Skip to main content

varstored CVE-2025-58151

| EUVDEUVD-2025-210447 CRITICAL
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-07-09 XEN GHSA-78gx-8v3c-jqwc
9.4
CVSS 4.0 · Vendor: XEN
Share

Severity by source

Vendor (XEN) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Attacker runs in a co-resident UEFI guest (AV:L); winning a compiler-dependent TOCTOU race warrants AC:H; guest-to-dom0 escape is a scope change (S:C) with full host impact.

3.1 AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (XEN).

CVSS VectorVendor: XEN

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 16:28 vuln.today

DescriptionCVE.org

varstored is a component of the Xapi toolstack handling UEFI Variables for a VM. It has a communication path with OVMF inside the VM involving mapping a buffer prepared by OVMF.

Within varstored, there were insufficient compiler barriers, creating TOCTOU issues with data in the shared buffer.

The exact vulnerable behaviour depends on the code generated by the compiler. In a build of varstored using default settings, the attacker can control an index used in a jump table.

AnalysisAI

Guest-to-host privilege escalation in varstored, the Xapi (XenServer/XCP-ng/Citrix Hypervisor) toolstack daemon that services UEFI variable requests for VMs, allows a malicious guest to corrupt control flow in the host-side process. Missing compiler barriers on a buffer shared with in-guest OVMF create a time-of-check/time-of-use race (CWE-367) that, in default builds, lets the attacker control an index into a jump table - yielding attacker-influenced execution in the toolstack. Tracked as Xen Security Advisory XSA-478 with a CVSS 4.0 base score of 9.4; no public exploit identified at time of analysis and not listed in CISA KEV.

Technical ContextAI

varstored runs in the control domain (dom0) as part of the Xapi toolstack and emulates UEFI variable storage for guests. It communicates with OVMF (the UEFI firmware) inside the VM through a memory buffer that OVMF prepares and varstored maps. Because varstored lacked sufficient compiler barriers when reading this shared region, the compiler was free to reorder or re-read fields, so validated values could change between the check and the use - the classic TOCTOU pattern of CWE-367 (Time-of-check Time-of-use Race Condition). The concrete impact is compiler-dependent: in a build with default settings, the generated code allowed a guest-controlled value to reach an index used in a jump table, turning a data race into control-flow influence. The single affected product per the CPE is cpe:2.3:a:xen:varstored (all versions until patched).

RemediationAI

Apply the varstored fix distributed through Xen Security Advisory XSA-478 (https://xenbits.xen.org/xsa/advisory-478.html) - the advisory carries the patch and the exact fixed builds; a released patched version number is not independently confirmed here, so use the version referenced in XSA-478 for your distribution (XenServer/Citrix Hypervisor/XCP-ng packages). Until patched, the most direct compensating control is to avoid running untrusted guests with UEFI firmware: configure sensitive workloads to boot via the legacy BIOS/hvmloader path rather than OVMF so the varstored communication buffer is not exercised, accepting that UEFI-dependent guests (Secure Boot, some modern OS installs) cannot use this mode. Additionally, restrict which tenants can launch UEFI VMs and keep guest workloads you do not fully trust off hosts that also run UEFI guests, since the attack originates from within a guest. Coordinate timing using the oss-security notice (http://www.openwall.com/lists/oss-security/2026/01/27/2).

Share

CVE-2025-58151 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy