CVE-2025-27466

11.09.2025, 14:15

[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]

There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:

 1. A NULL pointer dereference in the updating of the reference TSC area.
    This is CVE-2025-27466.

 2. A NULL pointer dereference by assuming the SIM page is mapped when
    a synthetic timer message has to be delivered.  This is
    CVE-2025-58142.

 3. A race in the mapping of the reference TSC page, where a guest can
    get Xen to free a page while still present in the guest physical to
    machine (p2m) page tables.  This is CVE-2025-58143.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
XEN	CNA	---				---
CISA-ADP	ADP	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Vendor	Product	Version
xen	xen	4.13.0 ≤ 𝑥 < 4.17.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

xen

bullseye	vulnerable
bullseye (security)	vulnerable
bookworm	vulnerable
bookworm (security)	4.17.5+72-g01140da4e8-1 fixed
trixie	vulnerable
trixie (security)	4.20.2+7-g1badcf5035-0+deb13u1 fixed
forky	4.20.2+7-g1badcf5035-2 fixed
sid	4.20.2+7-g1badcf5035-2 fixed

Common Weakness Enumeration

CWE-395 - Use of NullPointerException Catch to Detect NULL Pointer Dereference
Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.

References

https://xenbits.xenproject.org/xsa/advisory-472.html

http://www.openwall.com/lists/oss-security/2025/09/09/1

http://xenbits.xen.org/xsa/advisory-472.html