CVE-2025-58149
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-31

Last updated on: 2025-11-04

Assigner: Xen Project

Description
When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the permission leak allows the domain itself to map the memory in the page-tables. For HVM it would require a compromised device model or stubdomain to map the leaked memory into the HVM domain p2m.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-31
Last Modified
2025-11-04
Generated
2026-06-16
AI Q&A
2025-11-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58149
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
xen xen 4.18
xen xen 4.20
xen xen 4.17
xen xen *
xen xen 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in Xen's libxl library when PCI devices are unplugged during PCI passthrough. The detach logic fails to remove access permissions to any 64-bit memory Base Address Registers (BARs) of the PCI device. As a result, a domain can still access the 64-bit memory BARs of devices no longer assigned to it. For paravirtualized (PV) domains, this means the domain can directly map the leaked memory in its page tables. For hardware virtual machine (HVM) domains, exploiting this requires an additional compromised device model or stubdomain to map the leaked memory into the domain's physical-to-machine memory mapping. [1]

Impact Analysis

The impact of this vulnerability is that a domain may retain unauthorized access to memory regions of PCI devices that have been detached, potentially leading to information disclosure. For PV domains, the domain itself can map and access this leaked memory directly, which could expose sensitive data. For HVM domains, exploitation requires further compromise but could similarly lead to unauthorized memory access. This unauthorized access could be leveraged by attackers to gain sensitive information or compromise system security. [1]

Detection Guidance

Detection of this vulnerability involves checking whether PCI passthrough devices have been hot unplugged without proper removal of access permissions to their 64-bit memory BARs. Since the vulnerability is related to the libxl toolstack managing PCI devices, you can inspect the current PCI device assignments and memory mappings for domains using commands like 'xl pci-list <domain>' to list PCI devices assigned to a domain and 'xl mem-list <domain>' to review memory mappings. Additionally, monitoring for hot unplug events of PCI devices and verifying if the domain still retains access to the device's 64-bit BAR memory regions can help detect the issue. However, no specific detection commands are provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include avoiding hot unplug of PCI devices from domains to prevent permission leaks. Limiting PCI passthrough usage to hardware virtual machine (HVM) domains only is also recommended, as exploitation in HVM domains requires additional compromised components, reducing risk. Applying the official patches provided for this vulnerability (xsa476.patch and its variants for different Xen versions) is the definitive fix. Users should update to the tip of the stable branch before applying these patches to ensure full remediation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58149. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart