
September 2025 Security Update for XCP-ng 8.2 LTS

Security Sep 11, 2025

New security updates are available for XCP-ng 8.2 LTS addressing the vulnerabilities described in Vates Security Advisory VSA-2025-002.

To update, follow this guide. You can also join the discussion on our community forum.
Host reboots are necessary after this update.

📋 Summary

This update primarily brings a security patch described below.

Since this includes a fix for a security vulnerability, all users are strongly advised to update their hosts as soon as possible.

🔒 Security Updates

Xen

Description

Multiple vulnerabilities were discovered in Xen's Viridian feature, which provides Microsoft Hyper-V-compatible enlightenments for guest VMs, especially Windows.

These vulnerabilities could be used by guest VMs to hang or crash the host.

Affected components

XCP-ng 8.2 hosts running Xen versions older than 4.13.5-9.49.4 are affected.

These vulnerabilities are reachable from guest VMs with the viridian_reference_tsc or viridian_stimer platform features enabled. These settings are enabled by default on VMs based on Windows templates.

Fix

Update Xen to version 4.13.5-9.49.4 or later.

A workaround is available for those who can't patch: disabling the reference_tsc and stimer Viridian extensions avoids the issues.

For all VMs with Viridian enabled:

xe vm-param-set uuid=<vm uuid> platform:viridian_reference_tsc=false
xe vm-param-set uuid=<vm uuid> platform:viridian_stimer=false

You will then need to reboot the affected VM.
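
As an added example (not Vates' own tooling), the script below reports which guest VMs still need this workaround and can apply it to them. It assumes it runs in dom0 with `xe` available and that `xe vm-param-get param-name=platform` prints the map as `key: value; key: value`; the function names, the `--audit`/`--apply` arguments and the sample strings are constructed for illustration.

```sh
#!/bin/sh
# Added example: find guest VMs that still need the Viridian workaround.
# Assumption: run in dom0; XE may point at a stub for offline testing.
XE="${XE:-xe}"

# Constructed samples of a platform map as "key: value; key: value".
SAMPLE_EXPOSED='timeoffset: 0; viridian: true; viridian_reference_tsc: true; viridian_stimer: true'
SAMPLE_MITIGATED='timeoffset: 0; viridian: true; viridian_reference_tsc: false; viridian_stimer: false'

# Print the value of key $2 from platform map $1 (empty if the key is absent).
platform_get() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^ *$2: *//p" | head -n 1
}

# Exit 0 when Viridian is enabled and either extension is not explicitly
# "false", i.e. the workaround has not been fully applied to this VM.
needs_workaround() {
    [ "$(platform_get "$1" viridian)" = "true" ] || return 1
    for key in viridian_reference_tsc viridian_stimer; do
        [ "$(platform_get "$1" "$key")" = "false" ] || return 0
    done
    return 1
}

# Print the UUID of every guest VM needing the workaround; with --apply,
# also set both keys to false (each VM must still be rebooted afterwards).
audit_vms() {
    for uuid in $("$XE" vm-list is-control-domain=false params=uuid --minimal | tr ',' ' '); do
        platform=$("$XE" vm-param-get uuid="$uuid" param-name=platform)
        needs_workaround "$platform" || continue
        echo "$uuid"
        if [ "${1:-}" = "--apply" ]; then
            "$XE" vm-param-set uuid="$uuid" platform:viridian_reference_tsc=false
            "$XE" vm-param-set uuid="$uuid" platform:viridian_stimer=false
        fi
    done
}

# Nothing runs unless asked: "--audit" only reports, "--apply" also changes VMs.
case "${1:-}" in
    --audit) audit_vms ;;
    --apply) audit_vms --apply ;;
esac
```

A VM whose keys are missing is reported as well, since only an explicit `false` counts as mitigated here.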

References: XSA-472, CVE-2025-27466, CVE-2025-58142, CVE-2025-58143

Remark

Another advisory, XSA-474, was released the same day as XSA-472, but it concerns XAPI. Since the attack vector differs and is not easily exploitable in 8.2, we have not released a patch for it, unlike in 8.3.

📢 XCP-ng 8.2 LTS end of support

XCP-ng 8.2 LTS will no longer be supported as of September 16, 2025.

We therefore strongly encourage you to migrate your pools to XCP-ng 8.3 LTS to continue benefiting from the latest security fixes and improvements.
