Information

AdvisoryXSA-478
Public release 2026-01-27 12:00
Updated 2026-01-27 12:00
Version 2
CVE(s) CVE-2025-58151
Title varstored: TOCTOU issues with mapped guest memory

Files

advisory-478.txt (signed advisory file)
xsa478.patch

Advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2025-58151 / XSA-478
                               version 2

           varstored: TOCTOU issues with mapped guest memory

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

varstored is a component of the Xapi toolstack handling UEFI Variables
for a VM.  It has a communication path with OVMF inside the VM involving
mapping a buffer prepared by OVMF.

Within varstored, there were insufficient compiler barriers, creating
TOCTOU issues with data in the shared buffer.

The exact vulnerable behaviour depends on the code generated by the
compiler.  In a build of varstored using default settings, the attacker
can control an index used in a jump table.

IMPACT
======

An attacker with kernel level access in a VM can escalate privilege via
gaining code execution within varstored.

VULNERABLE SYSTEMS
==================

Only systems using the Xapi toolstack are potentially affected.

Systems running all versions of varstored are potentially affected.

x86 HVM guests which have been configured as UEFI VMs can leverage the
vulnerability.  x86 PV guests cannot leverage the vulnerability.

A Xapi VM is configured for UEFI if the `HVM-boot-params` map contains
`firmware=uefi`.  e.g.:

  xe vm-param-list uuid=$UUID

  ...
  HVM-boot-params (MRW): firmware: uefi
  ...

If `firmware` is set to `bios`, or is absent entirely (PV guests), then
the guest cannot leverage the vulnerability.

MITIGATION
==========

There are no mitigations.

CREDITS
=======

This issue was discovered by Teddy Astie of Vates.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa478.patch           varstored master

$ sha256sum xsa478*
401679429e22e202fecf418c5100144ea0ee1cca3643f09960107cf3d88821db  xsa478.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAml4qMEMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZp94IAKAafDWRsyB3vmmHsGG2cF3I1LFKQMzhtogNUu/w
7QrhNwmyI9tdIhtlPk4JC75L1Em+kDXHh+vNkQF97QeKq2IyuEYt+q2ko6sV/RTF
Ewv0BhJJIiJCfyI/x55dz+YANOwsSOo7bZrSy1l/VgUJOdVKK5L1VtcloD57ZX2D
A4r/rfZbJwx/vJ+Zp8R+W0on7SWS6h4am6M0+7f2swiJ2MpoEUwhSgFMmigOcdUc
xbUo/IKOiQVNX2A6j+J5tQT6JlrXC/K8bIUwe2oDKRPG1qSMYAr2lKZ4GvoflUra
ckCA0k520KHw+ZfuHhQq/TzIFaLVDnr1kfChYdPSX0jXtb0=
=B9ua
-----END PGP SIGNATURE-----
Xenproject.org Security Team