Security update for xen SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0328-1 Final 1 1 2026-01-28T15:39:28Z current 2026-01-28T15:39:28Z 2026-01-28T15:39:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xen This update for xen fixes the following issues: Security fixes: - CVE-2025-58150: Fixed buffer overrun with shadow paging and tracing (XSA-477) (bsc#1256745) - CVE-2026-23553: Fixed incomplete IBPB for vCPU isolation (XSA-479) (bsc#1256747) - CVE-2025-58149: Fixed incorrect removal od permissions on PCI device unplug allow PV guests to access memory of devices no longer assigned to it (XSA-476) (bsc#1252692) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-328,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-328 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260328-1/ Link for SUSE-SU-2026:0328-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023973.html E-Mail link for SUSE-SU-2026:0328-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1252692 SUSE Bug 1252692 https://bugzilla.suse.com/1256745 SUSE Bug 1256745 https://bugzilla.suse.com/1256747 SUSE Bug 1256747 https://www.suse.com/security/cve/CVE-2025-58149/ SUSE CVE CVE-2025-58149 page https://www.suse.com/security/cve/CVE-2025-58150/ SUSE CVE CVE-2025-58150 page https://www.suse.com/security/cve/CVE-2026-23553/ SUSE CVE CVE-2026-23553 page SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 xen-4.12.4_64-3.137.1 xen-devel-4.12.4_64-3.137.1 xen-doc-html-4.12.4_64-3.137.1 xen-libs-4.12.4_64-3.137.1 xen-libs-32bit-4.12.4_64-3.137.1 xen-libs-64bit-4.12.4_64-3.137.1 xen-tools-4.12.4_64-3.137.1 xen-tools-domU-4.12.4_64-3.137.1 xen-4.12.4_64-3.137.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 xen-devel-4.12.4_64-3.137.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 xen-doc-html-4.12.4_64-3.137.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 xen-libs-4.12.4_64-3.137.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 xen-libs-32bit-4.12.4_64-3.137.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 xen-tools-4.12.4_64-3.137.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 xen-tools-domU-4.12.4_64-3.137.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the permission leak allows the domain itself to map the memory in the page-tables. For HVM it would require a compromised device model or stubdomain to map the leaked memory into the HVM domain p2m. CVE-2025-58149 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-devel-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-doc-html-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-libs-32bit-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-libs-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-tools-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-tools-domU-4.12.4_64-3.137.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260328-1/ https://www.suse.com/security/cve/CVE-2025-58149.html CVE-2025-58149 https://bugzilla.suse.com/1252692 SUSE Bug 1252692 Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing. CVE-2025-58150 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-devel-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-doc-html-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-libs-32bit-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-libs-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-tools-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-tools-domU-4.12.4_64-3.137.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260328-1/ https://www.suse.com/security/cve/CVE-2025-58150.html CVE-2025-58150 https://bugzilla.suse.com/1256745 SUSE Bug 1256745 In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB. CVE-2026-23553 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-devel-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-doc-html-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-libs-32bit-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-libs-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-tools-4.12.4_64-3.137.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-tools-domU-4.12.4_64-3.137.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260328-1/ https://www.suse.com/security/cve/CVE-2026-23553.html CVE-2026-23553 https://bugzilla.suse.com/1256747 SUSE Bug 1256747