Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2025-58150
PUBLISHED
More InfoOfficial Page
Assigner-XEN
Assigner Org ID-23aa2041-22e1-471f-9209-9b7396fa234f
View Known Exploited Vulnerability (KEV) details
Published At-28 Jan, 2026 | 15:33
Updated At-28 Jan, 2026 | 16:46
Rejected At-
▼CVE Numbering Authority (CNA)
x86: buffer overrun with shadow paging + tracing

Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.

Affected Products
Vendor
Xen ProjectXen
Product
Xen
Default Status
unknown
Versions

unknown

  • consult Xen advisory XSA-477
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
N/AThe exact effects depend on what's adjacent to the variables in question. The most likely effects are bogus trace data, but none of privilege escalation, information leaks, or Denial of Service (DoS) can be excluded without detailed analysis of the particular build of Xen.
CAPEC ID: N/A
Description: The exact effects depend on what's adjacent to the variables in question. The most likely effects are bogus trace data, but none of privilege escalation, information leaks, or Denial of Service (DoS) can be excluded without detailed analysis of the particular build of Xen.
Solutions
Configurations

Only x86 systems are vulnerable. Arm systems are not vulnerable. Only HVM guests running in shadow paging mode and with tracing enabled can leverage the vulnerability.

Workarounds

Running HVM guests in HAP mode only will avoid the vulnerability. Not enabling tracing will also avoid the vulnerability. Tracing is enabled by the "tbuf_size=" command line option, or by running tools like xentrace or xenbaked in Dom0. Note that on a running system stopping xentrace / xenbaked would disable tracing. For xentrace, however, this additionally requires that it wasn't started with the -x option. Stopping previously enabled tracing can of course only prevent future damage; prior damage may have occurred and may manifest only later.

Exploits
Credits
finder
This issue was discovered by Jan Beulich of SUSE.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://xenbits.xenproject.org/xsa/advisory-477.html
N/A
Hyperlink: https://xenbits.xenproject.org/xsa/advisory-477.html
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.openwall.com/lists/oss-security/2026/01/27/1
N/A
http://xenbits.xen.org/xsa/advisory-477.html
N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/01/27/1
Resource: N/A
Hyperlink: http://xenbits.xen.org/xsa/advisory-477.html
Resource: N/A
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-787CWE-787 Out-of-bounds Write
Type: CWE
CWE ID: CWE-787
Description: CWE-787 Out-of-bounds Write
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found