CVE-2025-58150
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Xen | Xen | consult Xen advisory XSA-477 | unknown |
Weaknesses
Workarounds
Running HVM guests in HAP mode only will avoid the vulnerability.
Not enabling tracing will also avoid the vulnerability. Tracing is enabled by the "tbuf_size=" command line option, or by running tools like xentrace or xenbaked in Dom0. Note that on a running system stopping xentrace / xenbaked would disable tracing. For xentrace, however, this additionally requires that it wasn't started with the -x option. Stopping previously enabled tracing can of course only prevent future damage; prior damage may have occurred and may manifest only later.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.