Search
Find a vulnerability
Search criteria
145 vulnerabilities
CVE-2026-42486 (GCVE-0-2026-42486)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:16 – Updated: 2026-07-10 03:55
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:55:43.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:16:34.880Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42486",
"datePublished": "2026-07-09T15:16:34.880Z",
"dateReserved": "2026-04-27T14:20:24.138Z",
"dateUpdated": "2026-07-10T03:55:43.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23562 (GCVE-0-2026-23562)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:15 – Updated: 2026-07-10 03:55
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23562",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:55:42.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:15:24.093Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23562",
"datePublished": "2026-07-09T15:15:24.093Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-10T03:55:42.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23561 (GCVE-0-2026-23561)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:13 – Updated: 2026-07-10 03:55
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23561",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T03:55:44.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:13:50.370Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23561",
"datePublished": "2026-07-09T15:13:22.160Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-10T03:55:44.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23560 (GCVE-0-2026-23560)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:12 – Updated: 2026-07-09 16:08
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-28 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:08:07.196380Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:08:13.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-28T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003eXAPI can configure different users with different roles, using Role\u003cbr\u003eBased Access Control. For more details, see:\u003cbr\u003e\u003cbr\u003e https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003cbr\u003e\u003cbr\u003eThe pool-admin role is fully privileged. Notably, users with this role\u003cbr\u003ecan also SSH into the host as root.\u003cbr\u003e\u003cbr\u003eThe other administrator roles are pool-operator, vm-power-admin and\u003cbr\u003evm-admin, each of which are authorised to configure and manage various\u003cbr\u003easpects of the system.\u003cbr\u003e\u003cbr\u003eSome settings are inadequately restricted, and can be set by a lower\u003cbr\u003eprivilege of administrator than expected.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\u003cbr\u003e turn arbitrary files in dom0 into VDIs (virtual disks) and give said\u003cbr\u003e disks to a VM they control. This is an arbitrary read and/or modify\u003cbr\u003e of files in dom0.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\u003cbr\u003e and mark a VM as a system domain. System domains are ignored and\u003cbr\u003e left running during certain other host/pool operations, and may be\u003cbr\u003e hidden from view in tooling.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\u003cbr\u003e and mark a VM as the storage domain for a particular host storage\u003cbr\u003e connection (PBD). Shutting down the VM can cause the PBD to be\u003cbr\u003e erroneously marked as unplugged when it is not.\u003cbr\u003e\u003cbr\u003e * CVE-2026-23562: Configuration of PCI passthrough is normally\u003cbr\u003e restricted to the pool-admin role. However one API was missing this\u003cbr\u003e check, allowing a vm-admin access to unintended host hardware.\u003cbr\u003e\u003cbr\u003e * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\u003cbr\u003e parameter, which should be restricted to the pool-admin role, as it\u003cbr\u003e can allow arbitrary dom0 file write."
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:12:00.013Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23560",
"datePublished": "2026-07-09T15:12:00.013Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T16:08:13.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23559 (GCVE-0-2026-23559)
Vulnerability from cvelistv5 – Published: 2026-07-09 15:09 – Updated: 2026-07-09 16:02
VLAI
EPSS
VEX
Title
Multiple RBAC issues in XAPI
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with unnecessary privileges
Assigner
References
1 reference
Date Public
2026-04-29 18:05
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23559",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:02:25.587757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:02:32.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2026-04-29T18:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003e\u003cpre\u003eXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n \u003ca href=\"https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\"\u003ehttps://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles\u003c/a\u003e\n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write.\u003c/pre\u003e"
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\n\n\nXAPI can configure different users with different roles, using Role\nBased Access Control. For more details, see:\n\n https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles \n\nThe pool-admin role is fully privileged. Notably, users with this role\ncan also SSH into the host as root.\n\nThe other administrator roles are pool-operator, vm-power-admin and\nvm-admin, each of which are authorised to configure and manage various\naspects of the system.\n\nSome settings are inadequately restricted, and can be set by a lower\nprivilege of administrator than expected.\n\n * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and\n turn arbitrary files in dom0 into VDIs (virtual disks) and give said\n disks to a VM they control. This is an arbitrary read and/or modify\n of files in dom0.\n\n * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain\n and mark a VM as a system domain. System domains are ignored and\n left running during certain other host/pool operations, and may be\n hidden from view in tooling.\n\n * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain\n and mark a VM as the storage domain for a particular host storage\n connection (PBD). Shutting down the VM can cause the PBD to be\n erroneously marked as unplugged when it is not.\n\n * CVE-2026-23562: Configuration of PCI passthrough is normally\n restricted to the pool-admin role. However one API was missing this\n check, allowing a vm-admin access to unintended host hardware.\n\n * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial\n parameter, which should be restricted to the pool-admin role, as it\n can allow arbitrary dom0 file write."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with unnecessary privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:09:51.762Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-489.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple RBAC issues in XAPI",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23559",
"datePublished": "2026-07-09T15:09:51.762Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T16:02:32.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23556 (GCVE-0-2026-23556)
Vulnerability from cvelistv5 – Published: 2026-07-09 14:48 – Updated: 2026-07-09 15:37
VLAI
EPSS
VEX
Title
oxenstored keeps quota related use counts across domain destruction
Summary
When oxenstored is tearing a domain down, the node data is cleaned up
but the usage counts are leaked.
When the domain ID is eventually reused, the new domain can create fewer
nodes before beeing deemed to be over quota.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-281 - Improper preservation of permissions
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Xen | oxenstored |
Affected:
all
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-09T15:06:25.267Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/10"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-483.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23556",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T15:34:22.728700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:37:46.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "oxenstored",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrii Sultanov of Vates."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eWhen oxenstored is tearing a domain down, the node data is cleaned up\nbut the usage counts are leaked.\n\nWhen the domain ID is eventually reused, the new domain can create fewer\nnodes before beeing deemed to be over quota.\u003c/pre\u003e"
}
],
"value": "When oxenstored is tearing a domain down, the node data is cleaned up\nbut the usage counts are leaked.\n\nWhen the domain ID is eventually reused, the new domain can create fewer\nnodes before beeing deemed to be over quota."
}
],
"impacts": [
{
"capecId": "CAPEC-548",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-548 Contaminate Resource"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper preservation of permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:48:56.630Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-483.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "oxenstored keeps quota related use counts across domain destruction",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23556",
"datePublished": "2026-07-09T14:48:56.630Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-07-09T15:37:46.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58151 (GCVE-0-2025-58151)
Vulnerability from cvelistv5 – Published: 2026-07-09 14:45 – Updated: 2026-07-09 15:41
VLAI
EPSS
VEX
Title
varstored: TOCTOU issues with mapped guest memory
Summary
varstored is a component of the Xapi toolstack handling UEFI Variables
for a VM. It has a communication path with OVMF inside the VM involving
mapping a buffer prepared by OVMF.
Within varstored, there were insufficient compiler barriers, creating
TOCTOU issues with data in the shared buffer.
The exact vulnerable behaviour depends on the code generated by the
compiler. In a build of varstored using default settings, the attacker
can control an index used in a jump table.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-367 - Time-of-check time-of-use (TOCTOU) race condition
Assigner
References
Date Public
2026-01-27 13:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-09T15:05:08.753Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/27/2"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-478.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T15:40:36.292177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:41:25.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "varstored",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Teddy Astie of Vates."
}
],
"datePublic": "2026-01-27T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003evarstored is a component of the Xapi toolstack handling UEFI Variables\nfor a VM. It has a communication path with OVMF inside the VM involving\nmapping a buffer prepared by OVMF.\n\nWithin varstored, there were insufficient compiler barriers, creating\nTOCTOU issues with data in the shared buffer.\n\nThe exact vulnerable behaviour depends on the code generated by the\ncompiler. In a build of varstored using default settings, the attacker\ncan control an index used in a jump table.\u003c/pre\u003e"
}
],
"value": "varstored is a component of the Xapi toolstack handling UEFI Variables\nfor a VM. It has a communication path with OVMF inside the VM involving\nmapping a buffer prepared by OVMF.\n\nWithin varstored, there were insufficient compiler barriers, creating\nTOCTOU issues with data in the shared buffer.\n\nThe exact vulnerable behaviour depends on the code generated by the\ncompiler. In a build of varstored using default settings, the attacker\ncan control an index used in a jump table."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check time-of-use (TOCTOU) race condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:45:16.531Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-478.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "varstored: TOCTOU issues with mapped guest memory",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58151",
"datePublished": "2026-07-09T14:45:16.531Z",
"dateReserved": "2025-08-26T06:48:41.444Z",
"dateUpdated": "2026-07-09T15:41:25.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58146 (GCVE-0-2025-58146)
Vulnerability from cvelistv5 – Published: 2026-07-09 14:42 – Updated: 2026-07-09 16:07
VLAI
EPSS
VEX
Title
XAPI UTF-8 string handling
Summary
There are multiple issues.
1. Updates to the XAPI database sanitise input strings, but try
generating the notification using the unsanitised input. This
causes the database's event thread to terminate and cease further
processing.
2. XAPI's UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI
uses libraries which conform to the stricter v3.1 of the Unicode
spec. This causes some strings to be accepted as valid UTF-8 by
XAPI, but rejected by other libraries in use. Notably, such strings
can be entered into the database, after which the database can no
longer be loaded.
3. There is no input sanitisation for Map/Set updates on objects in the
XAPI database.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper input validation
Assigner
References
Date Public
2025-09-09 12:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-09T15:04:54.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/3"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-474.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58146",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:07:50.376243Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:07:56.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "XAPI",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Edwin T\u00f6r\u00f6k from XenServer."
}
],
"datePublic": "2025-09-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eThere are multiple issues.\n\n 1. Updates to the XAPI database sanitise input strings, but try\n generating the notification using the unsanitised input. This\n causes the database\u0027s event thread to terminate and cease further\n processing.\n\n 2. XAPI\u0027s UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI\n uses libraries which conform to the stricter v3.1 of the Unicode\n spec. This causes some strings to be accepted as valid UTF-8 by\n XAPI, but rejected by other libraries in use. Notably, such strings\n can be entered into the database, after which the database can no\n longer be loaded.\n\n 3. There is no input sanitisation for Map/Set updates on objects in the\n XAPI database.\u003c/pre\u003e"
}
],
"value": "There are multiple issues.\n\n 1. Updates to the XAPI database sanitise input strings, but try\n generating the notification using the unsanitised input. This\n causes the database\u0027s event thread to terminate and cease further\n processing.\n\n 2. XAPI\u0027s UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI\n uses libraries which conform to the stricter v3.1 of the Unicode\n spec. This causes some strings to be accepted as valid UTF-8 by\n XAPI, but rejected by other libraries in use. Notably, such strings\n can be entered into the database, after which the database can no\n longer be loaded.\n\n 3. There is no input sanitisation for Map/Set updates on objects in the\n XAPI database."
}
],
"impacts": [
{
"capecId": "CAPEC-272",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-272 Protocol Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:42:22.690Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-474.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XAPI UTF-8 string handling",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58146",
"datePublished": "2026-07-09T14:42:22.690Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2026-07-09T16:07:56.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27464 (GCVE-0-2025-27464)
Vulnerability from cvelistv5 – Published: 2026-07-09 14:35 – Updated: 2026-07-09 16:07
VLAI
EPSS
VEX
Title
WinPVDrivers: Excessive permissions on user-exposed devices
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect default permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Xen | Windows PV drivers |
Affected:
all
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27464",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:07:34.962961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:07:40.763Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Windows PV drivers",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Tu Dinh of Vates"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464"
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect default permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:35:38.440Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-468.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WinPVDrivers: Excessive permissions on user-exposed devices",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27464",
"datePublished": "2026-07-09T14:35:38.440Z",
"dateReserved": "2025-02-26T09:16:54.461Z",
"dateUpdated": "2026-07-09T16:07:40.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27463 (GCVE-0-2025-27463)
Vulnerability from cvelistv5 – Published: 2026-07-09 14:29 – Updated: 2026-07-09 15:52
VLAI
EPSS
VEX
Title
WinPVDrivers: Excessive permissions on user-exposed devices
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect default permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Xen | Windows PV drivers |
Affected:
all
|
Date Public
2025-05-27 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27463",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T15:51:32.481576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:52:14.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Windows PV drivers",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Tu Dinh of Vates"
}
],
"datePublic": "2025-05-27T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464"
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect default permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:29:49.625Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-468.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WinPVDrivers: Excessive permissions on user-exposed devices",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27463",
"datePublished": "2026-07-09T14:29:49.625Z",
"dateReserved": "2025-02-26T09:16:54.461Z",
"dateUpdated": "2026-07-09T15:52:14.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27462 (GCVE-0-2025-27462)
Vulnerability from cvelistv5 – Published: 2026-07-09 14:27 – Updated: 2026-07-09 16:06
VLAI
EPSS
VEX
Title
WinPVDrivers: Excessive permissions on user-exposed devices
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
The Windows PV drivers expose various facilities to userspace. Several
of these have no security descriptor, and are therefore fully accessible
to unprivileged users. These are:
1. XenCons, CVE-2025-27462
2. XenIface, CVE-2025-27463
3. XenBus, CVE-2025-27464
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect default permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Xen | Windows PV drivers |
Affected:
all
|
Date Public
2025-05-27 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27462",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T16:06:53.503103Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:06:58.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Windows PV drivers",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Tu Dinh of Vates"
}
],
"datePublic": "2025-05-27T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\u003cbr\u003e\u003cpre\u003eThe Windows PV drivers expose various facilities to userspace. Several\nof these have no security descriptor, and are therefore fully accessible\nto unprivileged users. These are:\n\n 1. XenCons, CVE-2025-27462\n 2. XenIface, CVE-2025-27463\n 3. XenBus, CVE-2025-27464\u003c/pre\u003e"
}
],
"value": "[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]\n\n\nThe Windows PV drivers expose various facilities to userspace. Several\nof these have no security descriptor, and are therefore fully accessible\nto unprivileged users. These are:\n\n 1. XenCons, CVE-2025-27462\n 2. XenIface, CVE-2025-27463\n 3. XenBus, CVE-2025-27464"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect default permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:27:03.467Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-468.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WinPVDrivers: Excessive permissions on user-exposed devices",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27462",
"datePublished": "2026-07-09T14:27:03.467Z",
"dateReserved": "2025-02-26T09:16:54.461Z",
"dateUpdated": "2026-07-09T16:06:58.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42488 (GCVE-0-2026-42488)
Vulnerability from cvelistv5 – Published: 2026-06-18 13:47 – Updated: 2026-06-18 15:07
VLAI
EPSS
VEX
Title
x86: mismatched mapcache metadata
Summary
Some shadow paging errors paths will switch the page-tables without
updating the currently running vCPU reference. This causes a mismatch
between the loaded page-tables and the mapcache metadata which can lead
to corruption of the mapcache.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Assigner
References
Date Public
2026-06-09 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T15:02:17.385668Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T15:03:20.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-18T15:07:35.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-494.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/09/14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-494"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen 4.15 and onwards are vulnerable. Any Xen version with the fix for\nXSA-438 applied is vulnerable.\n\nOnly x86 systems are vulnerable. Only 64-bit PV guests can leverage the\nvulnerability, and only when running in shadow mode. Shadow mode would\nbe in use when migrating guests or as a workaround for XSA-273 (L1TF)."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2026-06-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Some shadow paging errors paths will switch the page-tables without\nupdating the currently running vCPU reference. This causes a mismatch\nbetween the loaded page-tables and the mapcache metadata which can lead\nto corruption of the mapcache."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:47:23.838Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-494.html"
}
],
"title": "x86: mismatched mapcache metadata",
"workarounds": [
{
"lang": "en",
"value": "Running only HVM or PVH guests will avoid the vulnerability.\n\nRunning PV guests in the PV shim will also avoid the vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42488",
"datePublished": "2026-06-18T13:47:23.838Z",
"dateReserved": "2026-04-27T14:20:24.138Z",
"dateUpdated": "2026-06-18T15:07:35.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42490 (GCVE-0-2026-42490)
Vulnerability from cvelistv5 – Published: 2026-06-18 13:47 – Updated: 2026-06-18 15:04
VLAI
EPSS
VEX
Title
domctl lock open to abuse
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
To create and manage guests, domctl operations are used by the control
domain, a possible Xenstore domain, or by a domain controlling a
particular guest. Some of these operations may not be executed in
parallel, so a system-wide lock is used. The way that lock is acquired
is, however, not providing any fairness. This is CVE-2026-42489.
Furthermore, with XSM/Flask in use, the lock acquire will, for some
operations, occur ahead of any permission checking. This is
CVE-2026-42490.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-667 - Improper Locking
Assigner
References
1 reference
Date Public
2026-06-09 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42490",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T15:04:47.308725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T15:04:50.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-492"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions from 3.3 onwards are vulnerable. Earlier versions use\na different locking operation, but may also be vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrew Cooper of Citrix."
}
],
"datePublic": "2026-06-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nTo create and manage guests, domctl operations are used by the control\ndomain, a possible Xenstore domain, or by a domain controlling a\nparticular guest. Some of these operations may not be executed in\nparallel, so a system-wide lock is used. The way that lock is acquired\nis, however, not providing any fairness. This is CVE-2026-42489.\n\nFurthermore, with XSM/Flask in use, the lock acquire will, for some\noperations, occur ahead of any permission checking. This is\nCVE-2026-42490."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A less privileged entity may stall an equally or more privileged entity,\npotentially leading to a Denial od Service (DoS) of up to the entire\nhost."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:47:13.257Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-492.html"
}
],
"title": "domctl lock open to abuse",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42490",
"datePublished": "2026-06-18T13:47:13.257Z",
"dateReserved": "2026-04-27T14:20:24.139Z",
"dateUpdated": "2026-06-18T15:04:50.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42489 (GCVE-0-2026-42489)
Vulnerability from cvelistv5 – Published: 2026-06-18 13:47 – Updated: 2026-06-18 15:04
VLAI
EPSS
VEX
Title
domctl lock open to abuse
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
To create and manage guests, domctl operations are used by the control
domain, a possible Xenstore domain, or by a domain controlling a
particular guest. Some of these operations may not be executed in
parallel, so a system-wide lock is used. The way that lock is acquired
is, however, not providing any fairness. This is CVE-2026-42489.
Furthermore, with XSM/Flask in use, the lock acquire will, for some
operations, occur ahead of any permission checking. This is
CVE-2026-42490.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-667 - Improper Locking
Assigner
References
1 reference
Date Public
2026-06-09 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42489",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T15:04:27.888372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T15:04:32.591Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-492"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions from 3.3 onwards are vulnerable. Earlier versions use\na different locking operation, but may also be vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrew Cooper of Citrix."
}
],
"datePublic": "2026-06-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nTo create and manage guests, domctl operations are used by the control\ndomain, a possible Xenstore domain, or by a domain controlling a\nparticular guest. Some of these operations may not be executed in\nparallel, so a system-wide lock is used. The way that lock is acquired\nis, however, not providing any fairness. This is CVE-2026-42489.\n\nFurthermore, with XSM/Flask in use, the lock acquire will, for some\noperations, occur ahead of any permission checking. This is\nCVE-2026-42490."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A less privileged entity may stall an equally or more privileged entity,\npotentially leading to a Denial od Service (DoS) of up to the entire\nhost."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:47:13.198Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-492.html"
}
],
"title": "domctl lock open to abuse",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42489",
"datePublished": "2026-06-18T13:47:13.198Z",
"dateReserved": "2026-04-27T14:20:24.139Z",
"dateUpdated": "2026-06-18T15:04:32.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42487 (GCVE-0-2026-42487)
Vulnerability from cvelistv5 – Published: 2026-06-18 13:46 – Updated: 2026-06-18 15:07
VLAI
EPSS
VEX
Title
x86 HVM I/O port list traversal
Summary
HVM guest I/O port accesses are subject to either emulation or at least
translation. Translations are managed by the device model (via
XEN_DOMCTL_ioport_mapping), and hence the linked list used may changed
at any time. Traversal of those lists (while handling guest I/O port
accesses) therefore needs synchronizing with updates, which was missing
so far.
Severity
7.9 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
Date Public
2026-06-09 12:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T14:35:06.701148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T14:35:11.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-18T15:07:31.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-491.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/09/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-491"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions from at least 3.2 onwards are vulnerable. Earlier\nversions have not been inspected.\n\nOnly x86 systems are vulnerable. Arm systems are not vulnerable.\n\nOnly entities controlling HVM guests can leverage the vulnerability.\nThese are device models running in either a stub domain or de-privileged\nin Dom0."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
],
"datePublic": "2026-06-09T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "HVM guest I/O port accesses are subject to either emulation or at least\ntranslation. Translations are managed by the device model (via\nXEN_DOMCTL_ioport_mapping), and hence the linked list used may changed\nat any time. Traversal of those lists (while handling guest I/O port\naccesses) therefore needs synchronizing with updates, which was missing\nso far."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A device model of a HVM guest can cause a hypervisor crash, causing a\nDenial of Service (DoS) of the entire host. Privilege escalation and\ninformation leaks cannot be ruled out."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:46:53.459Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-491.html"
}
],
"title": "x86 HVM I/O port list traversal",
"workarounds": [
{
"lang": "en",
"value": "Running only PV or PVH guests will avoid the vulnerability.\n\n(Switching from a device model stub domain or a de-privileged device\nmodel to a fully privileged Dom0 device model does NOT mitigate this\nvulnerability. Rather, it simply recategorises the vulnerability to\nhostile management code, regarding it \"as designed\"; thus it merely\nreclassifies these issues as \"not a bug\". The security of a Xen system\nusing stub domains is still better than with a qemu-dm running as a Dom0\nprocess. Users and vendors of stub qemu dm systems should not change\ntheir configuration to use a Dom0 qemu process.)"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-42487",
"datePublished": "2026-06-18T13:46:53.459Z",
"dateReserved": "2026-04-27T14:20:24.138Z",
"dateUpdated": "2026-06-18T15:07:31.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23558 (GCVE-0-2026-23558)
Vulnerability from cvelistv5 – Published: 2026-05-19 12:49 – Updated: 2026-05-20 03:55
VLAI
EPSS
VEX
Title
grant table v2 race in status page mapping
Summary
The adjustments made for XSA-379 as well as those subsequently becoming
XSA-387 still left a race window, when a HVM or PVH guest does a grant
table version change from v2 to v1 in parallel with mapping the status
page(s) via XENMEM_add_to_physmap. Some of the status pages may then be
freed while mappings of them would still be inserted into the guest's
secondary (P2M) page tables.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
Date Public
2026-04-28 12:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-19T13:06:51.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/13"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-486.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23558",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T03:55:35.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-486"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen versions from 4.0 onwards are affected. Xen versions 3.4 and\nolder are not affected.\n\nOnly x86 HVM and PVH guests permitted to use grant table version 2\ninterfaces can leverage this vulnerability. x86 PV guests cannot\nleverage this vulnerability. On Arm, grant table v2 use is explicitly\nunsupported."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Claude Opus 4.6 and diagnosed as a security\nissue by Rafal Wojtczuk."
}
],
"datePublic": "2026-04-28T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The adjustments made for XSA-379 as well as those subsequently becoming\nXSA-387 still left a race window, when a HVM or PVH guest does a grant\ntable version change from v2 to v1 in parallel with mapping the status\npage(s) via XENMEM_add_to_physmap. Some of the status pages may then be\nfreed while mappings of them would still be inserted into the guest\u0027s\nsecondary (P2M) page tables."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Privilege escalation, information leaks, and Denial of Service (DoS) up\nto affecting the entire host cannot be excluded."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T12:49:54.652Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-486.html"
}
],
"title": "grant table v2 race in status page mapping",
"workarounds": [
{
"lang": "en",
"value": "Using the \"gnttab=max-ver:1\" hypervisor command line option will avoid\nthe vulnerability.\n\nUsing the \"max_grant_version=1\" guest configuration option for HVM and PVH\nguests will also avoid the vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23558",
"datePublished": "2026-05-19T12:49:54.652Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-05-20T03:55:35.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23557 (GCVE-0-2026-23557)
Vulnerability from cvelistv5 – Published: 2026-05-19 12:49 – Updated: 2026-05-19 14:42
VLAI
EPSS
VEX
Title
Xenstored DoS via XS_RESET_WATCHES command
Summary
Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES
command within a transaction due to an assert() triggering.
In case xenstored was built with NDEBUG #defined nothing bad will
happen, as assert() is doing nothing in this case. Note that the
default is not to define NDEBUG for xenstored builds even in release
builds of Xen.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-617 - Reachable Assertion
Assigner
References
Date Public
2026-04-28 12:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-19T13:06:41.611Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/11"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-484.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23557",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T14:42:12.994792Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617 Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T14:42:45.464Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-484"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen systems from Xen 4.2 onwards are vulnerable. Systems up to\nXen 4.1 are not vulnerable.\n\nSystems using the C variant of xenstored or xenstore-stubdom built\nwithout NDEBUG are vulnerable. Systems using the OCaml variant of\nXenstore (oxenstored), or the C variant (xenstored or xenstore-stubdom)\nbuilt with NDEBUG defined are not vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Andrii Sultanov of Vates."
}
],
"datePublic": "2026-04-28T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES\ncommand within a transaction due to an assert() triggering.\n\nIn case xenstored was built with NDEBUG #defined nothing bad will\nhappen, as assert() is doing nothing in this case. Note that the\ndefault is not to define NDEBUG for xenstored builds even in release\nbuilds of Xen."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Any unprivileged domain can cause xenstored to crash, causing a\nDoS (denial of service) for any Xenstore action. This will result\nin an inability to perform further domain administration on the host."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T12:49:42.202Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-484.html"
}
],
"title": "Xenstored DoS via XS_RESET_WATCHES command",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation available."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23557",
"datePublished": "2026-05-19T12:49:42.202Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-05-19T14:42:45.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23555 (GCVE-0-2026-23555)
Vulnerability from cvelistv5 – Published: 2026-03-23 06:57 – Updated: 2026-03-23 14:14
VLAI
EPSS
VEX
Title
Xenstored DoS by unprivileged domain
Summary
Any guest issuing a Xenstore command accessing a node using the
(illegal) node path "/local/domain/", will crash xenstored due to a
clobbered error indicator in xenstored when verifying the node path.
Note that the crash is forced via a failing assert() statement in
xenstored. In case xenstored is being built with NDEBUG #defined,
an unprivileged guest trying to access the node path "/local/domain/"
will result in it no longer being serviced by xenstored, other guests
(including dom0) will still be serviced, but xenstored will use up
all cpu time it can get.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-617 - Reachable Assertion
Assigner
References
Date Public
2026-03-17 12:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-23T07:32:28.482Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/17/7"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-481.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23555",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T14:11:41.150968Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617 Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T14:14:02.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-481"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "All Xen systems from Xen 4.18 onwards are vulnerable. Systems up to\nXen 4.17 are not vulnerable.\n\nSystems using the C variant of xenstored are vulnerable. Systems using\nxenstore-stubdom or the OCaml variant of Xenstore (oxenstored) are not\nvulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Marek Marczykowski-G\u00f3reckiof\nInvisible Things Lab."
}
],
"datePublic": "2026-03-17T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Any guest issuing a Xenstore command accessing a node using the\n(illegal) node path \"/local/domain/\", will crash xenstored due to a\nclobbered error indicator in xenstored when verifying the node path.\n\nNote that the crash is forced via a failing assert() statement in\nxenstored. In case xenstored is being built with NDEBUG #defined,\nan unprivileged guest trying to access the node path \"/local/domain/\"\nwill result in it no longer being serviced by xenstored, other guests\n(including dom0) will still be serviced, but xenstored will use up\nall cpu time it can get."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Any unprivileged domain can cause xenstored to crash, causing a\nDoS (denial of service) for any Xenstore action. This will result\nin an inability to perform further domain administration on the host.\n\nIn case xenstored has been built with NDEBUG defined, an unprivileged\ndomain can force xenstored to be 100% busy, but without harming\nxenstored functionality for other guests otherwise."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T06:57:07.653Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-481.html"
}
],
"title": "Xenstored DoS by unprivileged domain",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation available."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23555",
"datePublished": "2026-03-23T06:57:07.653Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-03-23T14:14:02.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23554 (GCVE-0-2026-23554)
Vulnerability from cvelistv5 – Published: 2026-03-23 06:56 – Updated: 2026-03-23 14:19
VLAI
EPSS
VEX
Title
Use after free of paging structures in EPT
Summary
The Intel EPT paging code uses an optimization to defer flushing of any cached
EPT state until the p2m lock is dropped, so that multiple modifications done
under the same locked region only issue a single flush.
Freeing of paging structures however is not deferred until the flushing is
done, and can result in freed pages transiently being present in cached state.
Such stale entries can point to memory ranges not owned by the guest, thus
allowing access to unintended memory regions.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
Date Public
2026-03-17 12:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-23T07:32:25.539Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/17/6"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-480.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23554",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T14:18:54.774466Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T14:19:27.752Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-480"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen 4.17 and onwards are vulnerable. Xen 4.16 and older are not vulnerable.\n\nOnly x86 Intel systems with EPT support are vulnerable.\n\nOnly x86 HVM/PVH guests using HAP can leverage the vulnerability on affected\nsystems."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2026-03-17T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T06:56:52.344Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-480.html"
}
],
"title": "Use after free of paging structures in EPT",
"workarounds": [
{
"lang": "en",
"value": "There are no mitigations."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23554",
"datePublished": "2026-03-23T06:56:52.344Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-03-23T14:19:27.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23553 (GCVE-0-2026-23553)
Vulnerability from cvelistv5 – Published: 2026-01-28 15:33 – Updated: 2026-01-28 16:41
VLAI
EPSS
VEX
Title
x86: incomplete IBPB for vCPU isolation
Summary
In the context switch logic Xen attempts to skip an IBPB in the case of
a vCPU returning to a CPU on which it was the previous vCPU to run.
While safe for Xen's isolation between vCPUs, this prevents the guest
kernel correctly isolating between tasks. Consider:
1) vCPU runs on CPU A, running task 1.
2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB.
3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.
4) vCPU moves back to CPU A. Xen skips IBPB again.
Now, task 2 is running on CPU A with task 1's training still in the BTB.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Date Public
2026-01-27 12:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-01-28T16:12:31.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/27/3"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-479.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23553",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T16:40:38.385640Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-665",
"description": "CWE-665 Improper Initialization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693 Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T16:41:14.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-479"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions which had the XSA-254 fixes backported are vulnerable.\nUpstream, that is 4.6 and newer.\n\nOnly x86 systems are vulnerable. Arm systems are not vulerable.\n\nSystems vulnerable to SRSO (see XSA-434) with default settings use\nIBPB-on-entry to protect against SRSO. This is a rather more aggressive\nform of flushing than only on context switch, and is believed to be\nsufficient to avoid the vulnerability."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by David Kaplan of AMD."
}
],
"datePublic": "2026-01-27T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In the context switch logic Xen attempts to skip an IBPB in the case of\na vCPU returning to a CPU on which it was the previous vCPU to run.\nWhile safe for Xen\u0027s isolation between vCPUs, this prevents the guest\nkernel correctly isolating between tasks. Consider:\n\n 1) vCPU runs on CPU A, running task 1.\n 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB.\n 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.\n 4) vCPU moves back to CPU A. Xen skips IBPB again.\n\nNow, task 2 is running on CPU A with task 1\u0027s training still in the BTB."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Guest processes may leverage information leaks to obtain information\nintended to be private to other entities in a guest."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:33:44.782Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-479.html"
}
],
"title": "x86: incomplete IBPB for vCPU isolation",
"workarounds": [
{
"lang": "en",
"value": "Using \"spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv\" on the Xen command line\nwill activate the SRSO mitigation on non-SRSO-vulnerable hardware, but\nit is a large overhead."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2026-23553",
"datePublished": "2026-01-28T15:33:44.782Z",
"dateReserved": "2026-01-14T13:07:36.961Z",
"dateUpdated": "2026-01-28T16:41:14.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58150 (GCVE-0-2025-58150)
Vulnerability from cvelistv5 – Published: 2026-01-28 15:33 – Updated: 2026-01-28 16:46
VLAI
EPSS
VEX
Title
x86: buffer overrun with shadow paging + tracing
Summary
Shadow mode tracing code uses a set of per-CPU variables to avoid
cumbersome parameter passing. Some of these variables are written to
with guest controlled data, of guest controllable size. That size can
be larger than the variable, and bounding of the writes was missing.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Date Public
2026-01-27 12:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-01-28T16:11:53.448Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/27/1"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-477.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T16:44:38.812623Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T16:46:04.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-477"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Only x86 systems are vulnerable. Arm systems are not vulnerable.\n\nOnly HVM guests running in shadow paging mode and with tracing enabled\ncan leverage the vulnerability."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
],
"datePublic": "2026-01-27T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Shadow mode tracing code uses a set of per-CPU variables to avoid\ncumbersome parameter passing. Some of these variables are written to\nwith guest controlled data, of guest controllable size. That size can\nbe larger than the variable, and bounding of the writes was missing."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "The exact effects depend on what\u0027s adjacent to the variables in\nquestion. The most likely effects are bogus trace data, but none of\nprivilege escalation, information leaks, or Denial of Service (DoS) can\nbe excluded without detailed analysis of the particular build of Xen."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:33:17.316Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-477.html"
}
],
"title": "x86: buffer overrun with shadow paging + tracing",
"workarounds": [
{
"lang": "en",
"value": "Running HVM guests in HAP mode only will avoid the vulnerability.\n\nNot enabling tracing will also avoid the vulnerability. Tracing is\nenabled by the \"tbuf_size=\" command line option, or by running tools\nlike xentrace or xenbaked in Dom0. Note that on a running system\nstopping xentrace / xenbaked would disable tracing. For xentrace,\nhowever, this additionally requires that it wasn\u0027t started with the -x\noption. Stopping previously enabled tracing can of course only prevent\nfuture damage; prior damage may have occurred and may manifest only\nlater."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58150",
"datePublished": "2026-01-28T15:33:17.316Z",
"dateReserved": "2025-08-26T06:48:41.444Z",
"dateUpdated": "2026-01-28T16:46:04.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58149 (GCVE-0-2025-58149)
Vulnerability from cvelistv5 – Published: 2025-10-31 11:50 – Updated: 2025-11-04 21:13
VLAI
EPSS
VEX
Title
Incorrect removal of permissions on PCI device unplug
Summary
When passing through PCI devices, the detach logic in libxl won't remove
access permissions to any 64bit memory BARs the device might have. As a
result a domain can still have access any 64bit memory BAR when such
device is no longer assigned to the domain.
For PV domains the permission leak allows the domain itself to map the memory
in the page-tables. For HVM it would require a compromised device model or
stubdomain to map the leaked memory into the HVM domain p2m.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-672 - Operation on a Resource after Expiration or Release
Assigner
References
Date Public
2025-10-24 12:13
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T14:24:29.854834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-672",
"description": "CWE-672 Operation on a Resource after Expiration or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T14:24:43.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:31.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-476.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/24/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-476"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.0 and newer are vulnerable.\n\nOnly PV guests with PCI passthrough devices can leverage the vulnerability.\n\nOnly domains whose PCI devices are managed by the libxl library are affected.\nThis includes the xl toolstack and xapi, which uses the xl toolstack when\ndealing with PCI devices.\n\nHVM guests are also affected, but accessing the leaked memory requires an\nadditional compromised component on the system."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jiqian Chen of AMD and diagnosed as a\nsecurity issue by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2025-10-24T12:13:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When passing through PCI devices, the detach logic in libxl won\u0027t remove\naccess permissions to any 64bit memory BARs the device might have. As a\nresult a domain can still have access any 64bit memory BAR when such\ndevice is no longer assigned to the domain.\n\nFor PV domains the permission leak allows the domain itself to map the memory\nin the page-tables. For HVM it would require a compromised device model or\nstubdomain to map the leaked memory into the HVM domain p2m."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A buggy or malicious PV guest can access memory of PCI devices no longer\nassigned to it."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T11:50:39.536Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-476.html"
}
],
"title": "Incorrect removal of permissions on PCI device unplug",
"workarounds": [
{
"lang": "en",
"value": "Not doing hot unplug of PCI devices will avoid the vulnerability.\n\nPassing through PCI devices to HVM domains only will also limit the impact, as\nan attacker would require another compromised component to exploit it."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58149",
"datePublished": "2025-10-31T11:50:39.536Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:31.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58148 (GCVE-0-2025-58148)
Vulnerability from cvelistv5 – Published: 2025-10-31 11:50 – Updated: 2025-11-04 21:13
VLAI
EPSS
VEX
Title
x86: Incorrect input sanitisation in Viridian hypercalls
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in
one of three formats. Xen has boundary checking bugs with all three
formats, which can cause out-of-bounds reads and writes while processing
the inputs.
* CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can
cause vpmask_set() to write out of bounds when converting the bitmap
to Xen's format.
* CVE-2025-58148. Hypercalls using any input format can cause
send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
vCPU pointer.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Date Public
2025-10-21 11:59
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58148",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T14:25:18.838278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T14:25:21.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:30.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-475.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/21/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-475"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.15 and newer are vulnerable. Versions 4.14 and older are\nnot vulnerable.\n\nOnly x86 HVM guests which have Viridian enabled can leverage the\nvulnerability.\n\nWith the `xl` toolstack, this means any `viridian=` setting in the VM\u0027s\nconfiguration file.\n\nNote - despite:\n\n `viridian=[\"!hcall_remote_tlb_flush\", \"!hcall_ipi\", \"!ex_processor_masks\"]`\n\nbeing documented to turns off the relevant functionality, this\nconfiguration does not block the relevant hypercalls."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Teddy Astie of Vates"
}
],
"datePublic": "2025-10-21T11:59:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nSome Viridian hypercalls can specify a mask of vCPU IDs as an input, in\none of three formats. Xen has boundary checking bugs with all three\nformats, which can cause out-of-bounds reads and writes while processing\nthe inputs.\n\n * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can\n cause vpmask_set() to write out of bounds when converting the bitmap\n to Xen\u0027s format.\n\n * CVE-2025-58148. Hypercalls using any input format can cause\n send_ipi() to read d-\u003evcpu[] out-of-bounds, and operate on a wild\n vCPU pointer."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A buggy or malicious guest can cause Denial of Service (DoS) affecting\nthe entire host, information leaks, or elevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T11:50:28.407Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-475.html"
}
],
"title": "x86: Incorrect input sanitisation in Viridian hypercalls",
"workarounds": [
{
"lang": "en",
"value": "Not enabling Viridian will avoid the issuse."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58148",
"datePublished": "2025-10-31T11:50:28.407Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:30.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58147 (GCVE-0-2025-58147)
Vulnerability from cvelistv5 – Published: 2025-10-31 11:50 – Updated: 2025-11-04 21:13
VLAI
EPSS
VEX
Title
x86: Incorrect input sanitisation in Viridian hypercalls
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in
one of three formats. Xen has boundary checking bugs with all three
formats, which can cause out-of-bounds reads and writes while processing
the inputs.
* CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can
cause vpmask_set() to write out of bounds when converting the bitmap
to Xen's format.
* CVE-2025-58148. Hypercalls using any input format can cause
send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
vCPU pointer.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Date Public
2025-10-21 11:59
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T17:45:24.503747Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T17:45:58.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:28.853Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-475.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/21/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-475"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.15 and newer are vulnerable. Versions 4.14 and older are\nnot vulnerable.\n\nOnly x86 HVM guests which have Viridian enabled can leverage the\nvulnerability.\n\nWith the `xl` toolstack, this means any `viridian=` setting in the VM\u0027s\nconfiguration file.\n\nNote - despite:\n\n `viridian=[\"!hcall_remote_tlb_flush\", \"!hcall_ipi\", \"!ex_processor_masks\"]`\n\nbeing documented to turns off the relevant functionality, this\nconfiguration does not block the relevant hypercalls."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Teddy Astie of Vates"
}
],
"datePublic": "2025-10-21T11:59:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nSome Viridian hypercalls can specify a mask of vCPU IDs as an input, in\none of three formats. Xen has boundary checking bugs with all three\nformats, which can cause out-of-bounds reads and writes while processing\nthe inputs.\n\n * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can\n cause vpmask_set() to write out of bounds when converting the bitmap\n to Xen\u0027s format.\n\n * CVE-2025-58148. Hypercalls using any input format can cause\n send_ipi() to read d-\u003evcpu[] out-of-bounds, and operate on a wild\n vCPU pointer."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A buggy or malicious guest can cause Denial of Service (DoS) affecting\nthe entire host, information leaks, or elevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T11:50:28.282Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-475.html"
}
],
"title": "x86: Incorrect input sanitisation in Viridian hypercalls",
"workarounds": [
{
"lang": "en",
"value": "Not enabling Viridian will avoid the issuse."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58147",
"datePublished": "2025-10-31T11:50:28.282Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:28.853Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58145 (GCVE-0-2025-58145)
Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:13
VLAI
EPSS
VEX
Title
Arm issues with page refcounting
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are two issues related to the mapping of pages belonging to other
domains: For one, an assertion is wrong there, where the case actually
needs handling. A NULL pointer de-reference could result on a release
build. This is CVE-2025-58144.
And then the P2M lock isn't held until a page reference was actually
obtained (or the attempt to do so has failed). Otherwise the page can
not only change type, but even ownership in between, thus allowing
domain boundaries to be violated. This is CVE-2025-58145.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
Date Public
2025-09-09 11:53
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:39:37.372975Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:39:41.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:27.555Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-473.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-473"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.12 and onwards are vulnerable. Xen versions 4.11 and\nearlier are not vulnerable.\n\nOnly Arm systems are affected. x86 systems are not affected."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are two issues related to the mapping of pages belonging to other\ndomains: For one, an assertion is wrong there, where the case actually\nneeds handling. A NULL pointer de-reference could result on a release\nbuild. This is CVE-2025-58144.\n\nAnd then the P2M lock isn\u0027t held until a page reference was actually\nobtained (or the attempt to do so has failed). Otherwise the page can\nnot only change type, but even ownership in between, thus allowing\ndomain boundaries to be violated. This is CVE-2025-58145."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unprivileged guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host. Privilege escalation and information\nleaks cannot be ruled out."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:36.380Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-473.html"
}
],
"title": "Arm issues with page refcounting",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58145",
"datePublished": "2025-09-11T14:05:36.380Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:27.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58144 (GCVE-0-2025-58144)
Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:13
VLAI
EPSS
VEX
Title
Arm issues with page refcounting
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are two issues related to the mapping of pages belonging to other
domains: For one, an assertion is wrong there, where the case actually
needs handling. A NULL pointer de-reference could result on a release
build. This is CVE-2025-58144.
And then the P2M lock isn't held until a page reference was actually
obtained (or the attempt to do so has failed). Otherwise the page can
not only change type, but even ownership in between, thus allowing
domain boundaries to be violated. This is CVE-2025-58145.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Date Public
2025-09-09 11:53
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:18:50.824988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:38:26.891Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:26.232Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-473.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-473"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.12 and onwards are vulnerable. Xen versions 4.11 and\nearlier are not vulnerable.\n\nOnly Arm systems are affected. x86 systems are not affected."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are two issues related to the mapping of pages belonging to other\ndomains: For one, an assertion is wrong there, where the case actually\nneeds handling. A NULL pointer de-reference could result on a release\nbuild. This is CVE-2025-58144.\n\nAnd then the P2M lock isn\u0027t held until a page reference was actually\nobtained (or the attempt to do so has failed). Otherwise the page can\nnot only change type, but even ownership in between, thus allowing\ndomain boundaries to be violated. This is CVE-2025-58145."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unprivileged guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host. Privilege escalation and information\nleaks cannot be ruled out."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:36.284Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-473.html"
}
],
"title": "Arm issues with page refcounting",
"workarounds": [
{
"lang": "en",
"value": "There is no known mitigation."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58144",
"datePublished": "2025-09-11T14:05:36.284Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:26.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58143 (GCVE-0-2025-58143)
Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:13
VLAI
EPSS
VEX
Title
Mutiple vulnerabilities in the Viridian interface
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:
1. A NULL pointer dereference in the updating of the reference TSC area.
This is CVE-2025-27466.
2. A NULL pointer dereference by assuming the SIM page is mapped when
a synthetic timer message has to be delivered. This is
CVE-2025-58142.
3. A race in the mapping of the reference TSC page, where a guest can
get Xen to free a page while still present in the guest physical to
machine (p2m) page tables. This is CVE-2025-58143.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-366 - Race Condition within a Thread
Assigner
References
Date Public
2025-09-09 11:53
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:21:09.042615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-366",
"description": "CWE-366 Race Condition within a Thread",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:41:56.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:24.914Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-472.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-472"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.13 and newer are vulnerable. Xen versions 4.12 and older\nare not vulnerable.\n\nOnly x86 HVM guests which have the reference_tsc or stimer viridian\nextensions enabled are vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n a synthetic timer message has to be delivered. This is\n CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n get Xen to free a page while still present in the guest physical to\n machine (p2m) page tables. This is CVE-2025-58143."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of Service (DoS) affecting the entire host, information leaks, or\nelevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:29.729Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-472.html"
}
],
"title": "Mutiple vulnerabilities in the Viridian interface",
"workarounds": [
{
"lang": "en",
"value": "Not enabling the reference_tsc and stimer viridian extensions will avoid\nthe issues."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58143",
"datePublished": "2025-09-11T14:05:29.729Z",
"dateReserved": "2025-08-26T06:48:41.443Z",
"dateUpdated": "2025-11-04T21:13:24.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58142 (GCVE-0-2025-58142)
Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:13
VLAI
EPSS
VEX
Title
Mutiple vulnerabilities in the Viridian interface
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:
1. A NULL pointer dereference in the updating of the reference TSC area.
This is CVE-2025-27466.
2. A NULL pointer dereference by assuming the SIM page is mapped when
a synthetic timer message has to be delivered. This is
CVE-2025-58142.
3. A race in the mapping of the reference TSC page, where a guest can
get Xen to free a page while still present in the guest physical to
machine (p2m) page tables. This is CVE-2025-58143.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-395 - Use of NullPointerException Catch to Detect NULL Pointer Dereference
Assigner
References
Date Public
2025-09-09 11:53
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-58142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:24:28.317871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-395",
"description": "CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:41:07.805Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:23.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-472.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-472"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.13 and newer are vulnerable. Xen versions 4.12 and older\nare not vulnerable.\n\nOnly x86 HVM guests which have the reference_tsc or stimer viridian\nextensions enabled are vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n a synthetic timer message has to be delivered. This is\n CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n get Xen to free a page while still present in the guest physical to\n machine (p2m) page tables. This is CVE-2025-58143."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of Service (DoS) affecting the entire host, information leaks, or\nelevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:29.649Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-472.html"
}
],
"title": "Mutiple vulnerabilities in the Viridian interface",
"workarounds": [
{
"lang": "en",
"value": "Not enabling the reference_tsc and stimer viridian extensions will avoid\nthe issues."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-58142",
"datePublished": "2025-09-11T14:05:29.649Z",
"dateReserved": "2025-08-26T06:48:41.442Z",
"dateUpdated": "2025-11-04T21:13:23.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27466 (GCVE-0-2025-27466)
Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:09
VLAI
EPSS
VEX
Title
Mutiple vulnerabilities in the Viridian interface
Summary
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]
There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:
1. A NULL pointer dereference in the updating of the reference TSC area.
This is CVE-2025-27466.
2. A NULL pointer dereference by assuming the SIM page is mapped when
a synthetic timer message has to be delivered. This is
CVE-2025-58142.
3. A race in the mapping of the reference TSC page, where a guest can
get Xen to free a page while still present in the guest physical to
machine (p2m) page tables. This is CVE-2025-58143.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-395 - Use of NullPointerException Catch to Detect NULL Pointer Dereference
Assigner
References
Date Public
2025-09-09 11:53
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-27466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T14:25:53.637084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-395",
"description": "CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:40:33.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:51.419Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://xenbits.xen.org/xsa/advisory-472.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/09/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-472"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.13 and newer are vulnerable. Xen versions 4.12 and older\nare not vulnerable.\n\nOnly x86 HVM guests which have the reference_tsc or stimer viridian\nextensions enabled are vulnerable."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
}
],
"datePublic": "2025-09-09T11:53:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n a synthetic timer message has to be delivered. This is\n CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n get Xen to free a page while still present in the guest physical to\n machine (p2m) page tables. This is CVE-2025-58143."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of Service (DoS) affecting the entire host, information leaks, or\nelevation of privilege."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:05:29.525Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-472.html"
}
],
"title": "Mutiple vulnerabilities in the Viridian interface",
"workarounds": [
{
"lang": "en",
"value": "Not enabling the reference_tsc and stimer viridian extensions will avoid\nthe issues."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-27466",
"datePublished": "2025-09-11T14:05:29.525Z",
"dateReserved": "2025-02-26T09:16:54.462Z",
"dateUpdated": "2025-11-04T21:09:51.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1713 (GCVE-0-2025-1713)
Vulnerability from cvelistv5 – Published: 2025-07-17 13:59 – Updated: 2025-07-17 14:21
VLAI
EPSS
VEX
Title
deadlock potential with VT-d and legacy PCI device pass-through
Summary
When setting up interrupt remapping for legacy PCI(-X) devices,
including PCI(-X) bridges, a lookup of the upstream bridge is required.
This lookup, itself involving acquiring of a lock, is done in a context
where acquiring that lock is unsafe. This can lead to a deadlock.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-833 - Deadlock
Assigner
References
Date Public
2025-02-27 12:52
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-07-17T14:04:25.770Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/27/1"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-467.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/27/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/28/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-1713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-17T14:17:20.052947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-833",
"description": "CWE-833 Deadlock",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T14:21:42.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-467"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Xen versions 4.0 and later are affected. Xen versions 3.4 and earlier\nare not directly affected, but had other issues.\n\nSystems with Intel IOMMU hardware (VT-d) are affected. Systems using\nAMD or non-x86 hardware are not affected.\n\nOnly systems where certain kinds of devices are passed through to an\nunprivileged guest are vulnerable."
}
],
"datePublic": "2025-02-27T12:52:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When setting up interrupt remapping for legacy PCI(-X) devices,\nincluding PCI(-X) bridges, a lookup of the upstream bridge is required.\nThis lookup, itself involving acquiring of a lock, is done in a context\nwhere acquiring that lock is unsafe. This can lead to a deadlock."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "The passing through of certain kinds of devices to an unprivileged guest\ncan result in a Denial of Service (DoS) affecting the entire host.\n\nNote: Normal usage of such devices by a privileged domain can also\n trigger the issue. In such a scenario, the deadlock is not\n considered a security issue, but just a plain bug."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T13:59:46.231Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-467.html"
}
],
"title": "deadlock potential with VT-d and legacy PCI device pass-through",
"workarounds": [
{
"lang": "en",
"value": "Avoiding the passing through of the affected device types will avoid\nthe vulnerability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2025-1713",
"datePublished": "2025-07-17T13:59:46.231Z",
"dateReserved": "2025-02-26T09:04:42.837Z",
"dateUpdated": "2025-07-17T14:21:42.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}