| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 13 |
| CVE-ID | CVE-2024-28956 CVE-2024-36350 CVE-2024-36357 CVE-2025-27465 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143 CVE-2025-58144 CVE-2025-58145 CVE-2025-58147 CVE-2025-58148 CVE-2025-58149 CVE-2025-1713 |
| CWE-ID | CWE-399 CWE-1342 CWE-388 CWE-476 CWE-362 CWE-264 CWE-787 CWE-125 CWE-833 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software | Debian Linux (Operating systems & Components / Operating system); xen (Debian package) (Operating systems & Components / Operating system package or component) |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
EUVDB-ID: #VU109000
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28956
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
Description
The vulnerability allows a malicious guest to escalate privileges on the system.
The vulnerability exists due to an error in the hardware support for prediction-domain isolation dubbed "Indirect Target Selection". A malicious guest can infer the contents of arbitrary host memory, including memory assigned to other guests.
Mitigation
Update xen package to one of the following versions: 4.17.5+72-g01140da4e8-1, 4.20.2+7-g1badcf5035-0+deb13u1.
Vulnerable software versions
Debian Linux: All versions
xen (Debian package): before 4.17.5+72-g01140da4e8-1
CPE2.3
https://lists.debian.org/debian-security-announce/2025/msg00234.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU112549
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-36350
CWE-ID:
CWE-1342 - Information Exposure through Microarchitectural State after Transient Execution
Exploit availability: No
Description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to information leak. A local user can obtain sensitive data from previous stores.
Mitigation
Update xen package to one of the following versions: 4.17.5+72-g01140da4e8-1, 4.20.2+7-g1badcf5035-0+deb13u1.
Vulnerable software versions
Debian Linux: All versions
xen (Debian package): before 4.17.5+72-g01140da4e8-1
CPE2.3
https://lists.debian.org/debian-security-announce/2025/msg00234.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU112552
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-36357
CWE-ID:
CWE-1342 - Information Exposure through Microarchitectural State after Transient Execution
Exploit availability: No
Description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to information leak. A local user can obtain sensitive data from the L1D cache.
Mitigation
Update xen package to one of the following versions: 4.17.5+72-g01140da4e8-1, 4.20.2+7-g1badcf5035-0+deb13u1.
Vulnerable software versions
Debian Linux: All versions
xen (Debian package): before 4.17.5+72-g01140da4e8-1
CPE2.3
https://lists.debian.org/debian-security-announce/2025/msg00234.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU112090
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-27465
CWE-ID:
CWE-388 - Error Handling
Exploit availability: No
Description
The vulnerability allows a local guest to crash the hypervisor.
The vulnerability exists due to incorrect stubs exception handling for flags recovery. A malicious guest can force the hypervisor to crash.
Mitigation
Update xen package to one of the following versions: 4.17.5+72-g01140da4e8-1, 4.20.2+7-g1badcf5035-0+deb13u1.
Vulnerable software versions
Debian Linux: All versions
xen (Debian package): before 4.17.5+72-g01140da4e8-1
CPE2.3
https://lists.debian.org/debian-security-announce/2025/msg00234.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU115004
Risk: Medium
CVSSv4.0: 2.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:U/U:Green]
CVE-ID: CVE-2025-27466
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
Description
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when updating the reference TSC area. A malicious guest can perform a denial of service (DoS) attack against the hypervisor.
Mitigation
Update xen package to one of the following versions: 4.17.5+72-g01140da4e8-1, 4.20.2+7-g1badcf5035-0+deb13u1.
Vulnerable software versions
Debian Linux: All versions
xen (Debian package): before 4.17.5+72-g01140da4e8-1
CPE2.3
https://lists.debian.org/debian-security-announce/2025/msg00234.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU115005
Risk: Medium
CVSSv4.0: 2.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:U/U:Green]
CVE-ID: CVE-2025-58142
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
Description
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error: the code assumes the SIM page is mapped when a synthetic timer message has to be delivered. A malicious guest can perform a denial of service (DoS) attack against the hypervisor.
Mitigation
Update xen package to one of the following versions: 4.17.5+72-g01140da4e8-1, 4.20.2+7-g1badcf5035-0+deb13u1.
Vulnerable software versions
Debian Linux: All versions
xen (Debian package): before 4.17.5+72-g01140da4e8-1
CPE2.3
https://lists.debian.org/debian-security-announce/2025/msg00234.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU115006
Risk: Medium
CVSSv4.0: 2.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Green]
CVE-ID: CVE-2025-58143
Exploit availability: No
Description
The vulnerability allows a malicious guest to compromise the hypervisor.
The vulnerability exists due to a race condition in the mapping of the reference TSC page. A malicious guest can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.
Mitigation
Update xen package to one of the following versions: 4.17.5+72-g01140da4e8-1, 4.20.2+7-g1badcf5035-0+deb13u1.
Vulnerable software versions
Debian Linux: All versions
xen (Debian package): before 4.17.5+72-g01140da4e8-1
CPE2.3
https://lists.debian.org/debian-security-announce/2025/msg00234.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU115007
Risk: Medium
CVSSv4.0: 2.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:U/U:Green]
CVE-ID: CVE-2025-58144
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
Description
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when mapping pages belonging to other domains. A malicious guest can perform a denial of service (DoS) attack.
Note, the vulnerability affects ARM-based systems.
Mitigation
Update xen package to one of the following versions: 4.17.5+72-g01140da4e8-1, 4.20.2+7-g1badcf5035-0+deb13u1.
Vulnerable software versions
Debian Linux: All versions
xen (Debian package): before 4.17.5+72-g01140da4e8-1
CPE2.3
https://lists.debian.org/debian-security-announce/2025/msg00234.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU115008
Risk: Medium
CVSSv4.0: 2.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Green]
CVE-ID: CVE-2025-58145
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a malicious guest to gain access to sensitive information.
The vulnerability exists due to incorrect implementation of the P2M lock when obtaining page references. A malicious guest can gain access to sensitive information and escalate privileges on the hypervisor.
Note, the vulnerability affects ARM-based systems.
Mitigation
Update xen package to one of the following versions: 4.17.5+72-g01140da4e8-1, 4.20.2+7-g1badcf5035-0+deb13u1.
Vulnerable software versions
Debian Linux: All versions
xen (Debian package): before 4.17.5+72-g01140da4e8-1
CPE2.3
https://lists.debian.org/debian-security-announce/2025/msg00234.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU117432
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-58147
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description
The vulnerability allows a malicious guest to escalate privileges on the system.
The vulnerability exists due to a boundary error within the vpmask_set() function when processing the HV_VP_SET Sparse format. A malicious guest can issue a hypercall to trigger an out-of-bounds write and execute arbitrary code on the hypervisor.
Mitigation
Update xen package to one of the following versions: 4.17.5+72-g01140da4e8-1, 4.20.2+7-g1badcf5035-0+deb13u1.
Vulnerable software versions
Debian Linux: All versions
xen (Debian package): before 4.17.5+72-g01140da4e8-1
CPE2.3
https://lists.debian.org/debian-security-announce/2025/msg00234.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU117433
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-58148
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a malicious guest to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the send_ipi() function. A malicious guest can initiate hypercalls using any input format to trigger an out-of-bounds read error and read contents of memory on the hypervisor.
Mitigation
Update xen package to one of the following versions: 4.17.5+72-g01140da4e8-1, 4.20.2+7-g1badcf5035-0+deb13u1.
Vulnerable software versions
Debian Linux: All versions
xen (Debian package): before 4.17.5+72-g01140da4e8-1
CPE2.3
https://lists.debian.org/debian-security-announce/2025/msg00234.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU117653
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-58149
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a malicious guest to access sensitive information.
The vulnerability exists because the PCI detach logic in libxl does not remove access permissions to any 64-bit memory BARs the device might have. A malicious guest can access any 64-bit memory BAR when such a device is no longer assigned to the domain.
Mitigation
Update xen package to one of the following versions: 4.17.5+72-g01140da4e8-1, 4.20.2+7-g1badcf5035-0+deb13u1.
Vulnerable software versions
Debian Linux: All versions
xen (Debian package): before 4.17.5+72-g01140da4e8-1
CPE2.3
https://lists.debian.org/debian-security-announce/2025/msg00234.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU105104
Risk: Medium
CVSSv4.0: 5.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Green]
CVE-ID: CVE-2025-1713
CWE-ID:
CWE-833 - Deadlock
Exploit availability: No
Description
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking when handling legacy PCI devices pass-through. A malicious low-privileged guest can crash the entire host.
Successful exploitation of the vulnerability requires Intel IOMMU hardware (VT-d).
Mitigation
Update xen package to one of the following versions: 4.17.5+72-g01140da4e8-1, 4.20.2+7-g1badcf5035-0+deb13u1.
Vulnerable software versions
Debian Linux: All versions
xen (Debian package): before 4.17.5+72-g01140da4e8-1
CPE2.3
https://lists.debian.org/debian-security-announce/2025/msg00234.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.