MGASA-2025-0270

Source
https://advisories.mageia.org/MGASA-2025-0270.html
Import Source
https://advisories.mageia.org/MGASA-2025-0270.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2025-0270
Related
Published
2025-11-09T07:52:10Z
Modified
2025-11-09T07:07:53Z
Summary
Updated xen packages fix security vulnerabilities
Details

Double unlock in x86 guest IRQ handling. (CVE-2024-31143)
Xapi: Metadata injection attack against backup/restore functionality. (CVE-2024-31144)
Error handling in x86 IOMMU identity mapping. (CVE-2024-31145)
PCI device pass-through with shared resources. (CVE-2024-31146)
x86: Deadlock in vlapic_error(). (CVE-2024-45817)
Deadlock in x86 HVM standard VGA handling. (CVE-2024-45818)
libxl leaks data to PVH guests via ACPI tables. (CVE-2024-45819)
Backend can crash Linux netfront. (CVE-2024-53240)
Xen hypercall page unsafe against speculative attacks. (CVE-2024-53241)
Deadlock potential with VT-d and legacy PCI device pass-through. (CVE-2025-1713)
x86: Indirect Target Selection. (CVE-2024-28956)
x86: Incorrect stubs exception handling for flags recovery. (CVE-2025-27465)
TSA-SQ (TSA in the Store Queues). (CVE-2024-36350)
TSA-L1 (TSA in the L1 data cache). (CVE-2024-36357)
A NULL pointer dereference in the updating of the reference TSC area. (CVE-2025-27466)
A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. (CVE-2025-58142)
A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. (CVE-2025-58143)
An assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. (CVE-2025-58144)
The P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. (CVE-2025-58145)
XAPI UTF-8 string handling. (CVE-2025-58146)
Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. (CVE-2025-58147)
Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer. (CVE-2025-58148)
Incorrect removal of permissions on PCI device unplug. (CVE-2025-58149)

References
Credits

Affected packages

Mageia:9 / xen

Package

Name
xen
Purl
pkg:rpm/mageia/xen?arch=source&distro=mageia-9

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.17.5-1.git20251028.1.mga9

Ecosystem specific

{
    "section": "core"
}