Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Any unprivileged local user can open the ACL-less XenBus interface (AV:L, PR:N, UI:N), and escalation crosses the guest/hypervisor trust boundary with full impact, giving S:C and C/I/A:H.
Primary rating from Vendor (XEN).
CVSS VectorVendor: XEN
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464
AnalysisAI
Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenBus interface (CVE-2025-27464) is exposed to userspace with no security descriptor, leaving it fully accessible to any unprivileged user on a Windows guest. Because XenBus mediates communication between the guest and the hypervisor's device backend, an unprivileged local user can abuse this open interface to gain elevated privileges and potentially impact the guest and the virtualization layer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is documented in Xen Security Advisory XSA-468.
Technical ContextAI
Xen PV drivers are paravirtualized device drivers installed inside a Windows guest running on a Xen-based hypervisor; they replace emulated hardware with fast, direct channels to the Xen backend. XenBus is the core driver that manages the shared 'store' and event/grant plumbing used to connect guest frontends to host backends, so it is a privileged bridge between userspace and the hypervisor boundary. The root cause is CWE-276 (Incorrect Default Permissions): the device objects XenBus (and sibling interfaces XenCons/CVE-2025-27462 and XenIface/CVE-2025-27463) expose to userspace are created without any security descriptor/ACL, so Windows applies overly permissive default access and any unprivileged user can open and issue requests to a channel intended for privileged code. The affected component per CPE is cpe:2.3:a:xen:windows_pv_drivers.
RemediationAI
Patch available per vendor advisory: apply the fixed Windows PV driver builds referenced in Xen Security Advisory XSA-468 (https://xenbits.xen.org/xsa/advisory-468.html), which adds proper security descriptors/ACLs to the exposed device interfaces. Because all three interfaces (XenBus, XenIface, XenCons) share the same incorrect-permissions root cause, update the full PV driver package rather than a single component. Where immediate patching is not possible, compensating controls include limiting who can obtain interactive/local logon on Windows guests (restrict local accounts and RDP to trusted admins), avoiding placing untrusted or multi-tenant workloads on affected guests, and - if operationally acceptable - restricting or tightening access to the affected Xen device objects; note the trade-off that hardening or removing these interfaces can break paravirtualized device functionality and degrade guest performance. No exact fixed version string was supplied in the input, so verify the target build directly against XSA-468 before deployment.
More in Windows Pv Drivers
View allLocal privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenIface interface is expose
Local privilege escalation in the Xen Windows PV Drivers (the XenCons paravirtualized console interface) lets any unpriv
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210445
GHSA-jmgg-9rvf-m69w