September 2025 Security Update for XCP-ng 8.3 LTS
New security updates are available for XCP-ng 8.3 LTS addressing the vulnerabilities described in Vates Security Advisory VSA-2025-002.
Host reboots are necessary after this update.
📋Summary
This update primarily brings security patches described below.
🔒Security Updates
XAPI
Buggy or malicious inputs to XAPI (coming either from an authenticated XAPI user or from privileged code inside a guest) can cause a Denial of Service on the host due to incompatibilities in UTF-8 handling.
References: XSA-474, CVE-2025-58146
Xen
Multiple vulnerabilities were discovered in Xen's Viridian feature, which provides Hyper-V-compatible enlightenments for guest VMs, especially Windows.
These vulnerabilities could be used by guest VMs to hang, crash or compromise the host.
Affected components
XCP-ng 8.3 hosts running Xen versions older than 4.17.5-15.3 are affected.
These vulnerabilities are reachable from guest VMs with the viridian_reference_tsc or viridian_stimer platform features enabled. These settings are enabled by default on VMs based on Windows templates.
Fix
Update Xen to version 4.17.5-15.3 or later.
A workaround is available for those who can't patch yet: disabling the reference_tsc and stimer Viridian extensions avoids the issues.
For all VMs with Viridian enabled:
xe vm-param-set uuid=<vm uuid> platform:viridian_reference_tsc=false
xe vm-param-set uuid=<vm uuid> platform:viridian_stimer=false
You will then need to reboot each affected VM for the new platform settings to take effect.
References: XSA-472, CVE-2025-27466, CVE-2025-58142, CVE-2025-58143
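The following script is an added example, not part of the advisory or of the XCP-ng project, that automates the workaround above on a host that cannot yet be updated: it checks the installed Xen version against 4.17.5-15.3, finds VMs whose platform record has Viridian enabled, and applies the two `xe vm-param-set` commands from the advisory to each of them. It assumes (neither detail is stated on the page) that the hypervisor RPM is named `xen-hypervisor` and that `xe vm-param-get ... param-name=platform` prints the map as `key: value; key: value`. The sample platform maps are constructed for local testing and are not real XCP-ng output.

```shell
#!/bin/sh
# Added example for the XSA-472 workaround (not the advisory's or XCP-ng's own code).
# Assumptions: hypervisor package is "xen-hypervisor"; xe prints platform maps
# as "key: value; key: value".
set -eu

REQUIRED_XEN="4.17.5-15.3"   # fixed Xen version named in the advisory

# version_ge HAVE WANT: succeed when HAVE >= WANT, comparing the numeric
# components of a dotted/dashed version. Non-numeric suffixes (e.g. ".xcpng8.3"
# in the RPM release, an assumption) are dropped before comparing.
version_ge() {
    have=$(printf '%s' "$1" | tr -cd '0-9.-' | tr '-' '.')
    want=$(printf '%s' "$2" | tr -cd '0-9.-' | tr '-' '.')
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}; w=${want%%.*}
        h=${h:-0}; w=${w:-0}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        case $have in *.*) have=${have#*.} ;; *) have="" ;; esac
        case $want in *.*) want=${want#*.} ;; *) want="" ;; esac
    done
    return 0
}

# needs_workaround PLATFORM_MAP: succeed when Viridian is enabled and at least
# one of the two vulnerable extensions is not explicitly set to false.
needs_workaround() {
    map=$1
    case $map in
        *"viridian: true"*) ;;
        *) return 1 ;;          # Viridian off: XSA-472 code paths not reachable
    esac
    case $map in
        *"viridian_reference_tsc: false"*) ;;
        *) return 0 ;;
    esac
    case $map in
        *"viridian_stimer: false"*) return 1 ;;
        *) return 0 ;;
    esac
}

# apply_workaround VM_UUID: the two xe commands from the advisory. The VM must
# be rebooted afterwards for the new platform settings to take effect.
apply_workaround() {
    xe vm-param-set uuid="$1" platform:viridian_reference_tsc=false
    xe vm-param-set uuid="$1" platform:viridian_stimer=false
}

# Constructed sample platform maps for local testing (not real XCP-ng output).
SAMPLE_WINDOWS="viridian: true; viridian_reference_tsc: true; viridian_stimer: true; device_id: 0002"
SAMPLE_MITIGATED="viridian: true; viridian_reference_tsc: false; viridian_stimer: false"
SAMPLE_LINUX="device_id: 0001; apic: true; acpi: 1"

main() {
    if ! command -v xe >/dev/null 2>&1; then
        echo "xe not found: run this on an XCP-ng host" >&2
        return 0
    fi
    # Assumption: the hypervisor RPM is named xen-hypervisor.
    have=$(rpm -q --qf '%{VERSION}-%{RELEASE}' xen-hypervisor)
    if version_ge "$have" "$REQUIRED_XEN"; then
        echo "Xen $have already includes the XSA-472 fix; reboot the host if not done yet."
        return 0
    fi
    echo "Xen $have is older than $REQUIRED_XEN; applying the workaround to Viridian VMs"
    for u in $(xe vm-list is-control-domain=false is-a-template=false --minimal | tr ',' ' '); do
        map=$(xe vm-param-get uuid="$u" param-name=platform)
        if needs_workaround "$map"; then
            apply_workaround "$u"
            echo "workaround applied to $u; reboot this VM"
        fi
    done
}

main "$@"
```

Run it from dom0 on the host; it only changes VMs that still have Viridian enabled with at least one of the two extensions not already set to false, and it does nothing when the installed Xen is already at or above the fixed version. The version check is deliberately permissive about release suffixes so that a package release such as 15.3 followed by a distribution tag still compares as patched.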