December 2025 Security and Maintenance Updates for XCP-ng 8.3 LTS
New security and maintenance updates are available for XCP-ng 8.3 LTS.
Host reboots are necessary after this update.
📋 Summary
This set of updates addresses vulnerabilities in AMD Zen 5 CPUs. In addition to this, the updated packages bring improvements and bug fixes which were queued for release.
🔒 Security Updates
AMD microcode
AMD published the Security Bulletin AMD-SB-7055 and the associated CVE-2025-62626 regarding insufficient entropy when using RDSEED in its 16-bit or 32-bit forms on some AMD Zen 5 processors; the 64-bit variant is unaffected. The issue is that these instructions generate zeros more often than expected without reporting an error. This can make random number generation more predictable and therefore weaken the security of software that relies on it, especially cryptographic layers. According to our analysis, the 16-bit and 32-bit variants are not used on the Xen side, so the impact was considered low, hence the slightly delayed publication. Updates were made to the upstream microcode to fix the issue on a set of processors.
Refer to the Security Bulletin to see the list of impacted processors and the ones that are included in the updated microcode.
Regarding the Entrysign fix described in AMD-SB-7033, make sure to check your vendor firmware and the currently installed version before updating.
The amd-microcode package was updated to version 20251203-1.1 to include the available fixes. The microcode format has evolved and requires the latest xen-* packages to be loaded properly, see below.
Reference: VSA-009
Updating your hardware's firmware remains the preferred method for updating microcode, and any newer microcode found in the firmware will take precedence over the microcode provided in XCP-ng.
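A host-side sanity check for the RDSEED behaviour described above, added here as an example (not code from XCP-ng or AMD): it draws seeds of each width, counts how often the instruction returns zero while still reporting success (CF=1), and compares that against the rate a healthy source would give. The thresholds and the verdict encoding are the example's own assumptions; run it in dom0 on x86-64 Linux, where GCC's cpuid.h is available.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__)
#include <cpuid.h>
#endif

/* CPUID.(EAX=7,ECX=0):EBX bit 18 advertises RDSEED. Non-x86-64 builds return 0. */
int cpu_has_rdseed(void) {
#if defined(__x86_64__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx)) return 0;
    return (ebx >> 18) & 1;
#else
    return 0;
#endif
}

/* One RDSEED of 16, 32 or 64 bits. Returns the carry flag: 1 = value valid,
 * 0 = hardware asks for a retry. The defect is a zero value returned WITH CF=1. */
static int rdseed_once(int width, uint64_t *out) {
#if defined(__x86_64__)
    unsigned char cf = 0;
    if (width == 16) { uint16_t v; __asm__ volatile("rdseed %0\n\tsetc %1" : "=r"(v), "=q"(cf)); *out = v; }
    else if (width == 32) { uint32_t v; __asm__ volatile("rdseed %0\n\tsetc %1" : "=r"(v), "=q"(cf)); *out = v; }
    else { uint64_t v; __asm__ volatile("rdseed %0\n\tsetc %1" : "=r"(v), "=q"(cf)); *out = v; }
    return cf;
#else
    (void)width; (void)out; return 0;
#endif
}

/* Draws n successful seeds of `width` bits and returns how many were zero, or -1
 * if the instruction keeps refusing (e.g. RDSEED masked by the hypervisor). */
long count_zero_seeds(int width, long n) {
    long zeros = 0, got = 0, retries = 0;
    uint64_t v;
    while (got < n) {
        if (!rdseed_once(width, &v)) { if (++retries > 10 * n) return -1; continue; }
        got++;
        if (v == 0) zeros++;
    }
    return zeros;
}

/* Verdict (assumed encoding): -1 = RDSEED unavailable, 0 = zero rate consistent with
 * a healthy source, 1 = zeros far above the expected n / 2^width (the CVE-2025-62626 symptom). */
int rdseed_zero_check(int width, long n) {
    if (!cpu_has_rdseed()) return -1;
    long zeros = count_zero_seeds(width, n);
    if (zeros < 0) return -1;
    double expected = width >= 63 ? 0.0 : (double)n / (double)(1ULL << width);
    return zeros > 8.0 * expected + 8.0 ? 1 : 0;   /* generous bound: avoids false alarms */
}

int main(void) {
    const int widths[] = {16, 32, 64};
    for (int i = 0; i < 3; i++)
        printf("rdseed%d: verdict %d\n", widths[i], rdseed_zero_check(widths[i], 100000));
    return 0;
}
```

A verdict of 1 for the 16- or 32-bit width on a Zen 5 host is the signal to apply the microcode or firmware update; the 64-bit width should stay at 0 on any host where RDSEED is exposed.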
Xen
One vulnerability was discovered by Jiqian Chen of AMD and published as XSA-476 with its associated CVE-2025-58149. It relates to PCI passthrough hotplug, which is an unsupported feature and therefore considered low priority for XCP-ng. The fix was still integrated as a defense-in-depth measure. When detaching a passed-through PCI device, the logic did not remove the domain's access permissions to the PCI BAR memory. This could allow a domain to access PCI device memory that is no longer supposed to be mapped to it, including data of another guest if the device were remapped.
That update also includes the ability to load the new microcode format using multiple blobs per CPU, which is mandatory to load the newest amd-microcode package.
xen-* packages were updated to version 4.17.5-23.1, which includes the fix for this vulnerability, the capability to load the newest amd-microcode as well as other fixes and improvements.
Reference: VSA-008
Guest UEFI Secure Boot Certificates
We now provide the latest Secure Boot certificates from Microsoft by default.
Until this update, to enable Secure Boot for virtual machines, you first had to set up your pool for it. It was an easy task, spontaneously offered by Xen Orchestra and well documented, but it nonetheless remained a manual step (and was more difficult when the host could not download from the Internet).
This changes today: we found a way to legally provide the required certificates directly with the XCP-ng system, which means that Guest Secure Boot now works out of the box. Additionally, this will allow support for Secure Boot with future Windows media that no longer use the expired 2011 certificates deployed by the previous process.
For existing setups where Guest Secure Boot is already in use, we recommend reverting to our managed defaults to receive the latest Secure Boot updates directly from XCP-ng. Existing VMs also need to be updated to receive the latest 2023 certificates.
Details and instructions are available in our official documentation: https://docs.xcp-ng.org/guides/guest-UEFI-Secure-Boot/
🔗 Up to 16 virtual network interfaces per VM
The maximum number of VIFs (that's how we name virtual network interfaces, as opposed to PIFs, physical network interfaces) per VM was extended to 16. The previous maximum value was 7.
Please note, however, that multiplying the number of virtual interfaces may not always be the best way to meet your needs, and it adds to the management complexity.
💿 Installer with updated Broadcom drivers
We remastered the XCP-ng 8.3 LTS installer with just one change: updated Broadcom drivers. There are no other changes.
The drivers on the previous installation ISO were capable of crashing the installer itself when booting on servers that had recent NIC models, such as those sold by Dell.
This installer is going to replace the default one on our download page, but until then, you'll find it at https://mirrors.xcp-ng.org/isos/8.3/xcp-ng-8.3.0-20250606.2.iso (checksums, signature).
🪲 Other bugfixes and improvements
Various improvements were implemented and bugs fixed by XenServer developers and XCP-ng developers, thanks to the open source nature of the Xen Project, of many components that make XenServer, and of the whole of XCP-ng itself.
Notable Improvements
- Improve performance of resumed or migrated VMs by supporting superpage restoration.
- Xen Orchestra Lite (XO Lite) updated to 0.17.0.
- Guest tools: properly detect Red Hat 10 and its derivatives when installing the Linux guest agent.
- Guest tools: update Windows Tools to 9.1.100.
Notable Bug Fixes
- Enable passthrough of devices on non-zero PCI segments.
- Fix detection of the Self Snooping feature on capable Intel CPUs.
- Address the XSA-476 vulnerability (CVE-2025-58149), low severity on XCP-ng (affects an unsupported feature of Xen).
- On the storage layer:
  - Changes made by XenServer:
    - Robustify CBT enable/disable calls to prevent errors.
    - Various fixes regarding SCSI commands/functions.
    - Add tolerance in the GC (garbage collection) during leaf coalesce.
    - Improve GC logging and correct rare race conditions.
  - Changes made by XCP-ng developers:
    - Use serial instead of SCSI ID for SR on USB devices to prevent bad match.
    - Explicit error message during LVM metadata generation when VDI type is missing.
    - Correct and robustify LINSTOR deletion algorithm to manage in-use volumes.
    - Avoid throwing LINSTOR exceptions in case of impossible temporary volume deletion, in order to properly terminate higher-level API calls.
    - Prevent XOSTOR operations if LINSTOR versions mismatch on a pool.
- Changes made by XenServer:
  - Fix benign "unary operator expected" error, displayed when connecting from some terminal software.
And various other fixes and internal improvements.
🔗 Alternate driver updates
Alternate drivers are provided as a way to get newer drivers for some hardware, without incurring the risk of updating these drivers on systems that work perfectly with the current version.
See https://docs.xcp-ng.org/installation/hardware/#-alternate-drivers
- qlogic-netxtreme2-alt: alternate driver for NetXtreme2 updated to version 7.15.24.
- qlogic-qla2xxx-alt: alternate driver qla2xxx updated to version 10.02.14.01_k.