Cyber Resilience

CVE-2025-58150

High

Published: 28 January 2026
Modified: 09 February 2026
KEV Added: not listed
Patch: 27 January 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0013 (2.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-58150 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Xen. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611). The CVE ranks at the 2.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-58150 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) classified as CWE-787 (Out-of-bounds Write) affecting the Xen hypervisor. The flaw resides in the shadow mode tracing code, which relies on per-CPU variables to minimize parameter passing overhead. These variables can be overwritten with guest-controlled data using a guest-controllable size that exceeds the variable's bounds, as the code lacks proper write bounding.

A local attacker with low privileges (PR:L), such as within a guest domain, can exploit this vulnerability with low attack complexity and no user interaction required. The changed scope (S:C) enables escalation to impact the host, achieving high confidentiality, integrity, and availability effects through the out-of-bounds write.

Xen Security Advisory 477 details mitigations and patches, available at https://xenbits.xenproject.org/xsa/advisory-477.html and http://xenbits.xen.org/xsa/advisory-477.html, along with related announcements such as http://www.openwall.com/lists/oss-security/2026/01/27/1.
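
The missing bound described in this analysis, modelled in C as an added example; it is not Xen source code and not the advisory's patch. The structure, the function names, the 8-byte slot size and the choice to clamp oversized requests are assumptions made for illustration, and the guest input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_CPUS         4   /* assumed CPU count for this model */
#define TRACE_VAL_BYTES 8   /* assumed capacity of the per-CPU slot */

/* Hypothetical per-CPU trace state. `neighbour` stands in for whatever
 * hypervisor data sits next to the slot and would be hit by an overrun. */
struct percpu_trace {
    uint8_t  val[TRACE_VAL_BYTES];
    uint64_t neighbour;
};

static struct percpu_trace trace_state[NR_CPUS];

/* Unbounded pattern: `len` is chosen by the guest and trusted as-is.
 * Any len > TRACE_VAL_BYTES writes past `val` (CWE-787). */
void trace_store_unbounded(unsigned int cpu, const void *guest, size_t len)
{
    memcpy(trace_state[cpu].val, guest, len);
}

/* Bounded pattern: the destination size, not the guest, limits the copy.
 * Returns the number of bytes stored; 0 for an invalid CPU index. */
size_t trace_store_bounded(unsigned int cpu, const void *guest, size_t len)
{
    if (cpu >= NR_CPUS)
        return 0;
    if (len > sizeof(trace_state[cpu].val))
        len = sizeof(trace_state[cpu].val);   /* clamp oversized requests */
    memcpy(trace_state[cpu].val, guest, len);
    return len;
}

int main(void)
{
    uint8_t guest[32];                         /* constructed guest input */
    memset(guest, 0x41, sizeof(guest));
    trace_state[0].neighbour = 0x1122334455667788ULL;

    size_t stored = trace_store_bounded(0, guest, sizeof(guest));
    printf("stored %zu of %zu bytes, neighbour %s\n", stored, sizeof(guest),
           trace_state[0].neighbour == 0x1122334455667788ULL
               ? "intact" : "corrupted");
    return 0;
}
```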

EU & UK References

Vulnerability details

Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1611 Escape to Host (tactic: Privilege Escalation)
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The out-of-bounds write in the Xen hypervisor's shadow mode tracing code enables guest-to-host escape through direct exploitation of the virtualization layer, matching Escape to Host and Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23554 (same product: Xen)
CVE-2026-23555 (same product: Xen)
CVE-2026-23558 (same product: Xen)
CVE-2026-25259 (shared CWE-787)
CVE-2016-20044 (shared CWE-787)
CVE-2026-23326 (shared CWE-787)
CVE-2024-43077 (shared CWE-787)
CVE-2024-53697 (shared CWE-787)
CVE-2025-20890 (shared CWE-787)
CVE-2026-23073 (shared CWE-787)

Affected Assets

xen
xen
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation and bounding of guest-controlled data sizes before writing to per-CPU variables, directly preventing the out-of-bounds write in shadow mode tracing code.

prevent

Implements memory protection mechanisms that mitigate exploitation of out-of-bounds writes corrupting hypervisor per-CPU variables from guest domains.

prevent

Mandates timely patching of the specific Xen hypervisor flaw as detailed in Xen Security Advisory 477 to remediate the missing bounds checking.

References