CVE-2025-58145 (GCVE-0-2025-58145)

Vulnerability from cvelistv5 – Published: 2025-09-11 14:05 – Updated: 2025-11-04 21:13
VLAI?
Summary
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. This is CVE-2025-58145.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
XEN
References
Impacted products
Vendor Product Version
Xen Xen Unknown: consult Xen advisory XSA-473
Create a notification for this product.
Credits
This issue was discovered by Jan Beulich of SUSE.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58145",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-11T14:39:37.372975Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-362",
                "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-11T14:39:41.138Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:27.555Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://xenbits.xen.org/xsa/advisory-473.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/09/09/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-473"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Xen versions 4.12 and onwards are vulnerable.  Xen versions 4.11 and\nearlier are not vulnerable.\n\nOnly Arm systems are affected.  x86 systems are not affected."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by Jan Beulich of SUSE."
        }
      ],
      "datePublic": "2025-09-09T11:53:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are two issues related to the mapping of pages belonging to other\ndomains: For one, an assertion is wrong there, where the case actually\nneeds handling.  A NULL pointer de-reference could result on a release\nbuild.  This is CVE-2025-58144.\n\nAnd then the P2M lock isn\u0027t held until a page reference was actually\nobtained (or the attempt to do so has failed).  Otherwise the page can\nnot only change type, but even ownership in between, thus allowing\ndomain boundaries to be violated.  This is CVE-2025-58145."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An unprivileged guest can cause a hypervisor crash, causing a Denial of\nService (DoS) of the entire host.  Privilege escalation and information\nleaks cannot be ruled out."
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-11T14:05:36.380Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-473.html"
        }
      ],
      "title": "Arm issues with page refcounting",
      "workarounds": [
        {
          "lang": "en",
          "value": "There is no known mitigation."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2025-58145",
    "datePublished": "2025-09-11T14:05:36.380Z",
    "dateReserved": "2025-08-26T06:48:41.443Z",
    "dateUpdated": "2025-11-04T21:13:27.555Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-58145\",\"sourceIdentifier\":\"security@xen.org\",\"published\":\"2025-09-11T14:15:42.737\",\"lastModified\":\"2025-11-04T22:16:32.653\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"[This CNA information record relates to multiple CVEs; the\\ntext explains which aspects/vulnerabilities correspond to which CVE.]\\n\\nThere are two issues related to the mapping of pages belonging to other\\ndomains: For one, an assertion is wrong there, where the case actually\\nneeds handling.  A NULL pointer de-reference could result on a release\\nbuild.  This is CVE-2025-58144.\\n\\nAnd then the P2M lock isn\u0027t held until a page reference was actually\\nobtained (or the attempt to do so has failed).  Otherwise the page can\\nnot only change type, but even ownership in between, thus allowing\\ndomain boundaries to be violated.  This is CVE-2025-58145.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:xen:xen:*:*:*:*:*:*:arm:*\",\"versionStartIncluding\":\"4.12.0\",\"versionEndExcluding\":\"4.17.0\",\"matchCriteriaId\":\"9D45F922-4078-49EF-AE0D-C1A8CBBA0F2E\"}]}]}],\"references\":[{\"url\":\"https://xenbits.xenproject.org/xsa/advisory-473.html\",\"source\":\"security@xen.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/09/09/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://xenbits.xen.org/xsa/advisory-473.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://xenbits.xen.org/xsa/advisory-473.html\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2025/09/09/2\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-04T21:13:27.555Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-58145\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-11T14:39:37.372975Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-362\", \"description\": \"CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-11T14:29:42.377Z\"}}], \"cna\": {\"title\": \"Arm issues with page refcounting\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"This issue was discovered by Jan Beulich of SUSE.\"}], \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"An unprivileged guest can cause a hypervisor crash, causing a Denial of\\nService (DoS) of the entire host.  Privilege escalation and information\\nleaks cannot be ruled out.\"}]}], \"affected\": [{\"vendor\": \"Xen\", \"product\": \"Xen\", \"versions\": [{\"status\": \"unknown\", \"version\": \"consult Xen advisory XSA-473\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2025-09-09T11:53:00.000Z\", \"references\": [{\"url\": \"https://xenbits.xenproject.org/xsa/advisory-473.html\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"There is no known mitigation.\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"[This CNA information record relates to multiple CVEs; the\\ntext explains which aspects/vulnerabilities correspond to which CVE.]\\n\\nThere are two issues related to the mapping of pages belonging to other\\ndomains: For one, an assertion is wrong there, where the case actually\\nneeds handling.  A NULL pointer de-reference could result on a release\\nbuild.  This is CVE-2025-58144.\\n\\nAnd then the P2M lock isn\u0027t held until a page reference was actually\\nobtained (or the attempt to do so has failed).  Otherwise the page can\\nnot only change type, but even ownership in between, thus allowing\\ndomain boundaries to be violated.  This is CVE-2025-58145.\"}], \"configurations\": [{\"lang\": \"en\", \"value\": \"Xen versions 4.12 and onwards are vulnerable.  Xen versions 4.11 and\\nearlier are not vulnerable.\\n\\nOnly Arm systems are affected.  x86 systems are not affected.\"}], \"providerMetadata\": {\"orgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"shortName\": \"XEN\", \"dateUpdated\": \"2025-09-11T14:05:36.380Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-58145\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-04T21:13:27.555Z\", \"dateReserved\": \"2025-08-26T06:48:41.443Z\", \"assignerOrgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"datePublished\": \"2025-09-11T14:05:36.380Z\", \"assignerShortName\": \"XEN\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.