Cyber Posture

CVE-2025-58150

High

Published: 28 January 2026
Modified: 09 February 2026
KEV Added: not listed
Patch: 27 January 2026
CVSS Score: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.4th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-58150 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Xen hypervisor. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611). The EPSS score places it at the 4.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Escape to Host (T1611) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires validation and bounding of guest-controlled data sizes before writing to per-CPU variables, directly preventing the out-of-bounds write in shadow mode tracing code.

Prevent: Implements memory protection mechanisms that mitigate exploitation of out-of-bounds writes corrupting hypervisor per-CPU variables from guest domains.

Prevent: Mandates timely patching of the specific Xen hypervisor flaw as detailed in Xen Security Advisory 477 to remediate the missing bounds checking.

MITRE ATT&CK Enterprise Techniques (AI)

T1611 Escape to Host (tactic: Privilege Escalation)
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

An out-of-bounds write in the Xen hypervisor's shadow mode tracing code enables guest-to-host escape through direct exploitation of the virtualization layer, matching Escape to Host and Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.

Deeper analysis (AI)

CVE-2025-58150 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) classified as CWE-787 (Out-of-bounds Write) affecting the Xen hypervisor. The flaw resides in the shadow mode tracing code, which relies on per-CPU variables to minimize parameter passing overhead. These variables can be overwritten with guest-controlled data using a guest-controllable size that exceeds the variable's bounds, as the code lacks proper write bounding.

A local attacker with low privileges (PR:L), such as within a guest domain, can exploit this vulnerability with low attack complexity and no user interaction required. The changed scope (S:C) enables escalation to impact the host, achieving high confidentiality, integrity, and availability effects through the out-of-bounds write.

Xen Security Advisory 477 details mitigations and patches, available at https://xenbits.xenproject.org/xsa/advisory-477.html and http://xenbits.xen.org/xsa/advisory-477.html, along with related announcements such as http://www.openwall.com/lists/oss-security/2026/01/27/1.

Details

CWE(s): CWE-787 (Out-of-bounds Write)

Affected Products

xen xen (all versions)

CVEs Like This One

CVE-2026-23554: same product (Xen)
CVE-2026-23555: same product (Xen)
CVE-2025-20890: shared CWE-787
CVE-2025-20888: shared CWE-787
CVE-2026-0117: shared CWE-787
CVE-2024-53833: shared CWE-787
CVE-2026-0010: shared CWE-787
CVE-2026-31743: shared CWE-787
CVE-2025-22225: shared CWE-787
CVE-2025-47373: shared CWE-787

References