CVEFinder.io

CVE-2025-58147

⚠ī¸ high
🔍 Scan for this CVE
Summary

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap

Description

[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]

Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in
one of three formats. Xen has boundary checking bugs with all three
formats, which can cause out-of-bounds reads and writes while processing
the inputs.

* CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can
cause vpmask_set() to write out of bounds when converting the bitmap
to Xen's format.

* CVE-2025-58148. Hypercalls using any input format can cause
send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
vCPU pointer.

CVSS Score
7.5
High
EPSS Score
0.0
Exploit Probability
Published Date
2025-10-31
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.1% of all 321,566 vulnerabilities in our database.

#99,499
Above average severity
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: Oct 31, 2025
🔍 Exploitation Status
None
No known exploits
⚙ī¸ Automatable
NO
Requires human interaction
đŸ’Ĩ Technical Impact
Partial
Limited system impact
🏆 Discovered By
This issue was discovered by Teddy Astie of Vates
SSVC data provided by CISA
Last Modified 2026-01-14
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE IDs (Weakness Types)
CWE-125

đŸ“Ļ Affected Products 1

Vendor Product Status Affected Versions
xen xen Affected
≥ 4.15.0

🔗 References 3

https://xenbits.xenproject.org/xsa/advisory-475.html
Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/10/21/1
Mailing List Patch Third Party Advisory
http://xenbits.xen.org/xsa/advisory-475.html
Patch Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-23557 đŸ”ļ medium 6.5 - Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() tri... 2026-05-19
CVE-2026-23558 ⚠ī¸ high 7.8 - The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or ... 2026-05-19
CVE-2026-23554 ⚠ī¸ high 7.8 0.0 The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, ... 2026-03-23
CVE-2026-23555 ⚠ī¸ high 7.1 0.0 Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstor... 2026-03-23
CVE-2025-58150 ⚠ī¸ high 8.8 0.0 Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables... 2026-01-28
CVE-2026-23553 ℹī¸ low 2.9 0.0 In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the pr... 2026-01-28
These CVEs affect the same products