xen-4.20.1_08-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15719-1 Final 1 1 2025-11-07T00:00:00Z current 2025-11-07T00:00:00Z 2025-11-07T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z xen-4.20.1_08-1.1 on GA media These are all security issues fixed in the xen-4.20.1_08-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15719 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-58149/ SUSE CVE CVE-2025-58149 page openSUSE Tumbleweed xen-4.20.1_08-1.1 xen-devel-4.20.1_08-1.1 xen-doc-html-4.20.1_08-1.1 xen-libs-4.20.1_08-1.1 xen-tools-4.20.1_08-1.1 xen-tools-domU-4.20.1_08-1.1 xen-tools-xendomains-wait-disk-4.20.1_08-1.1 xen-4.20.1_08-1.1 as a component of openSUSE Tumbleweed xen-devel-4.20.1_08-1.1 as a component of openSUSE Tumbleweed xen-doc-html-4.20.1_08-1.1 as a component of openSUSE Tumbleweed xen-libs-4.20.1_08-1.1 as a component of openSUSE Tumbleweed xen-tools-4.20.1_08-1.1 as a component of openSUSE Tumbleweed xen-tools-domU-4.20.1_08-1.1 as a component of openSUSE Tumbleweed xen-tools-xendomains-wait-disk-4.20.1_08-1.1 as a component of openSUSE Tumbleweed When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the permission leak allows the domain itself to map the memory in the page-tables. For HVM it would require a compromised device model or stubdomain to map the leaked memory into the HVM domain p2m. CVE-2025-58149 openSUSE Tumbleweed:xen-4.20.1_08-1.1 openSUSE Tumbleweed:xen-devel-4.20.1_08-1.1 openSUSE Tumbleweed:xen-doc-html-4.20.1_08-1.1 openSUSE Tumbleweed:xen-libs-4.20.1_08-1.1 openSUSE Tumbleweed:xen-tools-4.20.1_08-1.1 openSUSE Tumbleweed:xen-tools-domU-4.20.1_08-1.1 openSUSE Tumbleweed:xen-tools-xendomains-wait-disk-4.20.1_08-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58149.html CVE-2025-58149 https://bugzilla.suse.com/1252692 SUSE Bug 1252692