September 2025 Security Update for XCP-ng 8.3 LTS

Security Sep 11, 2025

New security updates are available for XCP-ng 8.3 LTS addressing the vulnerabilities described in Vates Security Advisory VSA-2025-002.

📔
To update, follow this guide. You can also join the discussion on our community forum.
Host reboots are necessary after this update.

📋Summary

This update primarily brings the security patches described below.

⚠️
As this is a security update, it is strongly recommended that all users update their hosts.

🔒Security Updates

XAPI

Buggy or malicious inputs to XAPI (coming either from an authenticated XAPI user or from privileged code inside a guest) can cause a Denial of Service on the host due to incompatibilities in UTF-8 handling.

References: XSA-474, CVE-2025-58146

Xen

Multiple vulnerabilities were discovered in Xen's Viridian feature, which provides Hyper-V-compatible enlightenments for guest VMs, especially Windows.

These vulnerabilities could be used by guest VMs to hang, crash or compromise the host.

Affected components

XCP-ng 8.3 hosts running Xen versions older than 4.17.5-15.3 are affected.

These vulnerabilities are reachable from guest VMs with the viridian_reference_tsc or viridian_stimer platform features enabled. These settings are enabled by default on VMs based on Windows templates.

Fix

Update Xen to version 4.17.5-15.3 or later.

A workaround is available for those who can't patch: not enabling the reference_tsc and stimer Viridian extensions avoids the issues.

For all VMs with Viridian enabled:

xe vm-param-set uuid=<vm uuid> platform:viridian_reference_tsc=false
xe vm-param-set uuid=<vm uuid> platform:viridian_stimer=false

You will then need to reboot the affected VM.
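
The workaround has to be applied VM by VM. The script below is an added example, not part of the advisory or the XCP-ng project: run in dom0, it lists the VMs that have platform:viridian set to true without both extensions explicitly set to false, and runs the two commands above on them when APPLY=1 is set. The function names, the APPLY variable, and treating an absent platform key as "not disabled" are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit (and optionally apply) the Viridian workaround per VM.
# Assumption: a platform key that is absent counts as "not disabled".

# Print the value of a platform key for a VM, or "unset" if the key is absent.
platform_get() {
    xe vm-param-get uuid="$1" param-name=platform param-key="$2" 2>/dev/null || echo unset
}

# Succeed if the VM has Viridian on and either affected extension is not "false".
needs_workaround() {
    [ "$(platform_get "$1" viridian)" = "true" ] || return 1
    [ "$(platform_get "$1" viridian_reference_tsc)" != "false" ] ||
        [ "$(platform_get "$1" viridian_stimer)" != "false" ]
}

# Print the UUIDs of all non-dom0 VMs that still need the workaround.
list_exposed_vms() {
    for vm in $(xe vm-list is-control-domain=false params=uuid --minimal | tr ',' ' '); do
        if needs_workaround "$vm"; then echo "$vm"; fi
    done
}

# Apply the two settings from the advisory to one VM.
apply_workaround() {
    xe vm-param-set uuid="$1" platform:viridian_reference_tsc=false
    xe vm-param-set uuid="$1" platform:viridian_stimer=false
}

# Dry run by default; APPLY=1 changes the settings.
run_audit() {
    for vm in $(list_exposed_vms); do
        if [ "${APPLY:-0}" = "1" ]; then
            apply_workaround "$vm" && echo "$vm: workaround set, reboot the VM"
        else
            echo "$vm: viridian_reference_tsc or viridian_stimer not disabled"
        fi
    done
}

# Only run where the xe CLI exists (that is, on the XCP-ng host).
if command -v xe >/dev/null 2>&1; then run_audit; fi
```

Run it once without APPLY to review the list, then again with APPLY=1; the changed settings take effect only after each listed VM is rebooted.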

References: XSA-472, CVE-2025-27466, CVE-2025-58142, CVE-2025-58143