Main Vulnerability Database SB2026010589

SB2026010589 - SUSE update for xen

Published: January 5, 2026

Security Bulletin ID SB2026010589

Severity

Medium

Patch available

YES

Number of vulnerabilities 6

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) NULL pointer dereference (CVE-ID: CVE-2025-27466)

The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when updating the reference TSC area. A malicious guest can perform a denial of service (DoS) attack against the hypervisor.

2) NULL pointer dereference (CVE-ID: CVE-2025-58142)

The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error by assuming the SIM page is mapped when a synthetic timer message has to be delivered. A malicious guest can perform a denial of service (DoS) attack against the hypervisor.

3) Race condition (CVE-ID: CVE-2025-58143)

The vulnerability allows a malicious guest to compromise the hypervisor.

The vulnerability exists due to a race condition in the mapping of the reference TSC page. A malicious guest can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.

4) Out-of-bounds write (CVE-ID: CVE-2025-58147)

The vulnerability allows a malicious guest to escalate privileges on the system.

The vulnerability exists due to a boundary error within the vpmask_set() function when processing HV_VP_SET Sparse format. A malicious guest can initiate hypercall to trigger an out-of-bounds write and execute arbitrary code on the hypervisor.

5) Out-of-bounds read (CVE-ID: CVE-2025-58148)

The vulnerability allows a malicious guest to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the send_ipi() function. A malicious guest can initiate hypercalls using any input format to trigger an out-of-bounds read error and read contents of memory on the hypervisor.

6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-58149)

The vulnerability allows a malicious guest to access sensitive information.

The vulnerability exists due to PCI detach logic in libxl that does not remove access permissions to any 64bit memory BARs the device might have. A malicious guest can access any 64bit memory BAR when such device is no longer assigned to the domain.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2026/suse-su-20260012-1/

Vulnerable Software

SUSE Linux Enterprise Server 15 SP6: LTSS
Server Applications Module: 15-SP6
Basesystem Module: 15-SP6
SUSE Linux Enterprise Real Time 15: SP6
openSUSE Leap: 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP6
SUSE Linux Enterprise Server 15: SP6
SUSE Linux Enterprise Desktop 15: SP6
xen-libs-64bit-debuginfo: before 4.18.5_08-150600.3.34.2
xen-libs-64bit: before 4.18.5_08-150600.3.34.2
xen-tools-xendomains-wait-disk: before 4.18.5_08-150600.3.34.2
xen-tools: before 4.18.5_08-150600.3.34.2
xen-tools-debuginfo: before 4.18.5_08-150600.3.34.2
xen-doc-html: before 4.18.5_08-150600.3.34.2
xen: before 4.18.5_08-150600.3.34.2
xen-libs-32bit: before 4.18.5_08-150600.3.34.2
xen-libs-32bit-debuginfo: before 4.18.5_08-150600.3.34.2
xen-libs: before 4.18.5_08-150600.3.34.2
xen-debugsource: before 4.18.5_08-150600.3.34.2
xen-tools-domU: before 4.18.5_08-150600.3.34.2
xen-tools-domU-debuginfo: before 4.18.5_08-150600.3.34.2
xen-libs-debuginfo: before 4.18.5_08-150600.3.34.2
xen-devel: before 4.18.5_08-150600.3.34.2