SB2025120308 - Debian update for xen


Published: December 3, 2025

Security Bulletin ID: SB2025120308
Severity: High
Patch available: Yes
Number of vulnerabilities: 13
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 8%, Medium: 69%, Low: 23%, Critical: 0%

Description

This security bulletin contains information about 13 security vulnerabilities.


1) Resource management error (CVE-ID: CVE-2024-28956)

The vulnerability allows a malicious guest to escalate privileges on the system.

The vulnerability exists due to an error in the hardware support for prediction-domain isolation dubbed "Indirect Target Selection". A malicious guest can infer the contents of arbitrary host memory, including memory assigned to other guests.


2) Information exposure through microarchitectural state after transient execution (CVE-ID: CVE-2024-36350)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to an information leak. A local user can obtain sensitive data from previous stores.


3) Information exposure through microarchitectural state after transient execution (CVE-ID: CVE-2024-36357)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to an information leak. A local user can obtain sensitive data from the L1D cache.


4) Improper error handling (CVE-ID: CVE-2025-27465)

The vulnerability allows a local guest to crash the hypervisor.

The vulnerability exists due to incorrect exception handling in the stubs used for flags recovery. A malicious guest can force the hypervisor to crash.


5) NULL pointer dereference (CVE-ID: CVE-2025-27466)

The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when updating the reference TSC area. A malicious guest can perform a denial of service (DoS) attack against the hypervisor.



6) NULL pointer dereference (CVE-ID: CVE-2025-58142)

The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error by assuming the SIM page is mapped when a synthetic timer message has to be delivered. A malicious guest can perform a denial of service (DoS) attack against the hypervisor.


7) Race condition (CVE-ID: CVE-2025-58143)

The vulnerability allows a malicious guest to compromise the hypervisor.

The vulnerability exists due to a race condition in the mapping of the reference TSC page. A malicious guest can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.


8) NULL pointer dereference (CVE-ID: CVE-2025-58144)

The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when mapping pages belonging to other domains. A malicious guest can perform a denial of service (DoS) attack.

Note: the vulnerability affects ARM-based systems.


9) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-58145)

The vulnerability allows a malicious guest to gain access to sensitive information.

The vulnerability exists due to an incorrect implementation of the P2M lock when obtaining page references. A malicious guest can gain access to sensitive information and escalate privileges on the hypervisor.

Note: the vulnerability affects ARM-based systems.


10) Out-of-bounds write (CVE-ID: CVE-2025-58147)

The vulnerability allows a malicious guest to escalate privileges on the system.

The vulnerability exists due to a boundary error within the vpmask_set() function when processing the HV_VP_SET sparse format. A malicious guest can initiate a hypercall to trigger an out-of-bounds write and execute arbitrary code on the hypervisor.


11) Out-of-bounds read (CVE-ID: CVE-2025-58148)

The vulnerability allows a malicious guest to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the send_ipi() function. A malicious guest can initiate hypercalls using any input format to trigger an out-of-bounds read error and read contents of memory on the hypervisor.


12) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-58149)

The vulnerability allows a malicious guest to access sensitive information.

The vulnerability exists due to PCI detach logic in libxl that does not remove access permissions to any 64-bit memory BARs the device might have. A malicious guest can still access any 64-bit memory BAR after such a device is no longer assigned to the domain.


13) Deadlock (CVE-ID: CVE-2025-1713)

The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking when handling legacy PCI device pass-through. A malicious low-privileged guest can crash the entire host.

Successful exploitation of the vulnerability requires Intel IOMMU hardware (VT-d).


Remediation

Install the update from the vendor's website.