Security update for xen SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0303-1 Final 1 1 2026-01-27T16:14:45Z current 2026-01-27T16:14:45Z 2026-01-27T16:14:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xen This update for xen fixes the following issues: Security fixes: - CVE-2025-58150: Fixed buffer overrun with shadow paging and tracing (XSA-477) (bsc#1256745) - CVE-2026-23553: Fixed incomplete IBPB for vCPU isolation (XSA-479) (bsc#1256747) - CVE-2025-58149: Fixed incorrect removal od permissions on PCI device unplug allow PV guests to access memory of devices no longer assigned to it (XSA-476) (bsc#1252692) - CVE-2025-27466, CVE-2025-58142, CVE-2025-58143: Fixed multiple vulnerabilities in the Viridian interface (XSA-472) (bsc#1248807) Other fixes: - Fixed virtxend service restart. Caused by a failure to start xenstored (bsc#1254180) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-303,SUSE-SUSE-MicroOS-5.2-2026-303 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260303-1/ Link for SUSE-SU-2026:0303-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023931.html E-Mail link for SUSE-SU-2026:0303-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1248807 SUSE Bug 1248807 https://bugzilla.suse.com/1252692 SUSE Bug 1252692 https://bugzilla.suse.com/1254180 SUSE Bug 1254180 https://bugzilla.suse.com/1256745 SUSE Bug 1256745 https://bugzilla.suse.com/1256747 SUSE Bug 1256747 https://www.suse.com/security/cve/CVE-2025-27466/ SUSE CVE CVE-2025-27466 page https://www.suse.com/security/cve/CVE-2025-58142/ SUSE CVE CVE-2025-58142 page https://www.suse.com/security/cve/CVE-2025-58143/ SUSE CVE CVE-2025-58143 page https://www.suse.com/security/cve/CVE-2025-58149/ SUSE CVE CVE-2025-58149 page https://www.suse.com/security/cve/CVE-2025-58150/ SUSE CVE CVE-2025-58150 page https://www.suse.com/security/cve/CVE-2026-23553/ SUSE CVE CVE-2026-23553 page SUSE Linux Enterprise Micro 5.2 xen-4.14.6_28-150300.3.94.1 xen-devel-4.14.6_28-150300.3.94.1 xen-doc-html-4.14.6_28-150300.3.94.1 xen-libs-4.14.6_28-150300.3.94.1 xen-libs-32bit-4.14.6_28-150300.3.94.1 xen-libs-64bit-4.14.6_28-150300.3.94.1 xen-tools-4.14.6_28-150300.3.94.1 xen-tools-domU-4.14.6_28-150300.3.94.1 xen-tools-xendomains-wait-disk-4.14.6_28-150300.3.94.1 xen-libs-4.14.6_28-150300.3.94.1 as a component of SUSE Linux Enterprise Micro 5.2 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143. CVE-2025-27466 SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260303-1/ https://www.suse.com/security/cve/CVE-2025-27466.html CVE-2025-27466 https://bugzilla.suse.com/1248807 SUSE Bug 1248807 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143. CVE-2025-58142 SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260303-1/ https://www.suse.com/security/cve/CVE-2025-58142.html CVE-2025-58142 https://bugzilla.suse.com/1248807 SUSE Bug 1248807 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143. CVE-2025-58143 SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260303-1/ https://www.suse.com/security/cve/CVE-2025-58143.html CVE-2025-58143 https://bugzilla.suse.com/1248807 SUSE Bug 1248807 When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the permission leak allows the domain itself to map the memory in the page-tables. For HVM it would require a compromised device model or stubdomain to map the leaked memory into the HVM domain p2m. CVE-2025-58149 SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260303-1/ https://www.suse.com/security/cve/CVE-2025-58149.html CVE-2025-58149 https://bugzilla.suse.com/1252692 SUSE Bug 1252692 Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing. CVE-2025-58150 SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260303-1/ https://www.suse.com/security/cve/CVE-2025-58150.html CVE-2025-58150 https://bugzilla.suse.com/1256745 SUSE Bug 1256745 In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB. CVE-2026-23553 SUSE Linux Enterprise Micro 5.2:xen-libs-4.14.6_28-150300.3.94.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260303-1/ https://www.suse.com/security/cve/CVE-2026-23553.html CVE-2026-23553 https://bugzilla.suse.com/1256747 SUSE Bug 1256747