rpm package
opensuse/xen&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/xen&distro=openSUSE%20Tumbleweed
Vulnerabilities (279)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-23558 | Hig | 7.8 | < 4.21.1_04-1.1 | 4.21.1_04-1.1 | May 19, 2026 | The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may t | |
| CVE-2026-23557 | Med | 6.5 | < 4.21.1_04-1.1 | 4.21.1_04-1.1 | May 19, 2026 | Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() triggering. In case xenstored was built with NDEBUG #defined nothing bad will happen, as assert() is doing nothing in this case. Note that the default is not to d | |
| CVE-2025-54518 | Hig | — | < 4.21.1_06-1.1 | 4.21.1_06-1.1 | May 15, 2026 | Improper isolation of shared resources within the CPU operation cache on Zen 2-based products could allow an attacker to corrupt instructions executed at a different privilege level, potentially resulting in privilege escalation. | |
| CVE-2026-23555 | Hig | 7.1 | < 4.21.1_02-1.1 | 4.21.1_02-1.1 | Mar 23, 2026 | Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored. I | |
| CVE-2026-23554 | Hig | 7.8 | < 4.21.1_02-1.1 | 4.21.1_02-1.1 | Mar 23, 2026 | The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flus | |
| CVE-2026-23553 | — | < 4.21.0_04-1.1 | 4.21.0_04-1.1 | Jan 28, 2026 | In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on | ||
| CVE-2025-58150 | — | < 4.21.0_04-1.1 | 4.21.0_04-1.1 | Jan 28, 2026 | Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing. | ||
| CVE-2025-58149 | Hig | 7.5 | < 4.20.1_08-1.1 | 4.20.1_08-1.1 | Oct 31, 2025 | When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the p | |
| CVE-2025-58147 | Hig | 7.5 | < 4.20.1_06-1.1 | 4.20.1_06-1.1 | Oct 31, 2025 | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, | |
| CVE-2025-58143 | Cri | 9.8 | < 4.20.1_04-1.1 | 4.20.1_04-1.1 | Sep 11, 2025 | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the upd | |
| CVE-2025-27466 | Cri | 9.8 | < 4.20.1_04-1.1 | 4.20.1_04-1.1 | Sep 11, 2025 | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the upd | |
| CVE-2025-1713 | Hig | 7.5 | < 4.20.0_08-4.1 | 4.20.0_08-4.1 | Jul 17, 2025 | When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock. | |
| CVE-2025-27465 | Med | 4.3 | < 4.20.1_02-1.1 | 4.20.1_02-1.1 | Jul 16, 2025 | Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be handled gracefully. Certain replayed instructions have additiona | |
| CVE-2024-36350 | Med | 5.6 | < 4.20.1_04-1.1 | 4.20.1_04-1.1 | Jul 8, 2025 | A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information. | |
| CVE-2024-28956 | Med | 5.6 | < 4.20.0_12-1.1 | 4.20.0_12-1.1 | May 13, 2025 | Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | |
| CVE-2024-2201 | Med | 4.7 | < 4.18.2_02-1.1 | 4.18.2_02-1.1 | Dec 19, 2024 | A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems. | |
| CVE-2024-45819 | Med | 5.5 | < 4.19.0_06-1.1 | 4.19.0_06-1.1 | Dec 19, 2024 | PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is | |
| CVE-2024-45818 | Med | 6.5 | < 4.19.0_06-1.1 | 4.19.0_06-1.1 | Dec 19, 2024 | The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the (virtual) VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a | |
| CVE-2024-45817 | Hig | 7.3 | < 4.19.0_04-1.1 | 4.19.0_04-1.1 | Sep 25, 2024 | In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, whic | |
| CVE-2024-31146 | Hig | 7.5 | < 4.19.0_02-1.1 | 4.19.0_02-1.1 | Sep 25, 2024 | When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration canno |
- affected < 4.21.1_04-1.1fixed 4.21.1_04-1.1
The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may t
- affected < 4.21.1_04-1.1fixed 4.21.1_04-1.1
Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() triggering. In case xenstored was built with NDEBUG #defined nothing bad will happen, as assert() is doing nothing in this case. Note that the default is not to d
- affected < 4.21.1_06-1.1fixed 4.21.1_06-1.1
Improper isolation of shared resources within the CPU operation cache on Zen 2-based products could allow an attacker to corrupt instructions executed at a different privilege level, potentially resulting in privilege escalation.
- affected < 4.21.1_02-1.1fixed 4.21.1_02-1.1
Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored. I
- affected < 4.21.1_02-1.1fixed 4.21.1_02-1.1
The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flus
- CVE-2026-23553Jan 28, 2026affected < 4.21.0_04-1.1fixed 4.21.0_04-1.1
In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on
- CVE-2025-58150Jan 28, 2026affected < 4.21.0_04-1.1fixed 4.21.0_04-1.1
Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.
- affected < 4.20.1_08-1.1fixed 4.20.1_08-1.1
When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the p
- affected < 4.20.1_06-1.1fixed 4.20.1_06-1.1
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats,
- affected < 4.20.1_04-1.1fixed 4.20.1_04-1.1
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the upd
- affected < 4.20.1_04-1.1fixed 4.20.1_04-1.1
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the upd
- affected < 4.20.0_08-4.1fixed 4.20.0_08-4.1
When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock.
- affected < 4.20.1_02-1.1fixed 4.20.1_02-1.1
Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be handled gracefully. Certain replayed instructions have additiona
- affected < 4.20.1_04-1.1fixed 4.20.1_04-1.1
A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.
- affected < 4.20.0_12-1.1fixed 4.20.0_12-1.1
Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
- affected < 4.18.2_02-1.1fixed 4.18.2_02-1.1
A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems.
- affected < 4.19.0_06-1.1fixed 4.19.0_06-1.1
PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is
- affected < 4.19.0_06-1.1fixed 4.19.0_06-1.1
The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the (virtual) VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a
- affected < 4.19.0_04-1.1fixed 4.19.0_04-1.1
In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, whic
- affected < 4.19.0_02-1.1fixed 4.19.0_02-1.1
When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration canno
Page 1 of 14