CVE-2025-58149

7.5 HIGH

📋 TL;DR

This Xen hypervisor vulnerability allows a guest domain to retain access to 64-bit memory BARs (Base Address Registers) after PCI device detachment, creating a permission leak. PV domains can directly map this memory, while HVM domains require a compromised device model. Affects Xen-based virtualization environments using PCI passthrough.

💻 Affected Systems

Products:
  • Xen Hypervisor
Versions: All versions up to and including 4.19.0
Operating Systems: Linux distributions with Xen (XenServer, Citrix Hypervisor, etc.)
Default Config Vulnerable: ✅ No
Notes: Only affects systems using PCI passthrough with 64-bit memory BAR devices that are detached from guest domains.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Privilege escalation allowing guest VMs to access host memory regions, potentially leading to host compromise, data exfiltration, or VM escape.

🟠 Likely Case

Guest VM memory corruption, information disclosure, or denial of service through unauthorized memory access.

🟢 If Mitigated

Limited impact if PCI passthrough is not used or if affected devices are not detached during runtime.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires guest VM access and PCI passthrough usage. PV domains have a simpler exploitation path than HVM domains.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Xen 4.19.1 and later

Vendor Advisory: https://xenbits.xenproject.org/xsa/advisory-476.html

Restart Required: Yes

Instructions:

1. Update Xen to version 4.19.1 or later.
2. Apply vendor-specific patches if using downstream distributions.
3. Reboot the hypervisor and affected guest VMs.

🔧 Temporary Workarounds

Disable PCI passthrough

Platform: linux

Prevent use of PCI device passthrough to vulnerable domains:

xl pci-assignable-remove <device_id>
xl pci-detach <domain> <device_id>

Avoid detaching PCI devices

Platform: all

Do not detach PCI devices with 64-bit memory BARs from running domains.

🧯 If You Can't Patch

  • Isolate affected systems from critical infrastructure
  • Monitor for unusual memory access patterns in guest VMs

🔍 How to Verify

Check if Vulnerable:

Check the Xen version with 'xl info' or 'xen-detect'. If the version is 4.19.0 or earlier and PCI passthrough is used, the system is vulnerable.

Check Version:

xl info | grep xen_version

Verify Fix Applied:

Verify that the Xen version is 4.19.1 or later with 'xl info', and check that no permission errors occur during PCI device detachment.
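The version check above can be scripted so it runs the same way on every dom0. The following POSIX shell snippet is an added example, not part of this advisory page: it reads `xl info`-style output, pulls out the `xen_version` field, and reports whether the version falls in the affected range (4.19.0 and earlier). The sample `xl info` text embedded in the block is constructed for offline use; on a real host, pipe `xl info` into `xen_version_from_info` instead. The field name `xen_version` is what current `xl info` output prints; adjust the filter if your build reports it differently.

```shell
#!/bin/sh
# Added example for the CVE-2025-58149 version check (not the advisory's own
# tooling). Decides whether a Xen version string is in the affected range
# (<= 4.19.0). Assumes `xl info` prints a line of the form
# "xen_version            : 4.19.0".

# Print the xen_version value from `xl info`-style text supplied on stdin.
# Default awk field splitting turns the line into: xen_version : 4.19.0
xen_version_from_info() {
    awk '$1 == "xen_version" { print $3; exit }'
}

# Return 0 if the given version is affected (<= 4.19.0), 1 if it is fixed,
# 2 if the string cannot be parsed as major.minor[.patch].
# Release suffixes such as "-rc1", "-pre" or "+dfsg" are dropped before the
# comparison; note that this treats a 4.19.1-pre build as fixed, which may be
# optimistic for pre-release snapshots.
xen_is_affected() {
    v=${1%%[-+]*}
    oldifs=$IFS
    IFS=.
    set -- $v            # word-split on "." into positional parameters
    IFS=$oldifs
    maj=$1; min=${2:-0}; pat=${3:-0}
    case "$maj$min$pat" in
        '' | *[!0-9]*) return 2 ;;   # empty or non-numeric component
    esac
    [ "$maj" -lt 4 ]  && return 0
    [ "$maj" -gt 4 ]  && return 1
    [ "$min" -lt 19 ] && return 0
    [ "$min" -gt 19 ] && return 1
    [ "$pat" -le 0 ]     # 4.19.0 and 4.19 are affected, 4.19.1+ are fixed
}

# Human-readable verdict for a version string; echoes one of three words.
xen_verdict() {
    if xen_is_affected "$1"; then
        echo "AFFECTED"
    elif [ $? -eq 1 ]; then
        echo "FIXED"
    else
        echo "UNPARSEABLE"
    fi
}

# Constructed sample of `xl info` output (only the relevant lines).
SAMPLE_XL_INFO='host                   : dom0.example
xen_major              : 4
xen_minor              : 19
xen_extra              : .0
xen_version            : 4.19.0
xen_commandline        : dom0_mem=4G'

# Stand-alone demonstration on the constructed sample. On a live dom0 use:
#   ver=$(xl info | xen_version_from_info)
ver=$(printf '%s\n' "$SAMPLE_XL_INFO" | xen_version_from_info)
echo "xen_version reported: $ver"
echo "CVE-2025-58149 status: $(xen_verdict "$ver")"
```

The check only answers the version question; the advisory's second condition, whether PCI passthrough is actually in use, still has to be confirmed separately (for example by listing assigned devices with `xl pci-list <domain>` for each running guest).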

📡 Detection & Monitoring

Log Indicators:

  • Xen hypervisor logs showing PCI device detachment events
  • Unexpected memory mapping operations in guest domains

Network Indicators:

  • Unusual inter-VM communication patterns if memory is shared

SIEM Query:

source="xen" AND "pci-detach" OR "BAR" AND "permission"
