Skip to main content

Xen PV Drivers CVE-2025-27464

| EUVDEUVD-2025-210445 CRITICAL
Incorrect Default Permissions (CWE-276)
2026-07-09 XEN GHSA-jmgg-9rvf-m69w
9.4
CVSS 4.0 · Vendor: XEN
Share

Severity by source

Vendor (XEN) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.3 CRITICAL

Any unprivileged local user can open the ACL-less XenBus interface (AV:L, PR:N, UI:N), and escalation crosses the guest/hypervisor trust boundary with full impact, giving S:C and C/I/A:H.

3.1 AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (XEN).

CVSS VectorVendor: XEN

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 16:31 vuln.today
CVE Published
Jul 09, 2026 - 14:35 cve.org
CRITICAL 9.4

DescriptionCVE.org

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464

AnalysisAI

Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenBus interface (CVE-2025-27464) is exposed to userspace with no security descriptor, leaving it fully accessible to any unprivileged user on a Windows guest. Because XenBus mediates communication between the guest and the hypervisor's device backend, an unprivileged local user can abuse this open interface to gain elevated privileges and potentially impact the guest and the virtualization layer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is documented in Xen Security Advisory XSA-468.

Technical ContextAI

Xen PV drivers are paravirtualized device drivers installed inside a Windows guest running on a Xen-based hypervisor; they replace emulated hardware with fast, direct channels to the Xen backend. XenBus is the core driver that manages the shared 'store' and event/grant plumbing used to connect guest frontends to host backends, so it is a privileged bridge between userspace and the hypervisor boundary. The root cause is CWE-276 (Incorrect Default Permissions): the device objects XenBus (and sibling interfaces XenCons/CVE-2025-27462 and XenIface/CVE-2025-27463) expose to userspace are created without any security descriptor/ACL, so Windows applies overly permissive default access and any unprivileged user can open and issue requests to a channel intended for privileged code. The affected component per CPE is cpe:2.3:a:xen:windows_pv_drivers.

RemediationAI

Patch available per vendor advisory: apply the fixed Windows PV driver builds referenced in Xen Security Advisory XSA-468 (https://xenbits.xen.org/xsa/advisory-468.html), which adds proper security descriptors/ACLs to the exposed device interfaces. Because all three interfaces (XenBus, XenIface, XenCons) share the same incorrect-permissions root cause, update the full PV driver package rather than a single component. Where immediate patching is not possible, compensating controls include limiting who can obtain interactive/local logon on Windows guests (restrict local accounts and RDP to trusted admins), avoiding placing untrusted or multi-tenant workloads on affected guests, and - if operationally acceptable - restricting or tightening access to the affected Xen device objects; note the trade-off that hardening or removing these interfaces can break paravirtualized device functionality and degrade guest performance. No exact fixed version string was supplied in the input, so verify the target build directly against XSA-468 before deployment.

Share

CVE-2025-27464 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy