[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.
During the mapping of the Reference TSC Page by Xen's viridian code, a race condition (CWE-366) occurs — a guest can trigger a sequence of operations at the right moment that causes Xen to free a memory page before it is removed from the p2m table (guest physical to machine page tables). As a result, the p2m tables retain an entry pointing to an already freed machine page. Such a situation can lead to unauthorized memory access or its reuse in an uncontrolled manner.
An attacker controlling a guest system can compromise the confidentiality, integrity, or availability of the host and other virtual machines — potentially enabling privilege escalation, virtual machine escape, or hypervisor destabilization.
Apply patches available from the vendor according to the references — see advisory XSA-472 at https://xenbits.xenproject.org/xsa/advisory-472.html
Xen hypervisor — versions indicated in vendor references (advisory XSA-472 on xenbits.xenproject.org)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HXen
OSXen4.13.0 – 4.17.0 (bez)
Related vulnerabilities
Xen: NULL pointer dereference w obsłudze syntetycznych timerów viridian
Błąd NULL pointer dereference w kodzie viridian hiperwizora Xen
An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by...
An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass the readonly flag to qemu when setting ...
An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would ...