From xen-announce-bounces@lists.xenproject.org Tue Jan 27 12:01:12 2026
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 27 Jan 2026 12:01:12 +0000
Received: from list by lists.xenproject.org with outflank-mailman.1214314.1524701 (Exim 4.92)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1vkhkc-0006Wb-Up; Tue, 27 Jan 2026 12:00:54 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 1214314.1524701; Tue, 27 Jan 2026 12:00:54 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1vkhkc-0006W9-QV; Tue, 27 Jan 2026 12:00:54 +0000
Received: by outflank-mailman (input) for mailman id 1214314;
 Tue, 27 Jan 2026 12:00:54 +0000
Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50]
 helo=se1-gles-flk1.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from
 <SRS0=SfPo=AA=xenbits.xen.org=andrewcoop@srs-se1.protection.inumbo.net>)
 id 1vkhkb-0006UG-VV
 for xen-announce@lists.xen.org; Tue, 27 Jan 2026 12:00:54 +0000
Received: from mail.xenproject.org (mail.xenproject.org [104.130.215.37])
 by se1-gles-flk1.inumbo.com (Halon) with ESMTPS
 id d038a54a-fb77-11f0-9ccf-f158ae23cfc8;
 Tue, 27 Jan 2026 13:00:49 +0100 (CET)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.96)
 (envelope-from <andrewcoop@xenbits.xen.org>) id 1vkhkP-006Azr-0a;
 Tue, 27 Jan 2026 12:00:40 +0000
Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.96)
 (envelope-from <andrewcoop@xenbits.xen.org>) id 1vkhkO-004FP2-2a;
 Tue, 27 Jan 2026 12:00:40 +0000
X-BeenThere: xen-announce@lists.xenproject.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xenproject.org>
List-Help: <mailto:xen-announce-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-announce>, 
 <mailto:xen-announce-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-announce-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-announce" <xen-announce-bounces@lists.xenproject.org>
X-Inumbo-ID: d038a54a-fb77-11f0-9ccf-f158ae23cfc8
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.510 (Entity 5.510)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
CC: Xen.org security team <security-team-members@xen.org>
Subject: Xen Security Advisory 477 v2 (CVE-2025-58150) - x86: buffer
 overrun with shadow paging + tracing
Message-Id: <E1vkhkO-004FP2-2a@xenbits.xenproject.org>
Date: Tue, 27 Jan 2026 12:00:40 +0000

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2025-58150 / XSA-477
                               version 2

           x86: buffer overrun with shadow paging + tracing

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Shadow mode tracing code uses a set of per-CPU variables to avoid
cumbersome parameter passing.  Some of these variables are written to
with guest controlled data, of guest controllable size.  That size can
be larger than the variable, and bounding of the writes was missing.

IMPACT
======

The exact effects depend on what's adjacent to the variables in
question.  The most likely effects are bogus trace data, but none of
privilege escalation, information leaks, or Denial of Service (DoS) can
be excluded without detailed analysis of the particular build of Xen.

VULNERABLE SYSTEMS
==================

Only x86 systems are vulnerable.  Arm systems are not vulnerable.

Only HVM guests running in shadow paging mode and with tracing enabled
can leverage the vulnerability.

MITIGATION
==========

Running HVM guests in HAP mode only will avoid the vulnerability.

Not enabling tracing will also avoid the vulnerability.  Tracing is
enabled by the "tbuf_size=" command line option, or by running tools
like xentrace or xenbaked in Dom0.  Note that on a running system
stopping xentrace / xenbaked would disable tracing.  For xentrace,
however, this additionally requires that it wasn't started with the -x
option.  Stopping previously enabled tracing can of course only prevent
future damage; prior damage may have occurred and may manifest only
later.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa477.patch           xen-unstable - Xen 4.19.x
xsa477-4.18.patch      Xen 4.18.x

$ sha256sum xsa477*
025783441d7db846e717a1e48547b0db7a36fcc6af652b688524c684f0c3d2a7  xsa477.patch
194da830e15195873456b145a8df83af43aaae7a82fa6cb6852928d75c68909c  xsa477-4.18.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAml4qLYMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ+IkH/jgVtAAifglnIrxstdAUXMritwnXvcrIJaKjG7yj
8980GavdbttObFRL+d2XvPXAQLRWCbgMNgNFA9s/6EhH2cCMF9mmeYxxU9zqG9qi
MQyfp1v/UpNrvD4hdHIXhohMELF6IdXQkrRvnB0hJwSPsDEzMZyofTOKppmSqSE1
tIdFXD1R845KTl9eG1lX4uwr2KhAjAgk4DrpIvxmtkiz3yF8kznjAGDSA7luKkTU
XBSlBe9u/9Yg5cspQrh7tVQ0K+6wDR6f4bCq26P/VCDUjwRIzHDhdP+RzKaumLGn
nTU0aAuIBlXYCa+8HB5c9vf/yLldKflYZ4Qmb3jGD4GYZrQ=
=nlvD
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa477.patch"
Content-Disposition: attachment; filename="xsa477.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa477-4.18.patch"
Content-Disposition: attachment; filename="xsa477-4.18.patch"
Content-Transfer-Encoding: base64
--=separator--
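The defect class in XSA-477 is a fixed-size per-CPU variable written with a guest-supplied length that is never compared against the variable's size. The following is an added illustration, not code from Xen or from the xsa477 patches: the buffer, its neighbour and the sizes are hypothetical, and the per-CPU area is modelled as one flat byte array so that the overrun stays inside a single C object and the demo remains well-defined. It shows the unbounded copy clobbering whatever is laid out after the buffer (the "adjacent variables" the IMPACT section refers to), and the bounded version leaving the neighbour intact.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Model of a per-CPU scratch area: a fixed-size record buffer followed by an
 * unrelated per-CPU variable that happens to be laid out right after it.
 * Names and sizes are illustrative assumptions, not Xen's.
 */
#define REC_MAX         16u          /* size of the record buffer */
#define PERCPU_SIZE     32u          /* whole modelled per-CPU area */
#define NEIGHBOUR_OFF   REC_MAX      /* unrelated variable directly after the buffer */
#define NEIGHBOUR_MAGIC 0xA5A5A5A5u  /* known value so corruption is detectable */

struct percpu_area {
    uint8_t raw[PERCPU_SIZE];        /* flat backing keeps the demo inside one object */
};

static void percpu_init(struct percpu_area *a)
{
    uint32_t magic = NEIGHBOUR_MAGIC;

    memset(a->raw, 0, sizeof(a->raw));
    memcpy(a->raw + NEIGHBOUR_OFF, &magic, sizeof(magic));
}

static uint32_t percpu_neighbour(const struct percpu_area *a)
{
    uint32_t v;

    memcpy(&v, a->raw + NEIGHBOUR_OFF, sizeof(v));
    return v;
}

/*
 * Vulnerable pattern: the guest-controlled length is trusted, so anything
 * above REC_MAX spills into whatever follows the buffer. The clamp to
 * PERCPU_SIZE exists only so this demo never leaves its own backing store;
 * the real bug had no upper bound at all.
 */
static size_t record_vulnerable(struct percpu_area *a, const uint8_t *src, size_t len)
{
    if (len > PERCPU_SIZE)
        len = PERCPU_SIZE;
    memcpy(a->raw, src, len);
    return len;
}

/* Bounded version: never write more than the buffer holds, and report truncation. */
static size_t record_bounded(struct percpu_area *a, const uint8_t *src, size_t len,
                             int *truncated)
{
    *truncated = len > REC_MAX;
    if (*truncated)
        len = REC_MAX;
    memcpy(a->raw, src, len);
    return len;
}

/* Perform one guest-controlled write; 1 if the neighbouring variable survived. */
static int neighbour_intact_after(size_t guest_len, int bounded)
{
    struct percpu_area a;
    uint8_t guest_data[PERCPU_SIZE];     /* constructed guest payload */
    int truncated = 0;

    percpu_init(&a);
    memset(guest_data, 0x41, sizeof(guest_data));
    if (bounded)
        record_bounded(&a, guest_data, guest_len, &truncated);
    else
        record_vulnerable(&a, guest_data, guest_len);
    return percpu_neighbour(&a) == NEIGHBOUR_MAGIC;
}

int main(void)
{
    printf("len=8  unbounded: neighbour intact = %d\n", neighbour_intact_after(8, 0));
    printf("len=24 unbounded: neighbour intact = %d\n", neighbour_intact_after(24, 0));
    printf("len=24 bounded:   neighbour intact = %d\n", neighbour_intact_after(24, 1));
    return 0;
}
```

A length of 8 is harmless either way; a length of 24 overwrites the 4 bytes at offset 16 in the unbounded case and is cut to 16 in the bounded one. The advisory's caveat applies to the model too: whether a real overrun is merely bogus trace data or something worse depends entirely on what the linker placed after the variable.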


From xen-announce-bounces@lists.xenproject.org Tue Jan 27 12:01:12 2026
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 27 Jan 2026 12:01:12 +0000
Received: from list by lists.xenproject.org with outflank-mailman.1214317.1524733 (Exim 4.92)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1vkhkf-0007FB-QX; Tue, 27 Jan 2026 12:00:57 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 1214317.1524733; Tue, 27 Jan 2026 12:00:57 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1vkhkf-0007DX-Ly; Tue, 27 Jan 2026 12:00:57 +0000
Received: by outflank-mailman (input) for mailman id 1214317;
 Tue, 27 Jan 2026 12:00:56 +0000
Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50]
 helo=se1-gles-flk1.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from
 <SRS0=SfPo=AA=xenbits.xen.org=andrewcoop@srs-se1.protection.inumbo.net>)
 id 1vkhke-0006UG-Dy
 for xen-announce@lists.xen.org; Tue, 27 Jan 2026 12:00:56 +0000
Received: from mail.xenproject.org (mail.xenproject.org [104.130.215.37])
 by se1-gles-flk1.inumbo.com (Halon) with ESMTPS
 id d24a3a2c-fb77-11f0-9ccf-f158ae23cfc8;
 Tue, 27 Jan 2026 13:00:50 +0100 (CET)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.96)
 (envelope-from <andrewcoop@xenbits.xen.org>) id 1vkhkT-006B0B-2X;
 Tue, 27 Jan 2026 12:00:45 +0000
Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.96)
 (envelope-from <andrewcoop@xenbits.xen.org>) id 1vkhkT-004FQb-1J;
 Tue, 27 Jan 2026 12:00:45 +0000
X-Inumbo-ID: d24a3a2c-fb77-11f0-9ccf-f158ae23cfc8
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.510 (Entity 5.510)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
CC: Xen.org security team <security-team-members@xen.org>
Subject: Xen Security Advisory 478 v2 (CVE-2025-58151) - varstored: TOCTOU
 issues with mapped guest memory
Message-Id: <E1vkhkT-004FQb-1J@xenbits.xenproject.org>
Date: Tue, 27 Jan 2026 12:00:45 +0000

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2025-58151 / XSA-478
                               version 2

           varstored: TOCTOU issues with mapped guest memory

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

varstored is a component of the Xapi toolstack handling UEFI Variables
for a VM.  It has a communication path with OVMF inside the VM involving
mapping a buffer prepared by OVMF.

Within varstored, there were insufficient compiler barriers, creating
TOCTOU issues with data in the shared buffer.

The exact vulnerable behaviour depends on the code generated by the
compiler.  In a build of varstored using default settings, the attacker
can control an index used in a jump table.

IMPACT
======

An attacker with kernel level access in a VM can escalate privilege via
gaining code execution within varstored.

VULNERABLE SYSTEMS
==================

Only systems using the Xapi toolstack are potentially affected.

Systems running all versions of varstored are potentially affected.

x86 HVM guests which have been configured as UEFI VMs can leverage the
vulnerability.  x86 PV guests cannot leverage the vulnerability.

A Xapi VM is configured for UEFI if the `HVM-boot-params` map contains
`firmware=uefi`.  e.g.:

  xe vm-param-list uuid=$UUID

  ...
  HVM-boot-params (MRW): firmware: uefi
  ...

If `firmware` is set to `bios`, or is absent entirely (PV guests), then
the guest cannot leverage the vulnerability.

MITIGATION
==========

There are no mitigations.

CREDITS
=======

This issue was discovered by Teddy Astie of Vates.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa478.patch           varstored master

$ sha256sum xsa478*
401679429e22e202fecf418c5100144ea0ee1cca3643f09960107cf3d88821db  xsa478.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAml4qMEMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZp94IAKAafDWRsyB3vmmHsGG2cF3I1LFKQMzhtogNUu/w
7QrhNwmyI9tdIhtlPk4JC75L1Em+kDXHh+vNkQF97QeKq2IyuEYt+q2ko6sV/RTF
Ewv0BhJJIiJCfyI/x55dz+YANOwsSOo7bZrSy1l/VgUJOdVKK5L1VtcloD57ZX2D
A4r/rfZbJwx/vJ+Zp8R+W0on7SWS6h4am6M0+7f2swiJ2MpoEUwhSgFMmigOcdUc
xbUo/IKOiQVNX2A6j+J5tQT6JlrXC/K8bIUwe2oDKRPG1qSMYAr2lKZ4GvoflUra
ckCA0k520KHw+ZfuHhQq/TzIFaLVDnr1kfChYdPSX0jXtb0=
=B9ua
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa478.patch"
Content-Disposition: attachment; filename="xsa478.patch"
Content-Transfer-Encoding: base64
--=separator--


From xen-announce-bounces@lists.xenproject.org Tue Jan 27 12:01:12 2026
Return-path: <xen-announce-bounces@lists.xenproject.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 27 Jan 2026 12:01:12 +0000
Received: from list by lists.xenproject.org with outflank-mailman.1214322.1524791 (Exim 4.92)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1vkhkk-00007p-DW; Tue, 27 Jan 2026 12:01:02 +0000
X-Outflank-Mailman: Message body and most headers restored to incoming version
Received: by outflank-mailman (output) from mailman id 1214322.1524791; Tue, 27 Jan 2026 12:01:02 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-announce-bounces@lists.xenproject.org>)
	id 1vkhkk-00005e-4C; Tue, 27 Jan 2026 12:01:02 +0000
Received: by outflank-mailman (input) for mailman id 1214322;
 Tue, 27 Jan 2026 12:01:01 +0000
Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50]
 helo=se1-gles-flk1.inumbo.com)
 by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from
 <SRS0=SfPo=AA=xenbits.xen.org=andrewcoop@srs-se1.protection.inumbo.net>)
 id 1vkhkj-0006UG-F2
 for xen-announce@lists.xen.org; Tue, 27 Jan 2026 12:01:01 +0000
Received: from mail.xenproject.org (mail.xenproject.org [104.130.215.37])
 by se1-gles-flk1.inumbo.com (Halon) with ESMTPS
 id d39415e7-fb77-11f0-9ccf-f158ae23cfc8;
 Tue, 27 Jan 2026 13:00:52 +0100 (CET)
Received: from xenbits.xenproject.org ([104.239.192.120])
 by mail.xenproject.org with esmtp (Exim 4.96)
 (envelope-from <andrewcoop@xenbits.xen.org>) id 1vkhkW-006B0V-31;
 Tue, 27 Jan 2026 12:00:48 +0000
Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.96)
 (envelope-from <andrewcoop@xenbits.xen.org>) id 1vkhkW-004FRp-1q;
 Tue, 27 Jan 2026 12:00:48 +0000
X-Inumbo-ID: d39415e7-fb77-11f0-9ccf-f158ae23cfc8
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.510 (Entity 5.510)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
 xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
CC: Xen.org security team <security-team-members@xen.org>
Subject: Xen Security Advisory 479 v2 (CVE-2026-23553) - x86: incomplete
 IBPB for vCPU isolation
Message-Id: <E1vkhkW-004FRp-1q@xenbits.xenproject.org>
Date: Tue, 27 Jan 2026 12:00:48 +0000

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2026-23553 / XSA-479
                               version 2

                x86: incomplete IBPB for vCPU isolation

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

In the context switch logic Xen attempts to skip an IBPB in the case of
a vCPU returning to a CPU on which it was the previous vCPU to run.
While safe for Xen's isolation between vCPUs, this prevents the guest
kernel correctly isolating between tasks.  Consider:

 1) vCPU runs on CPU A, running task 1.
 2) vCPU moves to CPU B, idle gets scheduled on A.  Xen skips IBPB.
 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.
 4) vCPU moves back to CPU A.  Xen skips IBPB again.

Now, task 2 is running on CPU A with task 1's training still in the BTB.

IMPACT
======

Guest processes may leverage information leaks to obtain information
intended to be private to other entities in a guest.

VULNERABLE SYSTEMS
==================

Xen versions which had the XSA-254 fixes backported are vulnerable.
Upstream, that is 4.6 and newer.

Only x86 systems are vulnerable.  Arm systems are not vulnerable.

Systems vulnerable to SRSO (see XSA-434) with default settings use
IBPB-on-entry to protect against SRSO.  This is a rather more aggressive
form of flushing than only on context switch, and is believed to be
sufficient to avoid the vulnerability.

MITIGATION
==========

Using "spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv" on the Xen command line
will activate the SRSO mitigation on non-SRSO-vulnerable hardware, but
it is a large overhead.

CREDITS
=======

This issue was discovered by David Kaplan of AMD.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa479.patch           xen-unstable - Xen 4.18.x

$ sha256sum xsa479*
82369898d0287e69272d0d65fb0e6be5fd0106bda19cedb3c9f6e75688f6fb4b  xsa479.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAml4qMMMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ4TgIAIObkH7IN/btMzEbjNp2aknZ+u2hgP2zu1j00Fwa
dyEi7Bug9X73vmgzLUWjHDCmvF3uoPl01KIjfh12v7s8dERKaTTxD1fGPOKliziA
rdZQJSICVTnrNex15aLONHxkJI3oVwo2JAXChBx1a4Zx9k7M6+Kv7o9xYlnQh27N
he3fmMrxWMCtTjngDgz7YhRonIYvA92wpRVCNklUulx9+oLHXllS8IKyf1rZvNr2
k2suwC82YG/wG6/vVUxZp45BTt45UC6YtengVRcyq70o9h8y6deSof0MoSuAewj7
05Z9kXac7pvGJTMTz2dUnHeRelaVU2Ps736vQSGgyJdIJ/c=
=jCcD
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa479.patch"
Content-Disposition: attachment; filename="xsa479.patch"
Content-Transfer-Encoding: base64
--=separator--
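The four-step sequence in XSA-479 can be checked by tracking, per CPU, who last trained the branch predictor. The model below is an added illustration and is not Xen's context-switch code or the xsa479 patch: CPUs, vCPUs and tasks are plain integers, the predictor is a (vcpu, task) tag that an IBPB clears, and the hypervisor's skip is the rule the advisory describes (no IBPB when the incoming vCPU is the last non-idle vCPU that ran on that CPU). The "fixed" policy modelled here is simply never skipping; the actual patch's approach is not shown. With the skip, the migration round trip leaves task 2 running on CPU A with task 1's training; the second scenario shows the skip is still correct for the cross-vCPU case it was designed around.

```c
#include <stdio.h>

#define NR_CPUS  2
#define NR_VCPUS 2
#define NONE     (-1)

/* Branch predictor contents on one CPU, recorded as who trained it. */
struct btb { int vcpu, task; };

struct cpu  { struct btb btb; int last_vcpu; };   /* last_vcpu: what the skip check compares */
struct vcpu { int on_cpu, task; };

struct model {
    struct cpu  cpu[NR_CPUS];
    struct vcpu v[NR_VCPUS];
    int skip_ibpb_for_returning_vcpu;   /* 1: behaviour described in the advisory */
};

static void ibpb(struct cpu *c) { c->btb.vcpu = NONE; c->btb.task = NONE; }

static void model_init(struct model *m, int skip)
{
    for (int i = 0; i < NR_CPUS; i++) { ibpb(&m->cpu[i]); m->cpu[i].last_vcpu = NONE; }
    for (int i = 0; i < NR_VCPUS; i++) { m->v[i].on_cpu = NONE; m->v[i].task = NONE; }
    m->skip_ibpb_for_returning_vcpu = skip;
}

/* Hypervisor: schedule vCPU vc in on CPU id (the CPU was idle just before). */
static void xen_switch_in(struct model *m, int id, int vc)
{
    struct cpu *c = &m->cpu[id];

    if (!(m->skip_ibpb_for_returning_vcpu && c->last_vcpu == vc))
        ibpb(c);                         /* skipped when vc is "returning" to this CPU */
    c->last_vcpu = vc;
    m->v[vc].on_cpu = id;
}

/* Hypervisor: vCPU vc is descheduled; its CPU goes idle. */
static void xen_switch_out(struct model *m, int vc) { m->v[vc].on_cpu = NONE; }

/* Guest: task t runs on the vCPU's current CPU and trains that CPU's predictor. */
static void guest_run(struct model *m, int vc, int t)
{
    struct cpu *c = &m->cpu[m->v[vc].on_cpu];

    c->btb.vcpu = vc;
    c->btb.task = t;
    m->v[vc].task = t;
}

/* Guest kernel: task switch on vc, issuing its own IBPB on the CPU it is on. */
static void guest_task_switch(struct model *m, int vc, int t)
{
    ibpb(&m->cpu[m->v[vc].on_cpu]);
    m->v[vc].task = t;
}

/* The advisory's four steps. 1 when task 2 ends up on CPU A (cpu 0) with task 1's training. */
static int stale_training_after_migration(int skip)
{
    struct model m;
    struct btb *a;

    model_init(&m, skip);
    xen_switch_in(&m, 0, 0);  guest_run(&m, 0, 1);          /* 1) vCPU0 on A, task 1   */
    xen_switch_out(&m, 0);    xen_switch_in(&m, 1, 0);       /* 2) vCPU0 to B, A idle   */
    guest_task_switch(&m, 0, 2); guest_run(&m, 0, 2);        /* 3) on B: 1 -> 2, IBPB   */
    xen_switch_out(&m, 0);    xen_switch_in(&m, 0, 0);       /* 4) vCPU0 back to A      */
    a = &m.cpu[0].btb;
    return a->vcpu == 0 && a->task == 1 && m.v[0].task == 2;
}

/* The cross-vCPU case the skip is meant for: vCPU1 takes CPU A while vCPU0 is away.
 * 1 when vCPU1 starts on A with no trace of vCPU0's training. */
static int other_vcpu_isolated(int skip)
{
    struct model m;

    model_init(&m, skip);
    xen_switch_in(&m, 0, 0);  guest_run(&m, 0, 1);
    xen_switch_out(&m, 0);    xen_switch_in(&m, 0, 1);       /* last_vcpu differs: IBPB */
    return m.cpu[0].btb.vcpu == NONE;
}

int main(void)
{
    printf("with skip:    stale training = %d, cross-vCPU isolated = %d\n",
           stale_training_after_migration(1), other_vcpu_isolated(1));
    printf("without skip: stale training = %d, cross-vCPU isolated = %d\n",
           stale_training_after_migration(0), other_vcpu_isolated(0));
    return 0;
}
```

The point the model makes explicit is that the guest's own IBPB in step 3 is issued on CPU B and cannot clean CPU A; only the hypervisor sees the return to A, so the hypervisor must flush there. The same reasoning is why IBPB-on-entry (the SRSO mitigation the advisory mentions) is believed sufficient: it flushes on every entry regardless of which vCPU ran last.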


