the\ncompiler.  In a build of varstored using default settings, the attacker\ncan control an index used in a jump table.\u003c/pre\u003e"
            }
          ],
          "value": "varstored is a component of the Xapi toolstack handling UEFI Variables\nfor a VM.  It has a communication path with OVMF inside the VM involving\nmapping a buffer prepared by OVMF.\n\nWithin varstored, there were insufficient compiler barriers, creating\nTOCTOU issues with data in the shared buffer.\n\nThe exact vulnerable behaviour depends on the code generated by the\ncompiler.  In a build of varstored using default settings, the attacker\ncan control an index used in a jump table."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check time-of-use (TOCTOU) race condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T14:45:16.531Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xen.org/xsa/advisory-478.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "varstored: TOCTOU issues with mapped guest memory",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2025-58151",
    "datePublished": "2026-07-09T14:45:16.531Z",
    "dateReserved": "2025-08-26T06:48:41.444Z",
    "dateUpdated": "2026-07-09T15:41:25.431Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-58151\",\"sourceIdentifier\":\"security@xen.org\",\"published\":\"2026-07-09T16:16:33.817\",\"lastModified\":\"2026-07-09T17:16:56.770\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"varstored is a component of the Xapi toolstack handling UEFI Variables\\nfor a VM.  It has a communication path with OVMF inside the VM involving\\nmapping a buffer prepared by OVMF.\\n\\nWithin varstored, there were insufficient compiler barriers, creating\\nTOCTOU issues with data in the shared buffer.\\n\\nThe exact vulnerable behaviour depends on the code generated by the\\ncompiler.  In a build of varstored using default settings, the attacker\\ncan control an index used in a jump table.\"}],\"affected\":[{\"source\":\"security@xen.org\",\"affectedData\":[{\"vendor\":\"Xen\",\"product\":\"varstored\",\"defaultStatus\":\"unaffected\",\"platforms\":[\"Linux\"],\"versions\":[{\"version\":\"all\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@xen.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-09T15:40:36.292177Z\",\"id\":\"CVE-2025-58151\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security@xen.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-367\"}]}],\"references\":[{\"url\":\"https://xenbits.xen.org/xsa/advisory-478.html\",\"source\":\"security@xen.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/01/27/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://xenbits.xen.org/xsa/advisory-478.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/01/27/2\"}, {\"url\": \"http://xenbits.xen.org/xsa/advisory-478.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-07-09T15:05:08.753Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-58151\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-09T15:40:36.292177Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-09T15:41:20.901Z\"}}], \"cna\": {\"title\": \"varstored: TOCTOU issues with mapped guest memory\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"This issue was discovered by Teddy Astie of Vates.\"}], \"impacts\": [{\"capecId\": \"CAPEC-233\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-233 Privilege Escalation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.4, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Xen\", \"product\": \"varstored\", \"versions\": [{\"status\": \"affected\", \"version\": \"all\"}], \"platforms\": [\"Linux\"], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-01-27T13:00:00.000Z\", \"references\": [{\"url\": \"https://xenbits.xen.org/xsa/advisory-478.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"varstored is a component of the Xapi toolstack handling UEFI Variables\\nfor a VM.  It has a communication path with OVMF inside the VM involving\\nmapping a buffer prepared by OVMF.\\n\\nWithin varstored, there were insufficient compiler barriers, creating\\nTOCTOU issues with data in the shared buffer.\\n\\nThe exact vulnerable behaviour depends on the code generated by the\\ncompiler.  In a build of varstored using default settings, the attacker\\ncan control an index used in a jump table.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cpre\u003evarstored is a component of the Xapi toolstack handling UEFI Variables\\nfor a VM.  It has a communication path with OVMF inside the VM involving\\nmapping a buffer prepared by OVMF.\\n\\nWithin varstored, there were insufficient compiler barriers, creating\\nTOCTOU issues with data in the shared buffer.\\n\\nThe exact vulnerable behaviour depends on the code generated by the\\ncompiler.  In a build of varstored using default settings, the attacker\\ncan control an index used in a jump table.\u003c/pre\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-367\", \"description\": \"CWE-367 Time-of-check time-of-use (TOCTOU) race condition\"}]}], \"providerMetadata\": {\"orgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"shortName\": \"XEN\", \"dateUpdated\": \"2026-07-09T14:45:16.531Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-58151\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-09T15:41:25.431Z\", \"dateReserved\": \"2025-08-26T06:48:41.444Z\", \"assignerOrgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"datePublished\": \"2026-07-09T14:45:16.531Z\", \"assignerShortName\": \"XEN\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…