Debian Xen vulnerabilities

478 known vulnerabilities affecting debian/xen.

Total CVEs: 478
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 138, MEDIUM 226, LOW 96

Vulnerabilities

Page 1 of 24
CVE-2026-23554 | HIGH | CVSS 7.8 | 2026 | debian
[HIGH] xen - The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such s

CVE-2026-23553 | LOW | CVSS 2.9 | fixed in xen 4.20.2+37-g61ff35323e-1 (forky) | 2026 | debian
[LOW] xen - In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On

CVE-2026-23555 | LOW | CVSS 7.1 | 2026 | debian
[HIGH] xen - Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored. In case xenstored is being built with NDEBUG #defined, an unprivileged guest trying to access

CVE-2025-58143 | CRITICAL | CVSS 9.8 | fixed in xen 4.17.5+72-g01140da4e8-1 (bookworm) | 2025 | debian
[CRITICAL] xen - [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by a

CVE-2025-58142 | CRITICAL | CVSS 9.8 | fixed in xen 4.17.5+72-g01140da4e8-1 (bookworm) | 2025 | debian
[CRITICAL] xen - [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by a

CVE-2025-27466 | CRITICAL | CVSS 9.8 | fixed in xen 4.17.5+72-g01140da4e8-1 (bookworm) | 2025 | debian
[CRITICAL] xen - [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by a

CVE-2025-58148 | HIGH | CVSS 7.5 | fixed in xen 4.17.5+72-g01140da4e8-1 (bookworm) | 2025 | debian
[HIGH] xen - [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147.

CVE-2025-1713 | HIGH | CVSS 7.5 | fixed in xen 4.17.5+72-g01140da4e8-1 (bookworm) | 2025 | debian
[HIGH] xen - When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock. Scope: local bookworm: resolved (fixed in 4.17.5+72-g01140da4e8-1) bullseye: open forky: resolved (f

CVE-2025-58147 | HIGH | CVSS 7.5 | fixed in xen 4.17.5+72-g01140da4e8-1 (bookworm) | 2025 | debian
[HIGH] xen - [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147.

CVE-2025-58149 | HIGH | CVSS 7.5 | fixed in xen 4.17.5+72-g01140da4e8-1 (bookworm) | 2025 | debian
[HIGH] xen - When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the permission leak allows the domain itself to map the memory in the page-tables. For HVM it would

CVE-2025-58145 | HIGH | CVSS 7.5 | fixed in xen 4.17.5+72-g01140da4e8-1 (bookworm) | 2025 | debian
[HIGH] xen - [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144.

CVE-2025-58150 | HIGH | CVSS 8.8 | fixed in xen 4.20.2+37-g61ff35323e-1 (forky) | 2025 | debian
[HIGH] xen - Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 4.20.2+37-g61ff35323e-1) sid:

CVE-2025-58144 | HIGH | CVSS 7.5 | fixed in xen 4.17.5+72-g01140da4e8-1 (bookworm) | 2025 | debian
[HIGH] xen - [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144.

CVE-2025-27465 | MEDIUM | CVSS 4.3 | fixed in xen 4.17.5+72-g01140da4e8-1 (bookworm) | 2025 | debian
[MEDIUM] xen - Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be handled gracefully. Certain replayed instructions have additional logic to set up and recover the changes to the arithmetic flags. For replayed instructions

CVE-2024-45817 | HIGH | CVSS 7.3 | fixed in xen 4.17.5+23-ga4e5191dc0-1 (bookworm) | 2024 | debian
[HIGH] xen - In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse throug

CVE-2024-31145 | HIGH | CVSS 7.5 | fixed in xen 4.17.5+23-ga4e5191dc0-1 (bookworm) | 2024 | debian
[HIGH] xen - Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the ma

CVE-2024-31143 | HIGH | CVSS 7.5 | fixed in xen 4.17.5+23-ga4e5191dc0-1 (bookworm) | 2024 | debian
[HIGH] xen - An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even w

CVE-2024-31146 | HIGH | CVSS 7.5 | fixed in xen 4.17.5+23-ga4e5191dc0-1 (bookworm) | 2024 | debian
[HIGH] xen - When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sh

CVE-2024-31142 | HIGH | CVSS 7.5 | fixed in xen 4.17.5+23-ga4e5191dc0-1 (bookworm) | 2024 | debian
[HIGH] xen - Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html Scope: local bookworm: re

CVE-2024-36350 | MEDIUM | CVSS 5.6 | fixed in amd64-microcode 3.20251202.1 (forky) | 2024 | debian
[MEDIUM] amd64-microcode - A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 3.20251202.1) sid: resolved (fixed in 3.20251202.1) trixie: open