{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-27466","assignerOrgId":"23aa2041-22e1-471f-9209-9b7396fa234f","state":"PUBLISHED","assignerShortName":"XEN","dateReserved":"2025-02-26T09:16:54.462Z","datePublished":"2025-09-11T14:05:29.525Z","dateUpdated":"2025-11-04T21:09:51.419Z"},"containers":{"cna":{"title":"Mutiple vulnerabilities in the Viridian interface","datePublic":"2025-09-09T11:53:00.000Z","descriptions":[{"lang":"en","value":"[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nThere are multiple issues related to the handling and accessing of guest\nmemory pages in the viridian code:\n\n 1. A NULL pointer dereference in the updating of the reference TSC area.\n    This is CVE-2025-27466.\n\n 2. A NULL pointer dereference by assuming the SIM page is mapped when\n    a synthetic timer message has to be delivered.  This is\n    CVE-2025-58142.\n\n 3. A race in the mapping of the reference TSC page, where a guest can\n    get Xen to free a page while still present in the guest physical to\n    machine (p2m) page tables.  This is CVE-2025-58143."}],"impacts":[{"descriptions":[{"lang":"en","value":"Denial of Service (DoS) affecting the entire host, information leaks, or\nelevation of privilege."}]}],"affected":[{"defaultStatus":"unknown","product":"Xen","vendor":"Xen","versions":[{"status":"unknown","version":"consult Xen advisory XSA-472"}]}],"configurations":[{"lang":"en","value":"Xen versions 4.13 and newer are vulnerable.  Xen versions 4.12 and older\nare not vulnerable.\n\nOnly x86 HVM guests which have the reference_tsc or stimer viridian\nextensions enabled are vulnerable."}],"workarounds":[{"lang":"en","value":"Not enabling the reference_tsc and stimer viridian extensions will avoid\nthe issues."}],"credits":[{"lang":"en","type":"finder","value":"This issue was discovered by Roger Pau Monné of XenServer."}],"references":[{"url":"https://xenbits.xenproject.org/xsa/advisory-472.html"}],"providerMetadata":{"orgId":"23aa2041-22e1-471f-9209-9b7396fa234f","shortName":"XEN","dateUpdated":"2025-09-11T14:05:29.525Z"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-395","lang":"en","description":"CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.8,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-09-11T14:25:53.637084Z","id":"CVE-2025-27466","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-09-11T14:40:33.401Z"}},{"title":"CVE Program Container","references":[{"url":"http://xenbits.xen.org/xsa/advisory-472.html"},{"url":"http://www.openwall.com/lists/oss-security/2025/09/09/1"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-04T21:09:51.419Z"}}]}}