Salvatore Bonaccorso
2025-Nov-04 20:07 UTC
[Pkg-xen-devel] Bug#1120075: xen: CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143 CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149
Source: xen
Version: 4.20.0+68-g35cb38b222-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for xen.
CVE-2025-27465[0]:
| Certain instructions need intercepting and emulating by Xen. In
| some cases Xen emulates the instruction by replaying it, using an
| executable stub. Some instructions may raise an exception, which is
| supposed to be handled gracefully. Certain replayed instructions
| have additional logic to set up and recover the changes to the
| arithmetic flags. For replayed instructions where the flags
| recovery logic is used, the metadata for exception handling was
| incorrect, preventing Xen from handling the exception
| gracefully, treating it as fatal instead.
CVE-2025-27466[1]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.
CVE-2025-58142[2]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.
CVE-2025-58143[3]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.
CVE-2025-58144[4]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are two issues related to the mapping of pages belonging to
| other domains: For one, an assertion is wrong there, where the case
| actually needs handling. A NULL pointer de-reference could result
| on a release build. This is CVE-2025-58144. And then the P2M lock
| isn't held until a page reference was actually obtained (or the
| attempt to do so has failed). Otherwise the page can not only
| change type, but even ownership in between, thus allowing domain
| boundaries to be violated. This is CVE-2025-58145.
CVE-2025-58145[5]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are two issues related to the mapping of pages belonging to
| other domains: For one, an assertion is wrong there, where the case
| actually needs handling. A NULL pointer de-reference could result
| on a release build. This is CVE-2025-58144. And then the P2M lock
| isn't held until a page reference was actually obtained (or the
| attempt to do so has failed). Otherwise the page can not only
| change type, but even ownership in between, thus allowing domain
| boundaries to be violated. This is CVE-2025-58145.
CVE-2025-58147[6]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| Some Viridian hypercalls can specify a mask of vCPU IDs as an input,
| in one of three formats. Xen has boundary checking bugs with all
| three formats, which can cause out-of-bounds reads and writes while
| processing the inputs. * CVE-2025-58147. Hypercalls using the
| HV_VP_SET Sparse format can cause vpmask_set() to write out of
| bounds when converting the bitmap to Xen's format. *
| CVE-2025-58148. Hypercalls using any input format can cause
| send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
| vCPU pointer.
CVE-2025-58148[7]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| Some Viridian hypercalls can specify a mask of vCPU IDs as an input,
| in one of three formats. Xen has boundary checking bugs with all
| three formats, which can cause out-of-bounds reads and writes while
| processing the inputs. * CVE-2025-58147. Hypercalls using the
| HV_VP_SET Sparse format can cause vpmask_set() to write out of
| bounds when converting the bitmap to Xen's format. *
| CVE-2025-58148. Hypercalls using any input format can cause
| send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
| vCPU pointer.
CVE-2025-58149[8]:
| When passing through PCI devices, the detach logic in libxl won't
| remove access permissions to any 64bit memory BARs the device might
| have. As a result a domain can still have access any 64bit memory
| BAR when such device is no longer assigned to the domain. For PV
| domains the permission leak allows the domain itself to map the
| memory in the page-tables. For HVM it would require a compromised
| device model or stubdomain to map the leaked memory into the HVM
| domain p2m.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27465
https://www.cve.org/CVERecord?id=CVE-2025-27465
[1] https://security-tracker.debian.org/tracker/CVE-2025-27466
https://www.cve.org/CVERecord?id=CVE-2025-27466
[2] https://security-tracker.debian.org/tracker/CVE-2025-58142
https://www.cve.org/CVERecord?id=CVE-2025-58142
[3] https://security-tracker.debian.org/tracker/CVE-2025-58143
https://www.cve.org/CVERecord?id=CVE-2025-58143
[4] https://security-tracker.debian.org/tracker/CVE-2025-58144
https://www.cve.org/CVERecord?id=CVE-2025-58144
[5] https://security-tracker.debian.org/tracker/CVE-2025-58145
https://www.cve.org/CVERecord?id=CVE-2025-58145
[6] https://security-tracker.debian.org/tracker/CVE-2025-58147
https://www.cve.org/CVERecord?id=CVE-2025-58147
[7] https://security-tracker.debian.org/tracker/CVE-2025-58148
https://www.cve.org/CVERecord?id=CVE-2025-58148
[8] https://security-tracker.debian.org/tracker/CVE-2025-58149
https://www.cve.org/CVERecord?id=CVE-2025-58149
Regards,
Salvatore
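The boundary-checking flaws described above for CVE-2025-58147 and CVE-2025-58148 (an out-of-bounds write while converting a guest-supplied sparse vCPU set into the hypervisor's own bitmap, and an out-of-bounds read of d->vcpu[] when the IPI is sent) share one pattern: a guest-chosen index is used to select into an array before it is compared with that array's size. The C below is an added example written for this page; it is not Xen's code and none of its types, constants or function names are Xen's. It models a sparse set as a 64-bit mask of present banks followed by one 64-bit word per present bank (an assumed layout used only for illustration), shows the unchecked conversion beside a checked one that rejects any bank or vCPU ID the domain cannot hold, and re-checks the ID before indexing the vCPU array.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration: every type, constant and function name here is
 * hypothetical, not a Xen definition. The sparse-set layout (a 64-bit mask
 * of present banks, then one 64-bit word per present bank) is an assumption. */
#define BANK_BITS       64
#define MAX_BANKS       64   /* a 64-bit bank mask names at most 64 banks */
#define MAX_VCPUS       128  /* hypothetical upper limit on vCPUs per domain */
#define NR_VPMASK_WORDS ((MAX_VCPUS + BANK_BITS - 1) / BANK_BITS)

struct sparse_vpset {            /* guest-supplied input */
    uint64_t valid_bank_mask;
    uint64_t bank_contents[MAX_BANKS];
};
struct vpmask { uint64_t bits[NR_VPMASK_WORDS]; };   /* hypervisor-side bitmap */
struct vcpu { bool online; };
struct domain { unsigned int max_vcpus; struct vcpu *vcpu[MAX_VCPUS]; };

/* Unchecked conversion, shown for contrast only: bits[] is indexed by the
 * guest-chosen bank number, so a bank >= NR_VPMASK_WORDS writes past the end. */
void vpmask_set_unchecked(struct vpmask *m, const struct sparse_vpset *s)
{
    unsigned int word = 0;
    memset(m, 0, sizeof(*m));
    for (unsigned int bank = 0; bank < MAX_BANKS; bank++)
        if (s->valid_bank_mask & ((uint64_t)1 << bank))
            m->bits[bank] = s->bank_contents[word++];   /* no bound on bank */
}

/* Checked conversion: a bank that does not fit in bits[], or a vCPU ID at or
 * above max_vcpus, invalidates the whole set (returns false, m left zeroed). */
bool vpmask_set_checked(struct vpmask *m, const struct sparse_vpset *s,
                        unsigned int max_vcpus)
{
    unsigned int word = 0;
    memset(m, 0, sizeof(*m));
    if (max_vcpus > MAX_VCPUS)
        return false;
    for (unsigned int bank = 0; bank < MAX_BANKS; bank++) {
        if (!(s->valid_bank_mask & ((uint64_t)1 << bank)))
            continue;
        if (bank >= NR_VPMASK_WORDS)
            return false;           /* bank has no slot in m->bits[] */
        uint64_t contents = s->bank_contents[word++];
        /* How many IDs of this bank lie below max_vcpus (0..64). */
        unsigned int base = bank * BANK_BITS;
        unsigned int valid = max_vcpus > base ? max_vcpus - base : 0;
        if (valid > BANK_BITS)
            valid = BANK_BITS;
        uint64_t allowed = valid ? ~(uint64_t)0 >> (BANK_BITS - valid) : 0;
        if (contents & ~allowed)
            return false;           /* names a vCPU the domain does not have */
        m->bits[bank] = contents;
    }
    return true;
}

/* Look up a vCPU only after confirming the ID is inside the domain's
 * allocated range; an unchecked d->vcpu[id] is the out-of-bounds read. */
struct vcpu *vcpu_lookup_checked(const struct domain *d, unsigned int id)
{
    return id < d->max_vcpus ? d->vcpu[id] : NULL;
}

/* Returns the number of online vCPUs in the mask, or -1 if the mask names
 * a vCPU the domain does not have. */
int send_ipi_checked(const struct domain *d, const struct vpmask *m)
{
    int delivered = 0;
    for (unsigned int id = 0; id < MAX_VCPUS; id++) {
        if (!(m->bits[id / BANK_BITS] & ((uint64_t)1 << (id % BANK_BITS))))
            continue;
        struct vcpu *v = vcpu_lookup_checked(d, id);
        if (!v)
            return -1;
        delivered += v->online;
    }
    return delivered;
}

/* Runs both checks on a constructed 4-vCPU domain (all online) for a sparse
 * set with one present bank. Returns -2 if the set is rejected, otherwise
 * the send_ipi_checked() result. */
int demo_single_bank(unsigned int bank, uint64_t contents)
{
    static struct vcpu vcpus[4] = { {true}, {true}, {true}, {true} };
    struct domain d = { .max_vcpus = 4 };
    struct sparse_vpset s = { 0 };
    struct vpmask m;

    for (unsigned int i = 0; i < d.max_vcpus; i++)
        d.vcpu[i] = &vcpus[i];
    if (bank >= MAX_BANKS)
        return -2;
    s.valid_bank_mask = (uint64_t)1 << bank;
    s.bank_contents[0] = contents;
    if (!vpmask_set_checked(&m, &s, d.max_vcpus))
        return -2;
    return send_ipi_checked(&d, &m);
}
```

With the constructed 4-vCPU domain, demo_single_bank(0, 0x5) reaches vCPUs 0 and 2 and returns 2; demo_single_bank(0, 0x80) names vCPU 7 and is rejected at conversion time; demo_single_bank(3, 0x1) names a bank that has no slot in the two-word bitmap and is rejected before anything is written; demo_single_bank(1, 0x1) names vCPU 64, which fits the bitmap but not the domain, and is also rejected. The point of returning false rather than clamping is that a partially applied mask would still let send_ipi_checked() run on a set the guest did not ask for.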
Hans van Kranenburg
2025-Nov-28 12:03 UTC
[Pkg-xen-devel] Bug#1120075: xen: CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143 CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149
Hi!

On 11/4/25 9:07 PM, Salvatore Bonaccorso wrote:
> Source: xen
> Version: 4.20.0+68-g35cb38b222-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerabilities were published for xen.
>
> [...]

FYI, Maxi and I are working on this now, the (security-)updates for unstable (4.20), stable (4.20) and oldstable (4.17).

We're currently running into a FTBFS on arm64 with unstable chroot, and are consulting upstream about that. Otherwise, things seem OK so far.

So, you can expect us to reach out to the Security Team soon about this. :)

Thanks,
Hans
Debian Bug Tracking System
2025-Nov-29 11:07 UTC
[Pkg-xen-devel] Bug#1120075: marked as done (xen: CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143 CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149)
Your message dated Sat, 29 Nov 2025 11:05:44 +0000
with message-id <E1vPIls-002ALF-1P at fasolo.debian.org>
and subject line Bug#1120075: fixed in xen 4.20.2+7-g1badcf5035-1
has caused the Debian Bug report #1120075,
regarding xen: CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143 CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
1120075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120075
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Salvatore Bonaccorso <carnil at debian.org>
Subject: xen: CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143 CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149
Date: Tue, 04 Nov 2025 21:07:17 +0100
Size: 9087
URL: <http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20251129/674cb786/attachment.eml>
-------------- next part --------------
An embedded message was scrubbed...
From: Debian FTP Masters <ftpmaster at ftp-master.debian.org>
Subject: Bug#1120075: fixed in xen 4.20.2+7-g1badcf5035-1
Date: Sat, 29 Nov 2025 11:05:44 +0000
Size: 7850
URL: <http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20251129/674cb786/attachment-0001.eml>
Debian Bug Tracking System
2025-Dec-05 16:05 UTC
[Pkg-xen-devel] Bug#1120075: marked as done (xen: CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143 CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149)
Your message dated Fri, 05 Dec 2025 16:03:35 +0000
with message-id <E1vRYHP-001206-0C at fasolo.debian.org>
and subject line Bug#1120075: fixed in xen 4.17.5+72-g01140da4e8-1
has caused the Debian Bug report #1120075,
regarding xen: CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143 CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
1120075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120075
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Salvatore Bonaccorso <carnil at debian.org>
Subject: xen: CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143 CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149
Date: Tue, 04 Nov 2025 21:07:17 +0100
Size: 9087
URL: <http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20251205/1edd2782/attachment.eml>
-------------- next part --------------
An embedded message was scrubbed...
From: Debian FTP Masters <ftpmaster at ftp-master.debian.org>
Subject: Bug#1120075: fixed in xen 4.17.5+72-g01140da4e8-1
Date: Fri, 05 Dec 2025 16:03:35 +0000
Size: 8569
URL: <http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20251205/1edd2782/attachment-0001.eml>
Debian Bug Tracking System
2025-Dec-20 11:19 UTC
[Pkg-xen-devel] Bug#1120075: marked as done (xen: CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143 CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149)
Your message dated Sat, 20 Dec 2025 11:17:08 +0000
with message-id <E1vWuxQ-004ulw-2x at fasolo.debian.org>
and subject line Bug#1120075: fixed in xen 4.20.2+7-g1badcf5035-0+deb13u1
has caused the Debian Bug report #1120075,
regarding xen: CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143 CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
1120075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120075
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Salvatore Bonaccorso <carnil at debian.org>
Subject: xen: CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143 CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149
Date: Tue, 04 Nov 2025 21:07:17 +0100
Size: 9087
URL: <http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20251220/29402109/attachment.eml>
-------------- next part --------------
An embedded message was scrubbed...
From: Debian FTP Masters <ftpmaster at ftp-master.debian.org>
Subject: Bug#1120075: fixed in xen 4.20.2+7-g1badcf5035-0+deb13u1
Date: Sat, 20 Dec 2025 11:17:08 +0000
Size: 7974
URL: <http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20251220/29402109/attachment-0001.eml>