SB2026012874 - SUSE update for xen

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-58149)

The vulnerability allows a malicious guest to access sensitive information. 

The vulnerability exists due to PCI detach logic in libxl that does not remove access permissions to any 64bit memory BARs the device might have. A malicious guest can access any 64bit memory BAR when such device is no longer assigned to the domain.

2) Out-of-bounds read (CVE-ID: CVE-2025-58150)

The vulnerability allows a malicious guest to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in Xen with shadow paging + tracing on x86 systems. An HVM guests running in shadow paging mode can trigger an out-of-bounds read error and read contents of memory on the system.

3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-23553)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incomplete IBPB for vCPU isolation. A guest processes can leverage information leaks to obtain information intended to be private to other entities in a guest.

Remediation

Install update from vendor's website.

References

• https://www.suse.com/support/update/announcement/2026/suse-su-20260328-1/