{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-58150", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "state": "PUBLISHED", "assignerShortName": "XEN", "dateReserved": "2025-08-26T06:48:41.444Z", "datePublished": "2026-01-28T15:33:17.316Z", "dateUpdated": "2026-01-28T16:46:04.355Z"}, "containers": {"cna": {"title": "x86: buffer overrun with shadow paging + tracing", "datePublic": "2026-01-27T12:00:00.000Z", "descriptions": [{"lang": "en", "value": "Shadow mode tracing code uses a set of per-CPU variables to avoid\ncumbersome parameter passing. Some of these variables are written to\nwith guest controlled data, of guest controllable size. That size can\nbe larger than the variable, and bounding of the writes was missing."}], "impacts": [{"descriptions": [{"lang": "en", "value": "The exact effects depend on what's adjacent to the variables in\nquestion. The most likely effects are bogus trace data, but none of\nprivilege escalation, information leaks, or Denial of Service (DoS) can\nbe excluded without detailed analysis of the particular build of Xen."}]}], "affected": [{"defaultStatus": "unknown", "product": "Xen", "vendor": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-477"}]}], "configurations": [{"lang": "en", "value": "Only x86 systems are vulnerable. Arm systems are not vulnerable.\n\nOnly HVM guests running in shadow paging mode and with tracing enabled\ncan leverage the vulnerability."}], "workarounds": [{"lang": "en", "value": "Running HVM guests in HAP mode only will avoid the vulnerability.\n\nNot enabling tracing will also avoid the vulnerability. Tracing is\nenabled by the \"tbuf_size=\" command line option, or by running tools\nlike xentrace or xenbaked in Dom0. Note that on a running system\nstopping xentrace / xenbaked would disable tracing. For xentrace,\nhowever, this additionally requires that it wasn't started with the -x\noption. Stopping previously enabled tracing can of course only prevent\nfuture damage; prior damage may have occurred and may manifest only\nlater."}], "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Jan Beulich of SUSE."}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-477.html"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2026-01-28T15:33:17.316Z"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/01/27/1"}, {"url": "http://xenbits.xen.org/xsa/advisory-477.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-28T16:11:53.448Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-787", "lang": "en", "description": "CWE-787 Out-of-bounds Write"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T16:44:38.812623Z", "id": "CVE-2025-58150", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T16:46:04.355Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/01/27/1"}, {"url": "http://xenbits.xen.org/xsa/advisory-477.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-28T16:11:53.448Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-58150", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-28T16:44:38.812623Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T16:45:27.977Z"}}], "cna": {"title": "x86: buffer overrun with shadow paging + tracing", "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Jan Beulich of SUSE."}], "impacts": [{"descriptions": [{"lang": "en", "value": "The exact effects depend on what's adjacent to the variables in\nquestion. The most likely effects are bogus trace data, but none of\nprivilege escalation, information leaks, or Denial of Service (DoS) can\nbe excluded without detailed analysis of the particular build of Xen."}]}], "affected": [{"vendor": "Xen", "product": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-477"}], "defaultStatus": "unknown"}], "datePublic": "2026-01-27T12:00:00.000Z", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-477.html"}], "workarounds": [{"lang": "en", "value": "Running HVM guests in HAP mode only will avoid the vulnerability.\n\nNot enabling tracing will also avoid the vulnerability. Tracing is\nenabled by the \"tbuf_size=\" command line option, or by running tools\nlike xentrace or xenbaked in Dom0. Note that on a running system\nstopping xentrace / xenbaked would disable tracing. For xentrace,\nhowever, this additionally requires that it wasn't started with the -x\noption. Stopping previously enabled tracing can of course only prevent\nfuture damage; prior damage may have occurred and may manifest only\nlater."}], "descriptions": [{"lang": "en", "value": "Shadow mode tracing code uses a set of per-CPU variables to avoid\ncumbersome parameter passing. Some of these variables are written to\nwith guest controlled data, of guest controllable size. That size can\nbe larger than the variable, and bounding of the writes was missing."}], "configurations": [{"lang": "en", "value": "Only x86 systems are vulnerable. Arm systems are not vulnerable.\n\nOnly HVM guests running in shadow paging mode and with tracing enabled\ncan leverage the vulnerability."}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2026-01-28T15:33:17.316Z"}}}, "cveMetadata": {"cveId": "CVE-2025-58150", "state": "PUBLISHED", "dateUpdated": "2026-01-28T16:46:04.355Z", "dateReserved": "2025-08-26T06:48:41.444Z", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "datePublished": "2026-01-28T15:33:17.316Z", "assignerShortName": "XEN"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Shadow mode tracing code uses a set of per-CPU variables to avoid\ncumbersome parameter passing. Some of these variables are written to\nwith guest controlled data, of guest controllable size. That size can\nbe larger than the variable, and bounding of the writes was missing."}], "id": "CVE-2025-58150", "lastModified": "2026-01-28T17:16:07.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-28T16:16:12.880", "references": [{"source": "security@xen.org", "url": "https://xenbits.xenproject.org/xsa/advisory-477.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/01/27/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://xenbits.xen.org/xsa/advisory-477.html"}], "sourceIdentifier": "security@xen.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{}