            Xen Security Advisory CVE-2025-54518 / XSA-490

                   x86: CPU Opcode Cache corruption

ISSUE DESCRIPTION
=================

AMD have disclosed a potential vulnerability in certain CPUs which can
cause instructions to execute at a higher privilege.

For more information, see:
  https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html

IMPACT
======

Code of any privilege could escalate to a higher privilege, including
userspace to kernel, and guest to host.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Only AMD Fam17h CPUs (Zen2 microarchitecture) are believed to be
vulnerable. Other AMD CPUs and CPUs from other manufacturers are not
known to be affected.

MITIGATION
==========

There are no mitigations.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

For Xen 4.17, patch 1 is a backport of a change which only went back as
far as 4.18 under normal bugfix rules, but which is tightly textually
coupled with the XSA-940 fix. It is possible to rework patch 2 to avoid
patch 1, but a number of Xen-focused downstreams already have patch 1
backported, and those without patch 1 really ought to take it. So, while
this is slightly abnormal for an XSA, it is believed to be in the best
interest of everyone with a 4.17 based Xen.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa490.patch           xen-unstable
xsa490-4.21.patch      Xen 4.21.x - Xen 4.18.x
xsa490-4.17-?.patch    Xen 4.17.x

$ sha256sum xsa490*
7c256d3384bf640d171ae2f18930c193a72bbdd92ebeb8942e58634dd7b27439  xsa490.patch
4d64d95937630f2147bb69d0d0ff24fc7d97efd48e376d882265662f93886ec7  xsa490-4.17-1.patch
6c717a5bd914088463c74b89893672388848a2222165478aed63b6c2a4151e28  xsa490-4.17-2.patch
1e397550a542bc0957bf93a6e6f01ffcdfe8f005697a505c62ec6120a72d3f90  xsa490-4.21.patch
$
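
One way to pick the patch set for a given Xen version and check the downloaded files against the digests listed above before applying them. This is an added example, not part of the advisory or of the Xen Project's tooling; the function names, the "unstable" version keyword and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: select and verify the XSA-490 patch files for a Xen version.
# File names and digests are copied from the advisory's sha256sum listing;
# they are only as trustworthy as the copy of the advisory they came from.

xsa490_sums() {
cat <<'EOF'
7c256d3384bf640d171ae2f18930c193a72bbdd92ebeb8942e58634dd7b27439  xsa490.patch
4d64d95937630f2147bb69d0d0ff24fc7d97efd48e376d882265662f93886ec7  xsa490-4.17-1.patch
6c717a5bd914088463c74b89893672388848a2222165478aed63b6c2a4151e28  xsa490-4.17-2.patch
1e397550a542bc0957bf93a6e6f01ffcdfe8f005697a505c62ec6120a72d3f90  xsa490-4.21.patch
EOF
}

# Map a Xen version ("unstable", "4.19.2", ...) to its patch file(s), in the
# order they are applied. Returns 1 for versions the advisory does not list.
xsa490_patches_for() {
    case "$1" in
        unstable)
            echo "xsa490.patch" ;;
        4.18|4.18.*|4.19|4.19.*|4.20|4.20.*|4.21|4.21.*)
            echo "xsa490-4.21.patch" ;;
        4.17|4.17.*)
            # 4.17 needs the backport (patch 1) before the fix (patch 2).
            echo "xsa490-4.17-1.patch xsa490-4.17-2.patch" ;;
        *)
            return 1 ;;
    esac
}

# Verify every patch needed for Xen version $1 inside directory $2.
# Prints the verified file names on success.
# Returns 2 = version not listed, 3 = file missing, 4 = digest mismatch.
xsa490_verify() {
    files=$(xsa490_patches_for "$1") || {
        echo "no XSA-490 patch listed for Xen $1" >&2; return 2; }
    for f in $files; do
        [ -f "$2/$f" ] || { echo "missing: $f" >&2; return 3; }
        want=$(xsa490_sums | awk -v f="$f" '$2 == f { print $1 }')
        got=$(sha256sum "$2/$f" | awk '{ print $1 }')
        [ "$want" = "$got" ] || { echo "digest mismatch: $f" >&2; return 4; }
    done
    echo "$files"
}
```

Calling `xsa490_verify 4.17.5 ./patches` succeeds only when both 4.17 patches are present and match, so a partial download cannot be applied by mistake.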