[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.
In the viridian hypervisor code of Xen, during the update of the TSC reference area, an attempt to dereference a NULL pointer occurs (CWE-395 — Catch of NullPointerException). The bug is triggered during the handling of guest memory pages when the hypervisor does not properly check whether the appropriate pointer is initialized before using it. A malicious or misconfigured guest can provoke this condition, causing the hypervisor to crash.
An attacker with control over a virtual machine running on a vulnerable host can cause a Xen hypervisor crash, resulting in denial of service (DoS) for all other virtual machines running on the same host. A high CVSS score (9.8) indicates potentially broader impact, including the possibility of data confidentiality and integrity violations.
Apply patches available from the vendor according to the references — see XSA-472 advisory published at https://xenbits.xenproject.org/xsa/advisory-472.html
Xen hypervisor — versions indicated in vendor references (XSA-472 advisory on xenbits.xenproject.org)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HXen
OSXen4.13.0 – 4.17.0 (bez)
Related vulnerabilities
Race condition w Xen viridian — zwolnienie strony obecnej w tablicach p2m
Xen: NULL pointer dereference w obsłudze syntetycznych timerów viridian
An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by...
An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass the readonly flag to qemu when setting ...
An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would ...