Skip to main content

Xen PV Drivers CVE-2025-27463

| EUVDEUVD-2025-210444 CRITICAL
Incorrect Default Permissions (CWE-276)
2026-07-09 XEN GHSA-j273-68h8-x289
Critical
Disputed · 9.4 Vendor: XEN
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (XEN) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Requires an existing local user session so PR:L, low complexity, and a scope change (S:C) as guest-user access reaches kernel/hypervisor-facing facilities with full CIA impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SUSE
MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: XEN

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 16:33 vuln.today
CVE Published
Jul 09, 2026 - 14:29 cve.org
CRITICAL 9.4

DescriptionCVE.org

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464

AnalysisAI

Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenIface interface is exposed to userspace with no security descriptor, leaving it fully accessible to unprivileged users. Any low-privileged local user on an affected Windows guest can interact with this facility to gain elevated control over the system. This is one of three sibling issues (alongside CVE-2025-27462 XenCons and CVE-2025-27464 XenBus) disclosed in Xen Security Advisory XSA-468; no public exploit has been identified at time of analysis.

Technical ContextAI

Xen Windows PV drivers are paravirtualized device drivers installed inside Windows guest VMs running on the Xen hypervisor, providing high-performance virtual disk, network, and management interfaces between the guest and host. XenIface specifically is the interface/management driver that brokers communication between userspace tooling and the hypervisor via the Xen store and shared facilities. The root cause is CWE-276 (Incorrect Default Permissions): the driver creates its device object (interface exposed to userspace) without attaching a security descriptor/ACL, so the Windows object manager applies overly permissive default access, allowing any authenticated non-administrative user to open and issue IOCTLs to a driver that operates at kernel/SYSTEM privilege. Affected component per CPE is cpe:2.3:a:xen:windows_pv_drivers.

RemediationAI

Apply the fixed Xen Windows PV driver packages published under Xen Security Advisory XSA-468 (https://xenbits.xen.org/xsa/advisory-468.html), which add proper security descriptors restricting the XenIface, XenCons, and XenBus device interfaces to privileged callers; exact patched version strings are not provided in this intelligence set and must be read from the advisory. No vendor-released patch version is independently confirmed here beyond the advisory reference. As a compensating control until drivers are updated, restrict interactive and remote logon on affected Windows guests to trusted administrators only (this defect requires a local user session, so limiting who can run code in the guest directly reduces exposure), and where operationally acceptable tighten the driver device object ACLs or remove/disable unused PV facilities - with the trade-off that disabling PV management interfaces can degrade guest tooling, monitoring, and performance features. Prioritize patching guests that permit untrusted or multi-tenant local users.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Micro 5.3 Not-Affected
SUSE Linux Enterprise Micro 5.4 Not-Affected
SUSE Linux Enterprise Micro 5.5 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP4 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Not-Affected

Share

CVE-2025-27463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy