VSA-2025-007: Intel microcode update
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2025-10-23 | 2025-10-23 | 🔴 Important | 7.3, 5.3 and 7.3 | XCP-ng 8.3 |
Several CVEs with high upstream scores were published by Intel. For Vates products, we classify the impact as Important, since some of these issues directly impact XCP-ng. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
An update to the Intel microcode repository was published. It covers 6 CVEs, 3 of which could impact XCP-ng.
Impact
Hosts running on some Intel CPUs are affected by potential privilege escalation vulnerabilities. To find out more about affected processor models, see the Intel Security Advisories linked in References.
- INTEL-SA-01249 / CVE-2025-20109 -- Improper isolation of stream cache mechanism could lead to privilege escalation on some Intel processors.
- INTEL-SA-01308 / CVE-2025-22840 -- Some sequences of processor instructions could lead to potential privilege escalation on some Intel Xeon 6 Scalable processors.
- INTEL-SA-01310 / CVE-2025-22839 -- Insufficient granularity of access control in the OOB-MSM can lead to privilege escalation via adjacent access in some Intel Xeon 6 Scalable processors. OOB-MSM is used for management, monitoring and telemetry.
The other Intel Security Advisories do not impact XCP-ng, as they target SGX and TDX, which are not supported.
Affected Versions
- XCP-ng 8.3 LTS: Fixed.
Mitigation
As far as we know, there are no mitigations for the CVEs impacting XCP-ng.
Regarding the SGX and TDX vulnerabilities, although they do not impact XCP-ng, it is still possible to disable the SGX and TDX features in your hosts' BIOS if you prefer to do so.
Resolution
Updated firmware is provided as a convenience to help mitigate hardware vulnerabilities and other bugs. Updating your hardware's firmware remains the preferred method for updating microcode, and any newer microcode found in the firmware will take precedence over the microcode provided in XCP-ng.
Update your machine's firmware, or update the intel-microcode package to at least version 20250715-1.xcpng8.3.
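One way to check a host against the fixed package version named above. This is an added example, not a script from Vates or XCP-ng. It assumes `rpm` is available on the host and GNU `sort -V` for version ordering; the function names and the `--check` flag are hypothetical.

```sh
#!/bin/sh
# Added example: compare the installed intel-microcode package with the
# fixed version given in this advisory.
FIXED="20250715-1.xcpng8.3"   # minimum version from the Resolution section

# at_least_fixed VERSION-RELEASE
# Returns 0 if the argument is >= FIXED, 1 if it is older, 2 if it is empty.
# Assumption: GNU `sort -V` ordering is used as an approximation of RPM
# version comparison, which is adequate for this date-based version scheme.
at_least_fixed() {
    [ -n "$1" ] || return 2
    oldest=$(printf '%s\n%s\n' "$FIXED" "$1" | sort -V | head -n 1)
    [ "$oldest" = "$FIXED" ]
}

# installed_version
# Prints VERSION-RELEASE of intel-microcode; returns 1 if it is not installed.
installed_version() {
    v=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' intel-microcode 2>/dev/null) || return 1
    printf '%s\n' "$v" | head -n 1
}

# check_host
# Reports whether this host carries at least the fixed package version.
check_host() {
    v=$(installed_version) || { echo "intel-microcode: package not installed"; return 2; }
    if at_least_fixed "$v"; then
        echo "OK: intel-microcode $v is at least $FIXED"
    else
        echo "UPDATE NEEDED: intel-microcode $v is older than $FIXED"
        return 1
    fi
}

# Run the host check only when asked, e.g.: sh check-microcode.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

The script checks only the packaged microcode; as stated above, newer microcode shipped in the machine's firmware takes precedence over it.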