Salvatore Bonaccorso
2025-Nov-04 20:07 UTC
[Pkg-xen-devel] Bug#1120075: xen: CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143 CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149
Source: xen
Version: 4.20.0+68-g35cb38b222-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for xen.
CVE-2025-27465[0]:
| Certain instructions need intercepting and emulating by Xen. In
| some cases Xen emulates the instruction by replaying it, using an
| executable stub. Some instructions may raise an exception, which is
| supposed to be handled gracefully. Certain replayed instructions
| have additional logic to set up and recover the changes to the
| arithmetic flags. For replayed instructions where the flags
| recovery logic is used, the metadata for exception handling was
| incorrect, preventing Xen from handling the exception
| gracefully, treating it as fatal instead.
CVE-2025-27466[1]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.
CVE-2025-58142[2]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.
CVE-2025-58143[3]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.
CVE-2025-58144[4]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are two issues related to the mapping of pages belonging to
| other domains: For one, an assertion is wrong there, where the case
| actually needs handling. A NULL pointer de-reference could result
| on a release build. This is CVE-2025-58144. And then the P2M lock
| isn't held until a page reference was actually obtained (or the
| attempt to do so has failed). Otherwise the page can not only
| change type, but even ownership in between, thus allowing domain
| boundaries to be violated. This is CVE-2025-58145.
CVE-2025-58145[5]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are two issues related to the mapping of pages belonging to
| other domains: For one, an assertion is wrong there, where the case
| actually needs handling. A NULL pointer de-reference could result
| on a release build. This is CVE-2025-58144. And then the P2M lock
| isn't held until a page reference was actually obtained (or the
| attempt to do so has failed). Otherwise the page can not only
| change type, but even ownership in between, thus allowing domain
| boundaries to be violated. This is CVE-2025-58145.
CVE-2025-58147[6]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| Some Viridian hypercalls can specify a mask of vCPU IDs as an input,
| in one of three formats. Xen has boundary checking bugs with all
| three formats, which can cause out-of-bounds reads and writes while
| processing the inputs. * CVE-2025-58147. Hypercalls using the
| HV_VP_SET Sparse format can cause vpmask_set() to write out of
| bounds when converting the bitmap to Xen's format. *
| CVE-2025-58148. Hypercalls using any input format can cause
| send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
| vCPU pointer.
CVE-2025-58148[7]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| Some Viridian hypercalls can specify a mask of vCPU IDs as an input,
| in one of three formats. Xen has boundary checking bugs with all
| three formats, which can cause out-of-bounds reads and writes while
| processing the inputs. * CVE-2025-58147. Hypercalls using the
| HV_VP_SET Sparse format can cause vpmask_set() to write out of
| bounds when converting the bitmap to Xen's format. *
| CVE-2025-58148. Hypercalls using any input format can cause
| send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
| vCPU pointer.
CVE-2025-58149[8]:
| When passing through PCI devices, the detach logic in libxl won't
| remove access permissions to any 64bit memory BARs the device might
| have. As a result a domain can still have access to any 64bit memory
| BAR when such device is no longer assigned to the domain. For PV
| domains the permission leak allows the domain itself to map the
| memory in the page-tables. For HVM it would require a compromised
| device model or stubdomain to map the leaked memory into the HVM
| domain p2m.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27465
https://www.cve.org/CVERecord?id=CVE-2025-27465
[1] https://security-tracker.debian.org/tracker/CVE-2025-27466
https://www.cve.org/CVERecord?id=CVE-2025-27466
[2] https://security-tracker.debian.org/tracker/CVE-2025-58142
https://www.cve.org/CVERecord?id=CVE-2025-58142
[3] https://security-tracker.debian.org/tracker/CVE-2025-58143
https://www.cve.org/CVERecord?id=CVE-2025-58143
[4] https://security-tracker.debian.org/tracker/CVE-2025-58144
https://www.cve.org/CVERecord?id=CVE-2025-58144
[5] https://security-tracker.debian.org/tracker/CVE-2025-58145
https://www.cve.org/CVERecord?id=CVE-2025-58145
[6] https://security-tracker.debian.org/tracker/CVE-2025-58147
https://www.cve.org/CVERecord?id=CVE-2025-58147
[7] https://security-tracker.debian.org/tracker/CVE-2025-58148
https://www.cve.org/CVERecord?id=CVE-2025-58148
[8] https://security-tracker.debian.org/tracker/CVE-2025-58149
https://www.cve.org/CVERecord?id=CVE-2025-58149
Regards,
Salvatore
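The CVE-2025-58147 / CVE-2025-58148 entries above describe the bug class but not the check that is missing. The following is an added illustration, not Xen's code and not from this bug report: a toy model of converting a guest-supplied sparse vCPU set into a hypervisor-side bitmap and then indexing a per-domain vCPU array from it, with the boundary checks in place. The sparse layout (a 64-bit valid-bank mask followed by one 64-bit bank word per set bit, bank b bit i naming vCPU b*64+i) follows the Hyper-V TLFS description; every name, size and helper here (TOY_MAX_VCPUS, vpmask, vpset_sparse_to_vpmask, toy_send_ipi, the sample sets) is an assumption for the example and does not reflect Xen's actual data structures or limits.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model, not Xen's code: all sizes and names are assumptions. */
#define TOY_MAX_VCPUS 128u                       /* assumed upper bound on d->max_vcpus */
#define VPMASK_WORDS  ((TOY_MAX_VCPUS + 63u) / 64u)
#define VPSET_BANKS   64u                        /* one bit of the valid-bank mask per bank */

struct vpmask { uint64_t bits[VPMASK_WORDS]; };  /* hypervisor-side bitmap, one bit per vCPU */

/* Guest-supplied sparse set: bit b of valid_bank_mask announces a 64-bit bank
 * word covering vCPU IDs b*64 .. b*64+63; bank words follow in ascending order. */
struct hv_vpset_sparse {
    uint64_t        valid_bank_mask;
    size_t          nr_banks;      /* bank words the guest actually passed */
    const uint64_t *banks;
};

enum { VPSET_OK = 0, VPSET_EINVAL = -1, VPSET_ERANGE = -2 };

static unsigned int popcount64(uint64_t x)
{
    unsigned int n = 0;
    for (; x; x &= x - 1) n++;
    return n;
}

/* The guarded write: a vCPU ID at or beyond nr_vcpus must never index bits[]. */
static int vpmask_set(struct vpmask *m, unsigned int vcpu_id, unsigned int nr_vcpus)
{
    if (vcpu_id >= nr_vcpus)
        return VPSET_ERANGE;       /* the check whose absence turns into an OOB write */
    m->bits[vcpu_id / 64] |= UINT64_C(1) << (vcpu_id % 64);
    return VPSET_OK;
}

int vpset_sparse_to_vpmask(const struct hv_vpset_sparse *s, unsigned int nr_vcpus,
                           struct vpmask *out)
{
    memset(out, 0, sizeof(*out));
    if (nr_vcpus > TOY_MAX_VCPUS || !s->banks)
        return VPSET_EINVAL;
    if (popcount64(s->valid_bank_mask) != s->nr_banks)
        return VPSET_EINVAL;       /* mask and payload length disagree: malformed input */

    size_t idx = 0;
    for (unsigned int b = 0; b < VPSET_BANKS; b++) {
        if (!(s->valid_bank_mask & (UINT64_C(1) << b)))
            continue;
        uint64_t bank = s->banks[idx++];
        for (unsigned int i = 0; bank; i++, bank >>= 1) {
            if (!(bank & 1))
                continue;
            int rc = vpmask_set(out, b * 64u + i, nr_vcpus);  /* max ID 4095, no overflow */
            if (rc)
                return rc;
        }
    }
    return VPSET_OK;
}

struct toy_vcpu   { unsigned int ipi_count; };
struct toy_domain { unsigned int max_vcpus; struct toy_vcpu vcpu[TOY_MAX_VCPUS]; };

/* Model of an IPI sender: bound-check against max_vcpus before touching vcpu[]. */
int toy_send_ipi(struct toy_domain *d, const struct vpmask *m)
{
    int delivered = 0;
    for (unsigned int v = 0; v < VPMASK_WORDS * 64u; v++) {
        if (!(m->bits[v / 64] & (UINT64_C(1) << (v % 64))))
            continue;
        if (v >= d->max_vcpus)
            return VPSET_ERANGE;   /* without this: a wild d->vcpu[] pointer */
        d->vcpu[v].ipi_count++;
        delivered++;
    }
    return delivered;
}

/* Constructed sample inputs for the example; not captured from any real guest. */
static const uint64_t good_banks[] = { 0x5, 0x1 };               /* vCPUs 0, 2 and 64 */
static const struct hv_vpset_sparse good_set  = { 0x3, 2, good_banks };
static const uint64_t far_banks[]  = { 0x1 };                    /* bank 63 -> vCPU 4032 */
static const struct hv_vpset_sparse far_set   = { UINT64_C(1) << 63, 1, far_banks };
static const struct hv_vpset_sparse short_set = { 0x3, 1, good_banks }; /* announces 2 banks, passes 1 */

int demo_accept_valid(void)            /* 3 IPIs delivered to an 80-vCPU domain */
{
    struct toy_domain d = { .max_vcpus = 80 };
    struct vpmask m;
    if (vpset_sparse_to_vpmask(&good_set, d.max_vcpus, &m) != VPSET_OK)
        return -99;
    return toy_send_ipi(&d, &m);
}
int demo_reject_far_bank(void)  { struct vpmask m; return vpset_sparse_to_vpmask(&far_set, 80, &m); }
int demo_reject_short_set(void) { struct vpmask m; return vpset_sparse_to_vpmask(&short_set, 80, &m); }
int demo_reject_wild_vcpu(void)        /* a bit for vCPU 100 reaching the sender of an 80-vCPU domain */
{
    struct toy_domain d = { .max_vcpus = 80 };
    struct vpmask m = { { 0, UINT64_C(1) << 36 } };
    return toy_send_ipi(&d, &m);
}

int main(void)
{
    printf("valid: %d, far bank: %d, short set: %d, wild vcpu: %d\n",
           demo_accept_valid(), demo_reject_far_bank(),
           demo_reject_short_set(), demo_reject_wild_vcpu());
    return 0;
}
```

The two checks are deliberately kept at both layers: the converter rejects any vCPU ID the bank arithmetic produces beyond the domain's limit, and the sender re-checks before indexing the vCPU array, so a bitmap reaching it by another path cannot turn into an out-of-range read.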