CVE-2025-58151
Deferred
Deferred - Pending Action
Insufficient Compiler Barriers in varstored Leading to TOCTOU
Vulnerability report for CVE-2025-58151, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-09
Last updated on: 2026-07-09
Assigner: Xen Project
Description
Description
varstored is a component of the Xapi toolstack handling UEFI Variables
for a VM. It has a communication path with OVMF inside the VM involving
mapping a buffer prepared by OVMF.
Within varstored, there were insufficient compiler barriers, creating
TOCTOU issues with data in the shared buffer.
The exact vulnerable behaviour depends on the code generated by the
compiler. In a build of varstored using default settings, the attacker
can control an index used in a jump table.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vates | varstored | to 2026-01-27 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |