CVE-2025-58150

Summary

Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.

Affected Software

VendorProductVersion RangeStatus
XenXenconsult Xen advisory XSA-477unknown

Weaknesses

Workarounds

Running HVM guests in HAP mode only will avoid the vulnerability.

Not enabling tracing will also avoid the vulnerability. Tracing is enabled by the "tbuf_size=" command line option, or by running tools like xentrace or xenbaked in Dom0. Note that on a running system stopping xentrace / xenbaked would disable tracing. For xentrace, however, this additionally requires that it wasn't started with the -x option. Stopping previously enabled tracing can of course only prevent future damage; prior damage may have occurred and may manifest only later.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References