CVE-2025-58149

EUVD-2025-37346

31.10.2025, 12:15

When passing through PCI devices, the detach logic in libxl won't remove
access permissions to any 64bit memory BARs the device might have. As a
result a domain can still have access any 64bit memory BAR when such
device is no longer assigned to the domain.

For PV domains the permission leak allows the domain itself to map the memory
in the page-tables. For HVM it would require a compromised device model or
stubdomain to map the leaked memory into the HVM domain p2m.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADP	ADP	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 14%

Affected Products (NVD)

Vendor	Product	Version
xen	xen	4.0.0 ≤

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

xen

bookworm	4.17.5+72-g01140da4e8-1 fixed
bookworm (security)	4.17.5+72-g01140da4e8-1 fixed
bullseye	vulnerable
bullseye (security)	vulnerable
forky	4.20.2+7-g1badcf5035-2 fixed
sid	4.20.2+7-g1badcf5035-2 fixed
trixie	4.20.2+7-g1badcf5035-0+deb13u1 fixed
trixie (security)	4.20.2+7-g1badcf5035-0+deb13u1 fixed

Ubuntu Releases

Ubuntu Product

Codename

xen

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
plucky	ignored
questing	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-672 - Operation on a Resource after Expiration or Release
The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

References

https://xenbits.xenproject.org/xsa/advisory-476.html

http://www.openwall.com/lists/oss-security/2025/10/24/1

http://xenbits.xen.org/xsa/advisory-476.html