Vulnerability-Lookup

SUSE-SU-2026:0303-1

Vulnerability from csaf_suse - Published: 2026-01-27 16:14 - Updated: 2026-01-27 16:14

Summary

Security update for xen

Notes

Title of the patch

Security update for xen

Description of the patch

This update for xen fixes the following issues: Security fixes: - CVE-2025-58150: Fixed buffer overrun with shadow paging and tracing (XSA-477) (bsc#1256745) - CVE-2026-23553: Fixed incomplete IBPB for vCPU isolation (XSA-479) (bsc#1256747) - CVE-2025-58149: Fixed incorrect removal od permissions on PCI device unplug allow PV guests to access memory of devices no longer assigned to it (XSA-476) (bsc#1252692) - CVE-2025-27466, CVE-2025-58142, CVE-2025-58143: Fixed multiple vulnerabilities in the Viridian interface (XSA-472) (bsc#1248807) Other fixes: - Fixed virtxend service restart. Caused by a failure to start xenstored (bsc#1254180)

Patchnames

SUSE-2026-303,SUSE-SUSE-MicroOS-5.2-2026-303

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for xen",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for xen fixes the following issues:\n\nSecurity fixes:\n  \n- CVE-2025-58150: Fixed buffer overrun with shadow paging and \n  tracing (XSA-477) (bsc#1256745)\n- CVE-2026-23553: Fixed incomplete IBPB for vCPU isolation \n  (XSA-479) (bsc#1256747)\n- CVE-2025-58149: Fixed incorrect removal od permissions on PCI\n  device unplug allow PV guests to access memory of devices no \n  longer assigned to it (XSA-476) (bsc#1252692)\n- CVE-2025-27466, CVE-2025-58142, CVE-2025-58143: Fixed multiple\n  vulnerabilities in the Viridian interface (XSA-472) (bsc#1248807)\n\nOther fixes:\n\n- Fixed virtxend service restart. Caused by a failure to start \n  xenstored (bsc#1254180)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2026-303,SUSE-SUSE-MicroOS-5.2-2026-303",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0303-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:0303-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260303-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:0303-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-January/023931.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1248807",
        "url": "https://bugzilla.suse.com/1248807"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1252692",
        "url": "https://bugzilla.suse.com/1252692"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1254180",
        "url": "https://bugzilla.suse.com/1254180"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1256745",
        "url": "https://bugzilla.suse.com/1256745"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1256747",
        "url": "https://bugzilla.suse.com/1256747"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-27466 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-27466/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-58142 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-58142/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-58143 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-58143/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-58149 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-58149/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-58150 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-58150/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-23553 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-23553/"
      }
    ],
    "title": "Security update for xen",
    "tracking": {
      "current_release_date": "2026-01-27T16:14:45Z",
      "generator": {
        "date": "2026-01-27T16:14:45Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:0303-1",
      "initial_release_date": "2026-01-27T16:14:45Z",
      "revision_history": [
        {
          "date": "2026-01-27T16:14:45Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xen-4.14.6_28-150300.3.94.1.aarch64",
                "product": {
                  "name": "xen-4.14.6_28-150300.3.94.1.aarch64",
                  "product_id": "xen-4.14.6_28-150300.3.94.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "xen-devel-4.14.6_28-150300.3.94.1.aarch64",
                "product": {
                  "name": "xen-devel-4.14.6_28-150300.3.94.1.aarch64",
                  "product_id": "xen-devel-4.14.6_28-150300.3.94.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "xen-doc-html-4.14.6_28-150300.3.94.1.aarch64",
                "product": {
                  "name": "xen-doc-html-4.14.6_28-150300.3.94.1.aarch64",
                  "product_id": "xen-doc-html-4.14.6_28-150300.3.94.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "xen-libs-4.14.6_28-150300.3.94.1.aarch64",
                "product": {
                  "name": "xen-libs-4.14.6_28-150300.3.94.1.aarch64",
                  "product_id": "xen-libs-4.14.6_28-150300.3.94.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "xen-tools-4.14.6_28-150300.3.94.1.aarch64",
                "product": {
                  "name": "xen-tools-4.14.6_28-150300.3.94.1.aarch64",
                  "product_id": "xen-tools-4.14.6_28-150300.3.94.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "xen-tools-domU-4.14.6_28-150300.3.94.1.aarch64",
                "product": {
                  "name": "xen-tools-domU-4.14.6_28-150300.3.94.1.aarch64",
                  "product_id": "xen-tools-domU-4.14.6_28-150300.3.94.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xen-libs-64bit-4.14.6_28-150300.3.94.1.aarch64_ilp32",
                "product": {
                  "name": "xen-libs-64bit-4.14.6_28-150300.3.94.1.aarch64_ilp32",
                  "product_id": "xen-libs-64bit-4.14.6_28-150300.3.94.1.aarch64_ilp32"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64_ilp32"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xen-devel-4.14.6_28-150300.3.94.1.i586",
                "product": {
                  "name": "xen-devel-4.14.6_28-150300.3.94.1.i586",
                  "product_id": "xen-devel-4.14.6_28-150300.3.94.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "xen-libs-4.14.6_28-150300.3.94.1.i586",
                "product": {
                  "name": "xen-libs-4.14.6_28-150300.3.94.1.i586",
                  "product_id": "xen-libs-4.14.6_28-150300.3.94.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "xen-tools-domU-4.14.6_28-150300.3.94.1.i586",
                "product": {
                  "name": "xen-tools-domU-4.14.6_28-150300.3.94.1.i586",
                  "product_id": "xen-tools-domU-4.14.6_28-150300.3.94.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xen-tools-xendomains-wait-disk-4.14.6_28-150300.3.94.1.noarch",
                "product": {
                  "name": "xen-tools-xendomains-wait-disk-4.14.6_28-150300.3.94.1.noarch",
                  "product_id": "xen-tools-xendomains-wait-disk-4.14.6_28-150300.3.94.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xen-4.14.6_28-150300.3.94.1.x86_64",
                "product": {
                  "name": "xen-4.14.6_28-150300.3.94.1.x86_64",
                  "product_id": "xen-4.14.6_28-150300.3.94.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "xen-devel-4.14.6_28-150300.3.94.1.x86_64",
                "product": {
                  "name": "xen-devel-4.14.6_28-150300.3.94.1.x86_64",
                  "product_id": "xen-devel-4.14.6_28-150300.3.94.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "xen-doc-html-4.14.6_28-150300.3.94.1.x86_64",
                "product": {
                  "name": "xen-doc-html-4.14.6_28-150300.3.94.1.x86_64",
                  "product_id": "xen-doc-html-4.14.6_28-150300.3.94.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "xen-libs-4.14.6_28-150300.3.94.1.x86_64",
                "product": {
                  "name": "xen-libs-4.14.6_28-150300.3.94.1.x86_64",
                  "product_id": "xen-libs-4.14.6_28-150300.3.94.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "xen-libs-32bit-4.14.6_28-150300.3.94.1.x86_64",
                "product": {
                  "name": "xen-libs-32bit-4.14.6_28-150300.3.94.1.x86_64",
                  "product_id": "xen-libs-32bit-4.14.6_28-150300.3.94.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "xen-tools-4.14.6_28-150300.3.94.1.x86_64",
                "product": {
                  "name": "xen-tools-4.14.6_28-150300.3.94.1.x86_64",
                  "product_id": "xen-tools-4.14.6_28-150300.3.94.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "xen-tools-domU-4.14.6_28-150300.3.94.1.x86_64",
                "product": {
                  "name": "xen-tools-domU-4.14.6_28-150300.3.94.1.x86_64",
                  "product_id": "xen-tools-domU-4.14.6_28-150300.3.94.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.2",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.2",
                  "product_id": "SUSE Linux Enterprise Micro 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-microos:5.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xen-libs-4.14.6_28-150300.3.94.1.x86_64 as component of SUSE Linux Enterprise Micro 5.2",
          "product_id": "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
        },
        "product_reference": "xen-libs-4.14.6_28-150300.3.94.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-27466",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-27466"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n    This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n    a synthetic timer message has to be delivered.  This is\n    CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n    get Xen to free a page while still present in the guest physical to\n    machine (p2m) page tables.  This is CVE-2025-58143.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-27466",
          "url": "https://www.suse.com/security/cve/CVE-2025-27466"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1248807 for CVE-2025-27466",
          "url": "https://bugzilla.suse.com/1248807"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-27T16:14:45Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-27466"
    },
    {
      "cve": "CVE-2025-58142",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-58142"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n    This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n    a synthetic timer message has to be delivered.  This is\n    CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n    get Xen to free a page while still present in the guest physical to\n    machine (p2m) page tables.  This is CVE-2025-58143.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-58142",
          "url": "https://www.suse.com/security/cve/CVE-2025-58142"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1248807 for CVE-2025-58142",
          "url": "https://bugzilla.suse.com/1248807"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-27T16:14:45Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-58142"
    },
    {
      "cve": "CVE-2025-58143",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-58143"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n    This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n    a synthetic timer message has to be delivered.  This is\n    CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n    get Xen to free a page while still present in the guest physical to\n    machine (p2m) page tables.  This is CVE-2025-58143.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-58143",
          "url": "https://www.suse.com/security/cve/CVE-2025-58143"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1248807 for CVE-2025-58143",
          "url": "https://bugzilla.suse.com/1248807"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-27T16:14:45Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-58143"
    },
    {
      "cve": "CVE-2025-58149",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-58149"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "When passing through PCI devices, the detach logic in libxl won\u0027t remove\naccess permissions to any 64bit memory BARs the device might have.  As a\nresult a domain can still have access any 64bit memory BAR when such\ndevice is no longer assigned to the domain.\n\nFor PV domains the permission leak allows the domain itself to map the memory\nin the page-tables.  For HVM it would require a compromised device model or\nstubdomain to map the leaked memory into the HVM domain p2m.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-58149",
          "url": "https://www.suse.com/security/cve/CVE-2025-58149"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1252692 for CVE-2025-58149",
          "url": "https://bugzilla.suse.com/1252692"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-27T16:14:45Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-58149"
    },
    {
      "cve": "CVE-2025-58150",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-58150"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Shadow mode tracing code uses a set of per-CPU variables to avoid\ncumbersome parameter passing.  Some of these variables are written to\nwith guest controlled data, of guest controllable size.  That size can\nbe larger than the variable, and bounding of the writes was missing.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-58150",
          "url": "https://www.suse.com/security/cve/CVE-2025-58150"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256745 for CVE-2025-58150",
          "url": "https://bugzilla.suse.com/1256745"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-27T16:14:45Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-58150"
    },
    {
      "cve": "CVE-2026-23553",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-23553"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the context switch logic Xen attempts to skip an IBPB in the case of\na vCPU returning to a CPU on which it was the previous vCPU to run.\nWhile safe for Xen\u0027s isolation between vCPUs, this prevents the guest\nkernel correctly isolating between tasks.  Consider:\n\n 1) vCPU runs on CPU A, running task 1.\n 2) vCPU moves to CPU B, idle gets scheduled on A.  Xen skips IBPB.\n 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.\n 4) vCPU moves back to CPU A.  Xen skips IBPB again.\n\nNow, task 2 is running on CPU A with task 1\u0027s training still in the BTB.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-23553",
          "url": "https://www.suse.com/security/cve/CVE-2026-23553"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256747 for CVE-2026-23553",
          "url": "https://bugzilla.suse.com/1256747"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-27T16:14:45Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-23553"
    }
  ]
}

CVE-2025-27466 (GCVE-0-2025-27466)

Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:09

Title

Mutiple vulnerabilities in the Viridian interface

Summary

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-395 - Use of NullPointerException Catch to Detect NULL Pointer Dereference

Assigner

XEN

References

URL

Tags

https://xenbits.xenproject.org/xsa/advisory-472.html

Impacted products

	Vendor	Product	Version
	Xen	Xen	Unknown: consult Xen advisory XSA-472

Credits

This issue was discovered by Roger Pau Monné of XenServer.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-27466",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-11T14:25:53.637084Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-395",
                "description": "CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-11T14:40:33.401Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:09:51.419Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://xenbits.xen.org/xsa/advisory-472.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/09/09/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-472"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Xen versions 4.13 and newer are vulnerable.  Xen versions 4.12 and older\nare not vulnerable.\n\nOnly x86 HVM guests which have the reference_tsc or stimer viridian\nextensions enabled are vulnerable."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
        }
      ],
      "datePublic": "2025-09-09T11:53:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n    This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n    a synthetic timer message has to be delivered.  This is\n    CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n    get Xen to free a page while still present in the guest physical to\n    machine (p2m) page tables.  This is CVE-2025-58143."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service (DoS) affecting the entire host, information leaks, or\nelevation of privilege."
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-11T14:05:29.525Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-472.html"
        }
      ],
      "title": "Mutiple vulnerabilities in the Viridian interface",
      "workarounds": [
        {
          "lang": "en",
          "value": "Not enabling the reference_tsc and stimer viridian extensions will avoid\nthe issues."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2025-27466",
    "datePublished": "2025-09-11T14:05:29.525Z",
    "dateReserved": "2025-02-26T09:16:54.462Z",
    "dateUpdated": "2025-11-04T21:09:51.419Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23553 (GCVE-0-2026-23553)

Vulnerability from cvelistv5 – Published: 2026-01-28 15:33 – Updated: 2026-01-28 16:41

Title

x86: incomplete IBPB for vCPU isolation

Summary

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.

Severity ?

2.9 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-665 - Improper Initialization
CWE-693 - Protection Mechanism Failure

Assigner

XEN

References

URL

Tags

https://xenbits.xenproject.org/xsa/advisory-479.html

Impacted products

	Vendor	Product	Version
	Xen	Xen	Unknown: consult Xen advisory XSA-479

Credits

This issue was discovered by David Kaplan of AMD.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-28T16:12:31.841Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/01/27/3"
          },
          {
            "url": "http://xenbits.xen.org/xsa/advisory-479.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 2.9,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-23553",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-28T16:40:38.385640Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-665",
                "description": "CWE-665 Improper Initialization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-693",
                "description": "CWE-693 Protection Mechanism Failure",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-28T16:41:14.803Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-479"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Xen versions which had the XSA-254 fixes backported are vulnerable.\nUpstream, that is 4.6 and newer.\n\nOnly x86 systems are vulnerable.  Arm systems are not vulerable.\n\nSystems vulnerable to SRSO (see XSA-434) with default settings use\nIBPB-on-entry to protect against SRSO.  This is a rather more aggressive\nform of flushing than only on context switch, and is believed to be\nsufficient to avoid the vulnerability."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by David Kaplan of AMD."
        }
      ],
      "datePublic": "2026-01-27T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In the context switch logic Xen attempts to skip an IBPB in the case of\na vCPU returning to a CPU on which it was the previous vCPU to run.\nWhile safe for Xen\u0027s isolation between vCPUs, this prevents the guest\nkernel correctly isolating between tasks.  Consider:\n\n 1) vCPU runs on CPU A, running task 1.\n 2) vCPU moves to CPU B, idle gets scheduled on A.  Xen skips IBPB.\n 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.\n 4) vCPU moves back to CPU A.  Xen skips IBPB again.\n\nNow, task 2 is running on CPU A with task 1\u0027s training still in the BTB."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Guest processes may leverage information leaks to obtain information\nintended to be private to other entities in a guest."
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T15:33:44.782Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-479.html"
        }
      ],
      "title": "x86: incomplete IBPB for vCPU isolation",
      "workarounds": [
        {
          "lang": "en",
          "value": "Using \"spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv\" on the Xen command line\nwill activate the SRSO mitigation on non-SRSO-vulnerable hardware, but\nit is a large overhead."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2026-23553",
    "datePublished": "2026-01-28T15:33:44.782Z",
    "dateReserved": "2026-01-14T13:07:36.961Z",
    "dateUpdated": "2026-01-28T16:41:14.803Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58142 (GCVE-0-2025-58142)

Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:13

Title

Mutiple vulnerabilities in the Viridian interface

Summary

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-395 - Use of NullPointerException Catch to Detect NULL Pointer Dereference

Assigner

XEN

References

URL

Tags

https://xenbits.xenproject.org/xsa/advisory-472.html

Impacted products

	Vendor	Product	Version
	Xen	Xen	Unknown: consult Xen advisory XSA-472

Credits

This issue was discovered by Roger Pau Monné of XenServer.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58142",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-11T14:24:28.317871Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-395",
                "description": "CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-11T14:41:07.805Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:23.610Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://xenbits.xen.org/xsa/advisory-472.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/09/09/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-472"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Xen versions 4.13 and newer are vulnerable.  Xen versions 4.12 and older\nare not vulnerable.\n\nOnly x86 HVM guests which have the reference_tsc or stimer viridian\nextensions enabled are vulnerable."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
        }
      ],
      "datePublic": "2025-09-09T11:53:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n    This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n    a synthetic timer message has to be delivered.  This is\n    CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n    get Xen to free a page while still present in the guest physical to\n    machine (p2m) page tables.  This is CVE-2025-58143."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service (DoS) affecting the entire host, information leaks, or\nelevation of privilege."
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-11T14:05:29.649Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-472.html"
        }
      ],
      "title": "Mutiple vulnerabilities in the Viridian interface",
      "workarounds": [
        {
          "lang": "en",
          "value": "Not enabling the reference_tsc and stimer viridian extensions will avoid\nthe issues."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2025-58142",
    "datePublished": "2025-09-11T14:05:29.649Z",
    "dateReserved": "2025-08-26T06:48:41.442Z",
    "dateUpdated": "2025-11-04T21:13:23.610Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58150 (GCVE-0-2025-58150)

Vulnerability from cvelistv5 – Published: 2026-01-28 15:33 – Updated: 2026-01-28 16:46

Title

x86: buffer overrun with shadow paging + tracing

Summary

Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

XEN

References

URL

Tags

https://xenbits.xenproject.org/xsa/advisory-477.html

Impacted products

	Vendor	Product	Version
	Xen	Xen	Unknown: consult Xen advisory XSA-477

Credits

This issue was discovered by Jan Beulich of SUSE.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-28T16:11:53.448Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/01/27/1"
          },
          {
            "url": "http://xenbits.xen.org/xsa/advisory-477.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58150",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-28T16:44:38.812623Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-28T16:46:04.355Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-477"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Only x86 systems are vulnerable.  Arm systems are not vulnerable.\n\nOnly HVM guests running in shadow paging mode and with tracing enabled\ncan leverage the vulnerability."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by Jan Beulich of SUSE."
        }
      ],
      "datePublic": "2026-01-27T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Shadow mode tracing code uses a set of per-CPU variables to avoid\ncumbersome parameter passing.  Some of these variables are written to\nwith guest controlled data, of guest controllable size.  That size can\nbe larger than the variable, and bounding of the writes was missing."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "The exact effects depend on what\u0027s adjacent to the variables in\nquestion.  The most likely effects are bogus trace data, but none of\nprivilege escalation, information leaks, or Denial of Service (DoS) can\nbe excluded without detailed analysis of the particular build of Xen."
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T15:33:17.316Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-477.html"
        }
      ],
      "title": "x86: buffer overrun with shadow paging + tracing",
      "workarounds": [
        {
          "lang": "en",
          "value": "Running HVM guests in HAP mode only will avoid the vulnerability.\n\nNot enabling tracing will also avoid the vulnerability.  Tracing is\nenabled by the \"tbuf_size=\" command line option, or by running tools\nlike xentrace or xenbaked in Dom0.  Note that on a running system\nstopping xentrace / xenbaked would disable tracing.  For xentrace,\nhowever, this additionally requires that it wasn\u0027t started with the -x\noption.  Stopping previously enabled tracing can of course only prevent\nfuture damage; prior damage may have occurred and may manifest only\nlater."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2025-58150",
    "datePublished": "2026-01-28T15:33:17.316Z",
    "dateReserved": "2025-08-26T06:48:41.444Z",
    "dateUpdated": "2026-01-28T16:46:04.355Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58143 (GCVE-0-2025-58143)

Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:13

Title

Mutiple vulnerabilities in the Viridian interface

Summary

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-366 - Race Condition within a Thread

Assigner

XEN

References

URL

Tags

https://xenbits.xenproject.org/xsa/advisory-472.html

Impacted products

	Vendor	Product	Version
	Xen	Xen	Unknown: consult Xen advisory XSA-472

Credits

This issue was discovered by Roger Pau Monné of XenServer.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58143",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-11T14:21:09.042615Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-366",
                "description": "CWE-366 Race Condition within a Thread",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-11T14:41:56.160Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:24.914Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://xenbits.xen.org/xsa/advisory-472.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/09/09/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-472"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Xen versions 4.13 and newer are vulnerable.  Xen versions 4.12 and older\nare not vulnerable.\n\nOnly x86 HVM guests which have the reference_tsc or stimer viridian\nextensions enabled are vulnerable."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
        }
      ],
      "datePublic": "2025-09-09T11:53:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n    This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n    a synthetic timer message has to be delivered.  This is\n    CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n    get Xen to free a page while still present in the guest physical to\n    machine (p2m) page tables.  This is CVE-2025-58143."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service (DoS) affecting the entire host, information leaks, or\nelevation of privilege."
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-11T14:05:29.729Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-472.html"
        }
      ],
      "title": "Mutiple vulnerabilities in the Viridian interface",
      "workarounds": [
        {
          "lang": "en",
          "value": "Not enabling the reference_tsc and stimer viridian extensions will avoid\nthe issues."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2025-58143",
    "datePublished": "2025-09-11T14:05:29.729Z",
    "dateReserved": "2025-08-26T06:48:41.443Z",
    "dateUpdated": "2025-11-04T21:13:24.914Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58149 (GCVE-0-2025-58149)

Vulnerability from cvelistv5 – Published: 2025-10-31 11:50 – Updated: 2025-11-04 21:13

Title

Incorrect removal of permissions on PCI device unplug

Summary

When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the permission leak allows the domain itself to map the memory in the page-tables. For HVM it would require a compromised device model or stubdomain to map the leaked memory into the HVM domain p2m.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-672 - Operation on a Resource after Expiration or Release

Assigner

XEN

References

URL

Tags

https://xenbits.xenproject.org/xsa/advisory-476.html

Impacted products

	Vendor	Product	Version
	Xen	Xen	Unknown: consult Xen advisory XSA-476

Credits

This issue was discovered by Jiqian Chen of AMD and diagnosed as a security issue by Roger Pau Monné of XenServer.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58149",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-03T14:24:29.854834Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-672",
                "description": "CWE-672 Operation on a Resource after Expiration or Release",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-03T14:24:43.755Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:31.524Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://xenbits.xen.org/xsa/advisory-476.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/24/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-476"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Xen versions 4.0 and newer are vulnerable.\n\nOnly PV guests with PCI passthrough devices can leverage the vulnerability.\n\nOnly domains whose PCI devices are managed by the libxl library are affected.\nThis includes the xl toolstack and xapi, which uses the xl toolstack when\ndealing with PCI devices.\n\nHVM guests are also affected, but accessing the leaked memory requires an\nadditional compromised component on the system."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by Jiqian Chen of AMD and diagnosed as a\nsecurity issue by Roger Pau Monn\u00e9 of XenServer."
        }
      ],
      "datePublic": "2025-10-24T12:13:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "When passing through PCI devices, the detach logic in libxl won\u0027t remove\naccess permissions to any 64bit memory BARs the device might have.  As a\nresult a domain can still have access any 64bit memory BAR when such\ndevice is no longer assigned to the domain.\n\nFor PV domains the permission leak allows the domain itself to map the memory\nin the page-tables.  For HVM it would require a compromised device model or\nstubdomain to map the leaked memory into the HVM domain p2m."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "A buggy or malicious PV guest can access memory of PCI devices no longer\nassigned to it."
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-31T11:50:39.536Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-476.html"
        }
      ],
      "title": "Incorrect removal of permissions on PCI device unplug",
      "workarounds": [
        {
          "lang": "en",
          "value": "Not doing hot unplug of PCI devices will avoid the vulnerability.\n\nPassing through PCI devices to HVM domains only will also limit the impact, as\nan attacker would require another compromised component to exploit it."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2025-58149",
    "datePublished": "2025-10-31T11:50:39.536Z",
    "dateReserved": "2025-08-26T06:48:41.443Z",
    "dateUpdated": "2025-11-04T21:13:31.524Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2026:0303-1

CVE-2025-27466 (GCVE-0-2025-27466)

CVE-2026-23553 (GCVE-0-2026-23553)

CVE-2025-58142 (GCVE-0-2025-58142)

CVE-2025-58150 (GCVE-0-2025-58150)

CVE-2025-58143 (GCVE-0-2025-58143)

CVE-2025-58149 (GCVE-0-2025-58149)

Tags

Sightings

Nomenclature