September 2025 Security Update for XCP-ng 8.2 LTS

New security updates are available for XCP-ng 8.2 LTS addressing the vulnerabilities described in Vates Security Advisory VSA-2025-002.

📋Summary

This update primarily brings a security patch described below.

🔒Security Updates

Xen

Multiple vulnerabilities were discovered in Xen's Viridian feature, which provides Microsoft Hyper-V-compatible enlightenments for guest VMs, especially Windows.

These vulnerabilities could be used by guest VMs to hang or crash the host.

Description

Multiple vulnerabilities were discovered in Xen's Viridian feature, which provides Microsoft Hyper-V-compatible enlightenments for guest VMs, especially Windows.

These vulnerabilities could be used by guest VMs to hang or crash the host.

Affected components

XCP-ng 8.2 hosts running Xen versions older than 4.13.5-9.49.4 are affected.

These vulnerabilities are reachable from guest VMs with the viridian_reference_tsc or viridian_stimer platform features enabled. These settings are enabled by default on VMs based on Windows templates.

Fix

Update Xen to version 4.13.5-9.49.4 or later.

A workaround is available for those who can't patch: Not enabling the reference_tsc and stimer viridian extensions will avoid the issues.

For all VMs with Viridian enabled:

xe vm-param-set uuid=<vm uuid> platform:viridian_reference_tsc=false
xe vm-param-set uuid=<vm uuid> platform:viridian_stimer=false

You will then need to reboot the affected VM.

References: XSA-472, CVE-2025-27466, CVE-2025-58142, CVE-2025-58143

Remark

Another XSA (474) was released the same day as XSA-472, but regarding XAPI. Since the attack vector differs and is not easily exploitable in 8.2, we have not released a patch for it, unlike in 8.3.

📢 XCP-ng 8.2 LTS end of support