SB2026010589 - SUSE update for xen
Published: January 5, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) NULL pointer dereference (CVE-ID: CVE-2025-27466)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:U/U:Green
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when updating the reference TSC area. A malicious guest can perform a denial of service (DoS) attack against the hypervisor.
2) NULL pointer dereference (CVE-ID: CVE-2025-58142)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:U/U:Green
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error by assuming the SIM page is mapped when a synthetic timer message has to be delivered. A malicious guest can perform a denial of service (DoS) attack against the hypervisor.
3) Race condition (CVE-ID: CVE-2025-58143)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Green
The vulnerability allows a malicious guest to compromise the hypervisor.
The vulnerability exists due to a race condition in the mapping of the reference TSC page. A malicious guest can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.
4) Out-of-bounds write (CVE-ID: CVE-2025-58147)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a malicious guest to escalate privileges on the system.
The vulnerability exists due to a boundary error within the vpmask_set() function when processing HV_VP_SET Sparse format. A malicious guest can initiate hypercall to trigger an out-of-bounds write and execute arbitrary code on the hypervisor.
5) Out-of-bounds read (CVE-ID: CVE-2025-58148)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a malicious guest to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the send_ipi() function. A malicious guest can initiate hypercalls using any input format to trigger an out-of-bounds read error and read contents of memory on the hypervisor.
6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-58149)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a malicious guest to access sensitive information.
The vulnerability exists due to PCI detach logic in libxl that does not remove access permissions to any 64bit memory BARs the device might have. A malicious guest can access any 64bit memory BAR when such device is no longer assigned to the domain.
Remediation
Install update from vendor's website.