Security update for xen SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:03172-1 Final 1 1 2025-09-11T12:54:02Z current 2025-09-11T12:54:02Z 2025-09-11T12:54:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xen This update for xen fixes the following issues: Security issues fixed: - CVE-2025-27466: NULL pointer dereference in the Viridian interface when updating the reference TSC area (bsc#1248807). - CVE-2025-58142: NULL pointer dereference in the Viridian interface due to assumption that the SIM page is mapped when a synthetic timer message has to be delivered (bsc#1248807). - CVE-2025-58143: information leak and reference counter underflow in the Viridian interface due to race in the mapping of the reference TSC page (bsc#1248807). Other issues fixed: - efi: Call FreePages() only if needed (bsc#1027519). - x86/hpet: do local APIC EOI after interrupt processing (bsc#1027519). - x86/hvm/ioreq: Fix condition in hvm_alloc_legacy_ioreq_gfn() (bsc#1027519). - x86/idle: Fix the C6 eoi_errata[] list to include NEHALEM_EX (bsc#1027519). - x86/iommu: setup MMCFG ahead of IOMMU (bsc#1027519). - x86/mce: Adjustments to intel_init_ppin() (bsc#1027519). - x86/mkelf32: pad load segment to 2Mb boundary (bsc#1027519). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-3172,SUSE-SLE-Module-Basesystem-15-SP7-2025-3172,SUSE-SLE-Module-Server-Applications-15-SP7-2025-3172 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202503172-1/ Link for SUSE-SU-2025:03172-1 https://lists.suse.com/pipermail/sle-updates/2025-September/041661.html E-Mail link for SUSE-SU-2025:03172-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1027519 SUSE Bug 1027519 https://bugzilla.suse.com/1248807 SUSE Bug 1248807 https://www.suse.com/security/cve/CVE-2025-27466/ SUSE CVE CVE-2025-27466 page https://www.suse.com/security/cve/CVE-2025-58142/ SUSE CVE CVE-2025-58142 page https://www.suse.com/security/cve/CVE-2025-58143/ SUSE CVE CVE-2025-58143 page SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Module for Server Applications 15 SP7 xen-4.20.1_04-150700.3.11.1 xen-devel-4.20.1_04-150700.3.11.1 xen-doc-html-4.20.1_04-150700.3.11.1 xen-libs-4.20.1_04-150700.3.11.1 xen-libs-32bit-4.20.1_04-150700.3.11.1 xen-libs-64bit-4.20.1_04-150700.3.11.1 xen-tools-4.20.1_04-150700.3.11.1 xen-tools-domU-4.20.1_04-150700.3.11.1 xen-tools-xendomains-wait-disk-4.20.1_04-150700.3.11.1 xen-libs-4.20.1_04-150700.3.11.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 xen-tools-domU-4.20.1_04-150700.3.11.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 xen-4.20.1_04-150700.3.11.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP7 xen-devel-4.20.1_04-150700.3.11.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP7 xen-tools-4.20.1_04-150700.3.11.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP7 xen-tools-xendomains-wait-disk-4.20.1_04-150700.3.11.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP7 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143. CVE-2025-27466 SUSE Linux Enterprise Module for Basesystem 15 SP7:xen-libs-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:xen-tools-domU-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:xen-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:xen-devel-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:xen-tools-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:xen-tools-xendomains-wait-disk-4.20.1_04-150700.3.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503172-1/ https://www.suse.com/security/cve/CVE-2025-27466.html CVE-2025-27466 https://bugzilla.suse.com/1248807 SUSE Bug 1248807 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143. CVE-2025-58142 SUSE Linux Enterprise Module for Basesystem 15 SP7:xen-libs-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:xen-tools-domU-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:xen-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:xen-devel-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:xen-tools-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:xen-tools-xendomains-wait-disk-4.20.1_04-150700.3.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503172-1/ https://www.suse.com/security/cve/CVE-2025-58142.html CVE-2025-58142 https://bugzilla.suse.com/1248807 SUSE Bug 1248807 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143. CVE-2025-58143 SUSE Linux Enterprise Module for Basesystem 15 SP7:xen-libs-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:xen-tools-domU-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:xen-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:xen-devel-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:xen-tools-4.20.1_04-150700.3.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:xen-tools-xendomains-wait-disk-4.20.1_04-150700.3.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503172-1/ https://www.suse.com/security/cve/CVE-2025-58143.html CVE-2025-58143 https://bugzilla.suse.com/1248807 SUSE Bug 1248807