VSA-2025-002: Xen and XAPI Vulnerabilities
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2025-09-11 | 2025-09-11 | ⚫ Critical | Not available yet | XCP-ng 8.2 and 8.3 |
Several XSAs and their associated CVEs were published. For Vates products, we classify the impact as Critical, as our LTS products are directly impacted. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
The Xen project recently disclosed multiple vulnerabilities affecting various versions of the Xen hypervisor and XAPI. These vulnerabilities could potentially allow for privilege escalation, denial of service, or information disclosure.
Impact
Xen
All hosts running VMs with the viridian_reference_tsc or viridian_stimer platform features enabled are vulnerable. These settings are enabled by default on VMs based on Windows templates.
XAPI
All XCP-ng hosts are managed through XAPI and are therefore vulnerable. Incompatibilities in UTF-8 handling can lead to a denial of service of the host from an authenticated XAPI user or from privileged code inside a guest.
Affected Versions
- XCP-ng 8.2 LTS: Affected by the Xen vulnerabilities, deemed unlikely to be exploitable for the XAPI vulnerabilities.
- XCP-ng 8.3 LTS: Affected.
Mitigation
Xen
VMs can be configured to disable the affected platform features. This can be achieved with these commands:
xe vm-param-set uuid=<vm uuid> platform:viridian_reference_tsc=false
xe vm-param-set uuid=<vm uuid> platform:viridian_stimer=false
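Because the two features are on by default for Windows-template VMs, a host usually has more than one VM to check. The script below is an added example, not code from the advisory or from XCP-ng: it walks every VM on the host, reports the ones that still have viridian_reference_tsc or viridian_stimer enabled and, when run with --fix, applies the two xe vm-param-set commands above to exactly those VMs. It assumes that "xe vm-param-get ... param-name=platform" prints the platform map in the usual xe map form "key: value; key: value"; the file name audit_viridian.sh and the VSA_AUDIT_RUN variable are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Vates advisory or XCP-ng itself: audit every
# VM on an XCP-ng host for the viridian_reference_tsc / viridian_stimer
# platform features named in VSA-2025-002 and, when run with --fix, turn them
# off with the same "xe vm-param-set" commands the advisory gives.
#
# Assumption: "xe vm-param-get ... param-name=platform" prints the platform map
# in the usual xe map format, "key: value; key: value".

FEATURES="viridian_reference_tsc viridian_stimer"

# platform_feature_enabled PLATFORM_MAP FEATURE
# Returns 0 when FEATURE appears in the map with the value true, 1 otherwise.
platform_feature_enabled() {
    pmap=$1
    pfeat=$2
    # One "key: value" pair per line, surrounding whitespace trimmed, then an
    # exact whole-line match so "viridian: true" cannot match "viridian_stimer".
    printf '%s\n' "$pmap" \
        | tr ';' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qx "${pfeat}: true"
}

# exposed_features PLATFORM_MAP
# Prints the subset of FEATURES that is enabled in the map, space separated
# (prints nothing when the VM is not exposed).
exposed_features() {
    out=""
    for f in $FEATURES; do
        if platform_feature_enabled "$1" "$f"; then
            out="$out $f"
        fi
    done
    printf '%s' "${out# }"
}

# audit_host [--fix]
# Walks every real VM (no control domain, templates or snapshots), reports
# the ones that still have a risky feature enabled and, with --fix, disables
# it. The new platform values apply the next time each VM is started.
audit_host() {
    mode=$1
    uuids=$(xe vm-list is-control-domain=false is-a-template=false \
                is-a-snapshot=false --minimal | tr ',' ' ')
    for uuid in $uuids; do
        pm=$(xe vm-param-get uuid="$uuid" param-name=platform)
        exposed=$(exposed_features "$pm")
        if [ -n "$exposed" ]; then
            name=$(xe vm-param-get uuid="$uuid" param-name=name-label)
            echo "$uuid ($name): enabled -> $exposed"
            if [ "$mode" = "--fix" ]; then
                for f in $exposed; do
                    xe vm-param-set uuid="$uuid" "platform:${f}=false"
                done
            fi
        fi
    done
}

# Talk to xe only when explicitly asked, so the helpers above can be sourced
# and exercised offline (e.g. VSA_AUDIT_RUN=1 ./audit_viridian.sh --fix).
if [ "${VSA_AUDIT_RUN:-0}" = "1" ]; then
    audit_host "$1"
fi
```

Run it once without --fix on the pool master to see which VMs are exposed, then with --fix; the platform change only takes effect when a VM is next started, so a reboot of the affected Windows guests is still needed before the workaround is in force, and updating to the fixed xen package in the Resolution section remains the real fix.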
XAPI
There are no mitigations.
Resolution
As of 2025-09-11, the packages for these components have been updated in the official XCP-ng repositories. Users are strongly encouraged to update their systems as soon as possible.
List of packages fixing these issues:
- XCP-ng 8.2:
xen-4.13.5-9.49.4.xcpng8.2
- XCP-ng 8.3:
xen-4.17.5-15.3.xcpng8.3
xapi-25.6.0-1.12.xcpng8.3
Credits
Thanks to Xen Project and the XAPI team for their work on these vulnerabilities and the patches to fix them.