CVE-2025-58147
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-31

Last updated on: 2025-11-04

Assigner: Xen Project

Description
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. * CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-31
Last Modified
2025-11-04
Generated
2026-06-16
AI Q&A
2025-11-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58147
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xen xen *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58147 is a vulnerability in the Xen hypervisor related to Viridian hypercalls that accept a mask of virtual CPU (vCPU) IDs. Specifically, when using the HV_VP_SET Sparse format, a boundary checking bug in the vpmask_set() function can cause out-of-bounds writes while converting the bitmap to Xen's internal format. This means that the hypercall can write data outside the intended memory area, potentially corrupting memory or causing other unintended behavior. [1]

Impact Analysis

This vulnerability can be exploited by a malicious or buggy guest virtual machine (VM) running on an affected Xen hypervisor to cause Denial of Service (DoS) on the host system, leak information, or escalate privileges. Essentially, it can allow an attacker controlling a guest VM to disrupt the host or gain unauthorized access or information. [1]

Detection Guidance

Detection involves identifying if your Xen hypervisor is running vulnerable versions (4.15 and newer) with Viridian hypercalls enabled on x86 HVM guests. Since the vulnerability arises from malformed hypercalls specifying vCPU ID masks, monitoring or logging hypercall activity related to Viridian features may help. However, no specific detection commands or tools are provided in the available resources. [1]

Mitigation Strategies

Immediate mitigation steps include disabling Viridian on x86 HVM guests, as disabling Viridian prevents exploitation. Additionally, applying the patches provided in Xen Security Advisory XSA-475 for your Xen stable branch (4.17.x through 4.20.x) is recommended. Users should update to the tip of the stable branch before applying patches. Note that some Viridian configuration options do not block the vulnerable hypercalls, so disabling Viridian entirely is advised until patches are applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58147. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart