Π›ΠΎΠ³ΠΎΡ‚ΠΈΠΏ exploitDog
Консоль
Π›ΠΎΠ³ΠΎΡ‚ΠΈΠΏ exploitDog

exploitDog

suse-cvrf Π»ΠΎΠ³ΠΎΡ‚ΠΈΠΏ

SUSE-SU-2026:0328-1

ΠžΠΏΡƒΠ±Π»ΠΈΠΊΠΎΠ²Π°Π½ΠΎ: 28 янв. 2026
Π˜ΡΡ‚ΠΎΡ‡Π½ΠΈΠΊ: suse-cvrf

ОписаниС

Security update for xen

This update for xen fixes the following issues:

Security fixes:

  • CVE-2025-58150: Fixed buffer overrun with shadow paging and tracing (XSA-477) (bsc#1256745)
  • CVE-2026-23553: Fixed incomplete IBPB for vCPU isolation (XSA-479) (bsc#1256747)
  • CVE-2025-58149: Fixed incorrect removal od permissions on PCI device unplug allow PV guests to access memory of devices no longer assigned to it (XSA-476) (bsc#1252692)

Бписок ΠΏΠ°ΠΊΠ΅Ρ‚ΠΎΠ²

SUSE Linux Enterprise Server LTSS Extended Security 12 SP5
xen-4.12.4_64-3.137.1
xen-devel-4.12.4_64-3.137.1
xen-doc-html-4.12.4_64-3.137.1
xen-libs-4.12.4_64-3.137.1
xen-libs-32bit-4.12.4_64-3.137.1
xen-tools-4.12.4_64-3.137.1
xen-tools-domU-4.12.4_64-3.137.1

Бсылки

ОписаниС

When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the permission leak allows the domain itself to map the memory in the page-tables. For HVM it would require a compromised device model or stubdomain to map the leaked memory into the HVM domain p2m.

Π—Π°Ρ‚Ρ€ΠΎΠ½ΡƒΡ‚Ρ‹Π΅ ΠΏΡ€ΠΎΠ΄ΡƒΠΊΡ‚Ρ‹
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-4.12.4_64-3.137.1
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-devel-4.12.4_64-3.137.1
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-doc-html-4.12.4_64-3.137.1
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-libs-32bit-4.12.4_64-3.137.1
Бсылки

ОписаниС

Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.

Π—Π°Ρ‚Ρ€ΠΎΠ½ΡƒΡ‚Ρ‹Π΅ ΠΏΡ€ΠΎΠ΄ΡƒΠΊΡ‚Ρ‹
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-4.12.4_64-3.137.1
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-devel-4.12.4_64-3.137.1
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-doc-html-4.12.4_64-3.137.1
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-libs-32bit-4.12.4_64-3.137.1
Бсылки

ОписаниС

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.

Π—Π°Ρ‚Ρ€ΠΎΠ½ΡƒΡ‚Ρ‹Π΅ ΠΏΡ€ΠΎΠ΄ΡƒΠΊΡ‚Ρ‹
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-4.12.4_64-3.137.1
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-devel-4.12.4_64-3.137.1
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-doc-html-4.12.4_64-3.137.1
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:xen-libs-32bit-4.12.4_64-3.137.1
Бсылки
Π£ΡΠ·Π²ΠΈΠΌΠΎΡΡ‚ΡŒ SUSE-SU-2026:0328-1