
October 2025 Security and Maintenance Update for XCP-ng 8.3 LTS

Security Oct 23, 2025

New bugfix, enhancement and security updates are available for XCP-ng 8.3 LTS.

📔
To update, follow this guide. You can also join the discussion on our community forum.
Host reboots are necessary after this update.

📋Summary

This set of updates addresses vulnerabilities in XCP-ng. In addition to this, the updated packages bring improvements and bug fixes which were queued for release.

⚠️
As this update contains vulnerability fixes, it is strongly advised to update your hosts as soon as possible.

🔒Security Updates

Xen

Two vulnerabilities have been discovered, reported and patched by Teddy Astie from Vates in Xen, related to hypercalls in the Viridian feature, which provides Hyper-V-compatible enlightenments for guest VMs. This feature is generally used for Windows VMs and is enabled by default when creating VMs from a Windows template or the Other installation media template.

Potential risks include Denial of Service (DoS) impacting the whole host, information exposure, or escalation of privileges.

xen-* packages were updated to address these vulnerabilities. XCP-ng 8.3 hosts running Xen versions older than 4.17.5-20.2 are affected.

References: VSA-2025-006 - XSA-475 - CVE-2025-58147 - CVE-2025-58148

Intel microcode

Intel issued multiple Security Advisories (INTEL-SA) that are addressed by a new microcode release. 3 of the 6 INTEL-SA covered by this release could impact XCP-ng depending on CPU models.

The intel-microcode package was updated to include this new release. The release number of the updated package is 20250715-1.

⚠️
Updated firmware is provided as a convenience to help mitigate hardware vulnerabilities and other bugs.
Updating your hardware's firmware remains the preferred method for updating microcode, and any newer microcode found in the firmware will take precedence over the microcode provided in XCP-ng.

References: VSA-2025-007 - INTEL-SA-01249 - CVE-2025-20109 - INTEL-SA-01308 - CVE-2025-22840 - INTEL-SA-01310 - CVE-2025-22839

libtpms

The libtpms library in XCP-ng is affected by a vulnerability which could allow a userland process in a VM with vTPM module enabled to trigger a crash of the TPM via out-of-bounds reads, effectively making the vTPM unavailable. It cannot affect the host or other VMs.

The libtpms package was updated to address this. The release number of the updated package is 0.9.6-3.

References: VSA-2025-004 - CVE-2025-49133
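The three security items above each name the package release that carries the fix (xen-* at 4.17.5-20.2, intel-microcode at 20250715-1, libtpms at 0.9.6-3). The script below is an added example, not part of the post or of XCP-ng itself: it compares the installed RPM version-release of each package against the fixed release so that an administrator can confirm a host is patched before and after updating. The package name xen-hypervisor is an assumption about how the xen-* packages are named on the host; the version comparison treats non-numeric segments (such as the distribution suffix in a release string) as zero, which is an approximation of rpm's own ordering that is sufficient for the releases listed here.

```shell
#!/bin/sh
# Added example (not from the XCP-ng post or project): check whether the
# installed release of each security-relevant package is older than the
# release that carries the fix. Package name "xen-hypervisor" is an assumption.

# vercmp A B: prints -1 if A is older than B, 0 if equal, 1 if newer.
# Splits on "." and "-" and compares segment by segment as integers;
# a non-numeric segment counts as 0 (approximation of rpm ordering).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# pkg_is_older_than PKG FIXED: returns 0 if the installed PKG is older than
# FIXED, 1 if it is at or beyond FIXED, 2 if PKG is not installed / rpm failed.
pkg_is_older_than() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$1" 2>/dev/null) || return 2
    [ "$(vercmp "$installed" "$2")" -lt 0 ]
}

# Fixed releases taken from the advisory text above.
FIXED_RELEASES='xen-hypervisor 4.17.5-20.2
intel-microcode 20250715-1
libtpms 0.9.6-3'

# Report per package. Only meaningful on an RPM-based host (dom0); elsewhere
# the loop simply reports that rpm is unavailable.
report_fix_status() {
    printf '%s\n' "$FIXED_RELEASES" | while read -r pkg fixed; do
        if pkg_is_older_than "$pkg" "$fixed"; then
            echo "$pkg: installed release is older than $fixed, update needed"
        elif [ $? -eq 2 ]; then
            echo "$pkg: not installed or rpm unavailable, nothing to check"
        else
            echo "$pkg: at or beyond $fixed, fix present"
        fi
    done
}

report_fix_status
```

Because rpm's real comparison also orders alphabetic segments, use this as a quick sanity check and rely on the host's update tooling for the authoritative answer.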

XCP-ng Signed Windows Guest Tools Available

After a process spanning several years, we are finally able to sign our own version of the guest tools for Windows VMs. These tools are now the recommended default VM tools for Windows in XCP-ng. XenServer's guest tools are still supported for the foreseeable future, but we now recommend installing XCP-ng's tools.

Learn more about this story - and where to download the latest tools from - here: https://xcp-ng.org/blog/2025/10/10/signed-windows-pv-drivers-now-available/

Another significant change for users is that the XCP-ng Windows Guest Tools are now directly available from the guest tools ISO image, which can be mounted on any VM for easy deployment.

Performance improvements

While XCP-ng’s performance meets the needs of most workloads, we continue to focus on maximizing hardware efficiency as a key development priority.

Here are the changes brought by today's set of updates in this area.

Storage operations performance

Operations on storage repositories were optimized. This work was initially done by our friends at XenServer, and ported to XCP-ng. Exactly which workloads benefit from it is not known. However, during pre-release testing, we received really positive feedback from users. Let us know if it improved performance for you!

Best effort NUMA placement

On modern hardware, where data is located in RAM relative to the CPU cores that access it matters for performance. NUMA stands for Non-Uniform Memory Access.

This feature is not enabled by default at the moment. When enabled, XAPI will try to allocate a single NUMA node when creating VMs. This is a best-effort strategy, meaning it may sometimes fail, causing all nodes to be used instead (not worse performance than before, but not better either), especially when many VMs are started or migrated simultaneously.

You can enable it per host by running the following command:

xe host-param-set numa-affinity-policy=best_effort uuid=$HOST_UUID

Once enabled, new VMs should be allocated to single NUMA nodes. To verify that it works, (re)start a VM that can fit within a single NUMA memory node, run xl debug-keys u on dom0, and then check the output using xl dmesg.
The last lines of the output show which NUMA nodes each domain (VM) has memory allocated on. You should see that the restarted domain (typically the one with the highest domain number) has multiple nodes listed, but all except one should show a value of 0.
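The verification step above asks you to read the tail of the xl dmesg output by eye. The script below is an added example, not part of the post or of XCP-ng: it runs the same two commands on dom0 (wrapped in a helper named numa_dump, a name chosen here) and parses the "Memory location of each domain" section to decide whether the highest-numbered domain has its memory on exactly one NUMA node. The assumed layout of that section (one "Domain N (total: P):" or "dN (total: P):" header per domain followed by one "Node X: P" line per node, all prefixed with "(XEN) " by xl dmesg) is an assumption about Xen's NUMA debug-key output, and the two sample dumps are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the XCP-ng post or project): check the NUMA
# placement of the most recently started domain from the dump that
# `xl debug-keys u` writes to the Xen console log (read back with `xl dmesg`).
# The dump layout parsed here is an assumption about Xen's debug output.

# On dom0, produce the dump: trigger the debug key, then read the console log.
numa_dump() {
    xl debug-keys u && xl dmesg
}

# check_single_node_placement DUMP_TEXT
# Exit status: 0 if the highest-numbered domain has memory on exactly one
# NUMA node, 1 if it is spread across several nodes, 2 if no domain was found.
check_single_node_placement() {
    printf '%s\n' "$1" | awk '
        { sub(/^\(XEN\) */, "") }       # xl dmesg prefixes every line with "(XEN) "
        /^Memory location of each domain/ { in_section = 1; next }
        in_section && /^(Domain |d)[0-9]+ \(total/ {
            line = $0
            gsub(/[^0-9 ]/, " ", line)  # blank out all but digits; first number is the domain id
            split(line, f, " ")
            dom = f[1] + 0
            if (!seen || dom > maxdom) { maxdom = dom; nonzero = 0 }
            seen = 1
            cur = dom
            next
        }
        in_section && seen && cur == maxdom && match($0, /Node [0-9]+: *[0-9]+/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/.*: */, "", s)         # keep only the page count for this node
            if (s + 0 > 0) nonzero++
        }
        END {
            if (!seen) exit 2
            status = (nonzero == 1) ? 0 : 1
            exit status
        }'
}

# Constructed sample (not a real capture): dom0 spans both nodes, domain 7 was
# started after enabling best_effort placement and landed entirely on node 1.
SAMPLE_GOOD='(XEN) Memory location of each domain:
(XEN) Domain 0 (total: 1048576):
(XEN)     Node 0: 524288
(XEN)     Node 1: 524288
(XEN) Domain 7 (total: 262144):
(XEN)     Node 0: 0
(XEN)     Node 1: 262144'

# Constructed sample: placement fell back to all nodes for domain 7.
SAMPLE_SPREAD='(XEN) Memory location of each domain:
(XEN) Domain 0 (total: 1048576):
(XEN)     Node 0: 524288
(XEN)     Node 1: 524288
(XEN) Domain 7 (total: 262144):
(XEN)     Node 0: 131072
(XEN)     Node 1: 131072'

# Stand-alone demonstration on the constructed samples. On a real host use:
#   check_single_node_placement "$(numa_dump)" && echo "single-node placement"
if check_single_node_placement "$SAMPLE_GOOD"; then
    echo "sample: newest domain sits on a single NUMA node (placement worked)"
fi
if ! check_single_node_placement "$SAMPLE_SPREAD"; then
    echo "sample: newest domain is spread across nodes (best-effort fallback)"
fi
```

Run it right after (re)starting a VM that fits in one node's memory; a spread result is the expected best-effort fallback when many VMs start or migrate at once, not a failure of the update.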

In the best case, this can yield up to a 10% performance improvement for compute-intensive workloads. We’d love to hear how it works for you!

This feature was initially developed by XenServer developers in the Open Source XAPI project, then integrated into XCP-ng.

Other performance improvements

  • Improve the speed of linstor commands in the context of XOSTOR storage (in particular, the scan command).
  • Host evacuation was parallelized further, so that a steady flow of VM migrations is maintained, avoiding bottlenecks.
  • Other optimizations here and there.

Guest UEFI Secure Boot Certificates

We now provide the latest Secure Boot certificates from Microsoft by default.

Until this update, to enable Secure Boot for virtual machines, you first had to set up your pool for it. It was an easy task, spontaneously offered by Xen Orchestra and well documented, but it nonetheless remained a manual step (and was more difficult when the host could not download from the Internet).

This changes today: we found a way to legally provide the required certificates directly with the XCP-ng system, which means that Guest Secure Boot now works out of the box. Additionally, this will allow support for Secure Boot with future Windows media that no longer use the expired 2011 certificates deployed by the previous process.

For existing setups where Guest Secure Boot is already in use, you will have to choose between continuing to use the certificates you deployed via our previous method or reverting to our defaults. Both options will work well, but reverting to our defaults will give you the latest certificates and allow you to receive future updates automatically through XCP-ng system updates.

In any case, the certificates on the pool only affect new VM deployments from templates that do not already embed UEFI certificates. For existing VMs, which already have their own copy of the certificates, nothing changes.

Read more about it at: https://docs.xcp-ng.org/guides/guest-UEFI-Secure-Boot/

New OpenFlow Rules backend - BETA

Context: Xen Orchestra's SDN Controller plugin allows two things:

  • Creation of Private Networks using GRE or VXLAN to create Layer 3 overlay networks that can be cross pool and cross datacenter, as long as there is IP communication between your hosts.
  • Adding OpenFlow rules to restrict or better control traffic to and from a VM interface (VIF).

The previous implementation of the OpenFlow rules was limited:

  • Rules could only be applied to a VIF
  • That VIF needed to be on the management network, without support for VLANs or bonds. This was caused by the direct communication with Open vSwitch through the OpenFlow protocol, and by a limitation in how we expose this inside XCP-ng.

The new implementation circumvents this limitation thanks to a new XAPI plugin that we developed to handle the creation of the rules locally on the hosts. This allows support for per-VIF and network-wide rules, and works on any network including VLANs or private networks, regardless of whether the underlying network is a physical NIC or a bond.

Currently, the new OpenFlow rules backend is in BETA and needs to be manually enabled for Xen Orchestra to use it. To do so, please follow these steps:

  • Make sure your XOA is running at least version 5.111.0 (only in the `latest` release channel at the time of this publication).
  • Configure XOA to disable the use of the direct channel.
  • Using the existing UI, you can create per VIF rules.
  • Read the documentation to see how to create rules using xo-cli, including per-VIF and network-wide rules.
  • Alternatively, you can manually create rules on your hosts through the xe command, as explained in XCP-ng documentation.

🪲 Other bugfixes and improvements

Various improvements and bugfixes were implemented by XenServer developers and XCP-ng developers, thanks to the open source nature of the Xen Project, of many of the components that make up XenServer, and of the whole of XCP-ng itself.

Notable Improvements

  • Xen Orchestra Lite (XO Lite) updated to 0.15.0.
  • New HA option to avoid rebooting VMs on internal shutdown: https://docs.xcp-ng.org/management/ha/#halting-the-vm
  • Guest templates for Almalinux 10, Red Hat Enterprise Linux 10, Rocky Linux 10, Oracle Linux 10, Debian 13
  • Enhance support for Intel Granite Rapids systems
  • Support for 50G/100G/200G link modes in ethtool for Mellanox network devices
  • Allow SHA-512 in host certificates.
  • Report additional CPU metrics.
  • Storage migration reworked.

Notable Bug Fixes

  • Fix crashes on VMs having the Windows Server 2025 September update and emulated NVMe controllers (that is, not using the PV drivers for XCP-ng)
  • Bug fixes and resiliency improvements related to XOSTOR storage, including an important fix for a memory leak in the DRBD kernel module, and other fixes in LINSTOR itself.
  • VM Network booting from VM
  • VLAN tag support for network-booting VMs
  • Driver qla2xxx (QLogic) updated to version 10.02.13.00_k. Bug fixes only.
  • Consoles are now started for PVH guests => a step towards supporting PVH virtualization mode in the future.
  • Stop ballooning down memory on localhost migration => VDI migration to another SR no longer fails because of unrelated memory configuration.
  • Better error reporting for other_operation_in_progress => now describing what operation was blocking another one.
  • Avoid trying to suspend a VM which doesn't support it, thus preventing a VM crash.
  • Fix an issue that disabled CBT unnecessarily on VDIs on shared SRs during VM live migration. This also allows such VMs to be live migrated during a rolling pool update.
  • Message.get_all_records_where now properly evaluates the query. This will be leveraged by Xen Orchestra to get some information from XAPI faster (by fetching smaller amounts of items).
  • Fix issues with emergency network reset on IPv6 hosts
  • Fix PCI passthrough on some systems

And a lot of various other fixes and internal improvements.

🔗 Alternate driver updates

Alternate drivers are provided as a way to get newer drivers for some hardware, without incurring the risk of updating these drivers on systems that work perfectly with the current version.

See https://docs.xcp-ng.org/installation/hardware/#-alternate-drivers

  • intel-ice-alt: Update to version 1.17.2


Samuel Verschelde

Along with Gaël Duperrey, David Morel

XCP-ng Lead Maintainer, Release Manager and Technical Product Manager. Open Source enthusiast since 2002.