VSA-2025-006: XSA-475 - Xen Vulnerabilities
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2025-10-21 | 2025-10-23 | ⚫ Critical | Not available yet | XCP-ng 8.3 |
An XSA and associated CVEs were published. For Vates products, we classify the impact as Critical, as our LTS products are directly impacted. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
The Xen project recently disclosed multiple vulnerabilities affecting various versions of the Xen hypervisor. These vulnerabilities could potentially allow for privilege escalation, denial of service, or information disclosure.
Impact
Xen
All hosts running VMs with Viridian features enabled are vulnerable. These settings are enabled by default on VMs based on Windows templates.
Affected Versions
- XCP-ng 8.3 LTS: Fixed.
Mitigation
Xen
Not enabling Viridian avoids the issues. If a VM does not need it, you can disable it while waiting for a fix.
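To find which VMs on a host would be exposed, the following audit script (an added example, not part of this advisory or of XCP-ng's own tooling) parses the output of `xe vm-list params=uuid,name-label,power-state,platform` and lists every VM whose platform map sets `viridian: true`; it assumes the `xe` CLI and the `platform:viridian` key behave as on XCP-ng 8.3, and runs on a constructed sample when `xe` is not present.

```shell
#!/bin/sh
# Added example for VSA-2025-006 / XSA-475 (not Vates' code): audit VMs for
# the Viridian platform flag. On a live host:
#   xe vm-list params=uuid,name-label,power-state,platform | viridian_enabled_vms
# Remediation per the advisory, for a VM that does not need Viridian (takes
# effect at the VM's next start):
#   xe vm-param-set uuid=<vm-uuid> platform:viridian=false

# Constructed sample of `xe vm-list` output so the script runs offline.
SAMPLE_XE_OUTPUT='uuid ( RO)           : 11111111-aaaa-bbbb-cccc-000000000001
          name-label ( RW): win2022-app
         power-state ( RO): running
            platform (MRW): device_id: 0002; viridian: true; nx: true


uuid ( RO)           : 11111111-aaaa-bbbb-cccc-000000000002
          name-label ( RW): debian-web
         power-state ( RO): running
            platform (MRW): viridian: false; nx: true


uuid ( RO)           : 11111111-aaaa-bbbb-cccc-000000000003
          name-label ( RW): win11-test
         power-state ( RO): halted
            platform (MRW): viridian: true; timeoffset: 0
'

# Reads xe vm-list records on stdin; prints "uuid<TAB>name-label<TAB>power-state"
# for each VM whose platform map explicitly sets viridian to true (the value
# Windows templates set). Records start at a "uuid ( RO)" line.
viridian_enabled_vms() {
    awk '
        function flush() {
            if (uuid != "" && viridian) printf "%s\t%s\t%s\n", uuid, name, state
            uuid = ""; name = ""; state = ""; viridian = 0
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)                       # drop xe indentation
            if (line ~ /^uuid \(/)        { flush(); uuid = line;  sub(/^[^:]*: */, "", uuid);  next }
            if (line ~ /^name-label \(/)  { name = line;  sub(/^[^:]*: */, "", name);  next }
            if (line ~ /^power-state \(/) { state = line; sub(/^[^:]*: */, "", state); next }
            if (line ~ /^platform \(/ && line ~ /viridian: *true/) viridian = 1
        }
        END { flush() }
    '
}

# Use the live host when xe is available, otherwise the constructed sample.
if command -v xe >/dev/null 2>&1; then
    xe vm-list params=uuid,name-label,power-state,platform | viridian_enabled_vms
else
    printf '%s' "$SAMPLE_XE_OUTPUT" | viridian_enabled_vms
fi
```

The listed VMs are the ones the advisory's mitigation applies to; a VM whose platform map omits the key is not reported, so review those separately if your templates differ.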
Resolution
As of 2025-10-23, the packages for these components have been updated in the official XCP-ng repositories. Users are strongly encouraged to update their systems as soon as possible.
List of packages fixing these issues:
- XCP-ng 8.3:
xen-4.17.5-20.2.xcpng8.3
Credits
This issue was discovered, reported and patched by Teddy Astie of Vates. Thanks to the Xen Project for handling the disclosure and integrating the patches.