   Xen Security Advisory CVE-2025-27466,CVE-2025-58142,CVE-2025-58143 / XSA-472
                                  version 2

              Multiple vulnerabilities in the Viridian interface

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:

 1. A NULL pointer dereference in the updating of the reference TSC area.
    This is CVE-2025-27466.

 2. A NULL pointer dereference by assuming the SIM page is mapped when a
    synthetic timer message has to be delivered.  This is CVE-2025-58142.

 3. A race in the mapping of the reference TSC page, where a guest can get
    Xen to free a page while still present in the guest physical to machine
    (p2m) page tables.  This is CVE-2025-58143.

IMPACT
======

Denial of Service (DoS) affecting the entire host, information leaks, or
elevation of privilege.

VULNERABLE SYSTEMS
==================

Xen versions 4.13 and newer are vulnerable.  Xen versions 4.12 and older
are not vulnerable.

Only x86 HVM guests which have the reference_tsc or stimer viridian
extensions enabled are vulnerable.

MITIGATION
==========

Not enabling the reference_tsc and stimer viridian extensions will avoid
the issues.

CREDITS
=======

This issue was discovered by Roger Pau Monné of XenServer.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa472-?.patch           xen-unstable - Xen 4.17.x

$ sha256sum xsa472*
16e14b3cc87800c08d96adc18e66aa4a20a77834af12b9cdd01d739882f07b7d  xsa472-1.patch
4be6a1066fbec367e8c9883240cec2a78671d484928d51ac5fb82e2c539e38ca  xsa472-2.patch
9e1972a2b5a7a817b25cad0fa80c983198bb73a2788a4d0b5cdcaca4518a57cf  xsa472-3.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches (but not mitigations) described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.  This is because the mitigations are guest visible
changes, and hence could give hints to users about the upcoming
vulnerabilities.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
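To check whether a guest config actually applies the mitigation above (not enabling reference_tsc or stimer), here is an added example that is not part of the advisory or of the Xen Project's own tooling: it parses the viridian= option of an xl guest config, honouring the boolean form, the "defaults" and "all" special values and "!group" negation, and reports which of the two XSA-472 groups remain enabled. The DEFAULT_GROUPS set is an assumption taken from xl.cfg(5) for Xen 4.13+ and must be checked against the xl.cfg(5) of the Xen version in use.

```python
import re

# Viridian extension groups that XSA-472 names as making an HVM guest vulnerable.
XSA472_GROUPS = frozenset({"reference_tsc", "stimer"})
# ASSUMPTION: the groups that viridian=1 and the special value "defaults" enable,
# per xl.cfg(5) for Xen 4.13+; confirm against the xl.cfg(5) of your own Xen.
DEFAULT_GROUPS = frozenset({"base", "freq", "time_ref_count",
                            "apic_assist", "crash_ctl", "stimer"})
_VIRIDIAN_LINE = re.compile(r"^\s*viridian\s*=\s*(.+?)\s*$", re.MULTILINE)

def parse_viridian(cfg_text):
    """Return (enabled, disabled, wildcard) for a config's viridian= option,
    or None if absent. Items are applied in order, as xl does, so a later
    "!stimer" still disables stimer after "all" or "defaults"."""
    m = _VIRIDIAN_LINE.search(cfg_text)
    if m is None:
        return None
    value = m.group(1)
    if value in ("0", "1"):              # boolean form: 1 means "defaults"
        return (set(DEFAULT_GROUPS) if value == "1" else set()), set(), False
    enabled, disabled, wildcard = set(), set(), False
    for item in re.findall(r"""["']([^"']+)["']""", value):
        if item == "all":                # every group, clearing earlier "!" entries
            wildcard, disabled = True, set()
        elif item == "defaults":
            enabled |= DEFAULT_GROUPS
            disabled -= DEFAULT_GROUPS
        elif item.startswith("!"):       # "!group" disables a group
            enabled.discard(item[1:])
            disabled.add(item[1:])
        else:
            enabled.add(item)
            disabled.discard(item)
    return enabled, disabled, wildcard

def xsa472_exposure(cfg_text):
    """Return which of reference_tsc/stimer the guest config leaves enabled."""
    parsed = parse_viridian(cfg_text)
    if parsed is None:                   # no viridian= line: no groups enabled
        return set()
    enabled, disabled, wildcard = parsed
    if wildcard:
        return set(XSA472_GROUPS - disabled)
    return set(enabled & XSA472_GROUPS)

# Constructed sample guest config, not taken from any real host.
SAMPLE_CFG = 'name = "win-guest"\ntype = "hvm"\n' \
             'viridian = [ "defaults", "reference_tsc", "!stimer" ]\n'
```

An empty result means the config does not enable either group and so is outside the "vulnerable systems" condition stated above; a non-empty result names the groups to remove until the patches are applied.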