Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker runs in a co-resident UEFI guest (AV:L); winning a compiler-dependent TOCTOU race warrants AC:H; guest-to-dom0 escape is a scope change (S:C) with full host impact.
Primary rating from Vendor (XEN).
CVSS VectorVendor: XEN
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
varstored is a component of the Xapi toolstack handling UEFI Variables for a VM. It has a communication path with OVMF inside the VM involving mapping a buffer prepared by OVMF.
Within varstored, there were insufficient compiler barriers, creating TOCTOU issues with data in the shared buffer.
The exact vulnerable behaviour depends on the code generated by the compiler. In a build of varstored using default settings, the attacker can control an index used in a jump table.
AnalysisAI
Guest-to-host privilege escalation in varstored, the Xapi (XenServer/XCP-ng/Citrix Hypervisor) toolstack daemon that services UEFI variable requests for VMs, allows a malicious guest to corrupt control flow in the host-side process. Missing compiler barriers on a buffer shared with in-guest OVMF create a time-of-check/time-of-use race (CWE-367) that, in default builds, lets the attacker control an index into a jump table - yielding attacker-influenced execution in the toolstack. Tracked as Xen Security Advisory XSA-478 with a CVSS 4.0 base score of 9.4; no public exploit identified at time of analysis and not listed in CISA KEV.
Technical ContextAI
varstored runs in the control domain (dom0) as part of the Xapi toolstack and emulates UEFI variable storage for guests. It communicates with OVMF (the UEFI firmware) inside the VM through a memory buffer that OVMF prepares and varstored maps. Because varstored lacked sufficient compiler barriers when reading this shared region, the compiler was free to reorder or re-read fields, so validated values could change between the check and the use - the classic TOCTOU pattern of CWE-367 (Time-of-check Time-of-use Race Condition). The concrete impact is compiler-dependent: in a build with default settings, the generated code allowed a guest-controlled value to reach an index used in a jump table, turning a data race into control-flow influence. The single affected product per the CPE is cpe:2.3:a:xen:varstored (all versions until patched).
RemediationAI
Apply the varstored fix distributed through Xen Security Advisory XSA-478 (https://xenbits.xen.org/xsa/advisory-478.html) - the advisory carries the patch and the exact fixed builds; a released patched version number is not independently confirmed here, so use the version referenced in XSA-478 for your distribution (XenServer/Citrix Hypervisor/XCP-ng packages). Until patched, the most direct compensating control is to avoid running untrusted guests with UEFI firmware: configure sensitive workloads to boot via the legacy BIOS/hvmloader path rather than OVMF so the varstored communication buffer is not exercised, accepting that UEFI-dependent guests (Secure Boot, some modern OS installs) cannot use this mode. Additionally, restrict which tenants can launch UEFI VMs and keep guest workloads you do not fully trust off hosts that also run UEFI guests, since the attack originates from within a guest. Coordinate timing using the oss-security notice (http://www.openwall.com/lists/oss-security/2026/01/27/2).
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210447
GHSA-78gx-8v3c-jqwc