Skip to main content

Xen Windows PV Drivers EUVDEUVD-2025-210443

| CVE-2025-27462 CRITICAL
Incorrect Default Permissions (CWE-276)
2026-07-09 XEN GHSA-8q95-g4m7-2crp
Critical
Disputed · 9.4 Vendor: XEN
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (XEN) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Local unprivileged account required so AV:L/PR:L, no user interaction; missing ACL lets escalation cross from the driver into the guest OS (S:C) with full C/I/A loss.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SUSE
MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: XEN

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 16:34 vuln.today
CVE Published
Jul 09, 2026 - 14:27 cve.org
CRITICAL 9.4

DescriptionCVE.org

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]

The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are:

  1. XenCons, CVE-2025-27462
  2. XenIface, CVE-2025-27463
  3. XenBus, CVE-2025-27464

AnalysisAI

Local privilege escalation in the Xen Windows PV Drivers (the XenCons paravirtualized console interface) lets any unprivileged user of a Windows guest reach a device object that ships with no security descriptor, so its facilities are fully accessible to non-administrators. Successful abuse can yield full compromise of the guest with integrity, confidentiality and availability impact, and the vendor scores it critical (CVSS 4.0 base 9.4) with subsequent-system impact. There is no public exploit identified at time of analysis and it is not on CISA KEV. This is one of three related XSA-468 issues (XenCons/CVE-2025-27462, XenIface/CVE-2025-27463, XenBus/CVE-2025-27464).

Technical ContextAI

Xen PV (paravirtualized) drivers are installed inside Windows guests running on the Xen hypervisor to provide fast disk, network, console and management channels between the guest and the host/toolstack. The affected interface here, XenCons, is the PV console facility exposed to userspace. The root cause maps to CWE-276 (Incorrect Default Permissions): the device object created by the driver has no security descriptor (DACL) attached, so Windows applies effectively open access and any unprivileged process in the guest can open and interact with a facility that should be restricted to privileged or system callers. The affected CPE is cpe:2.3:a:xen:windows_pv_drivers:*:*:*:*:*:*:*:* - i.e. the Xen-supplied Windows guest driver package, independent of the specific Windows version.

RemediationAI

Apply the corrected Xen Windows PV Drivers from Xen Security Advisory XSA-468 (https://xenbits.xen.org/xsa/advisory-468.html), which adds proper security descriptors to the affected device objects; no exact fixed version string is given in the provided data, so obtain the patched driver build referenced by XSA-468 rather than assuming a version number (Upstream fix available per vendor advisory; released patched version not independently confirmed here). Where immediate patching of a guest is not possible, compensating controls are limited because the exposure is inside the guest: restrict the set of users who can log in interactively or run code on affected Windows guests (reducing the pool of local unprivileged accounts that could abuse XenCons), and treat any multi-user or shell-hosting Windows guest on Xen as higher risk. Because the weakness is a missing ACL on a driver-created object, there is no safe in-guest configuration toggle to remove access without the patch, so prioritize deploying the corrected drivers across all Windows guests, including templates and golden images.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Micro 5.3 Not-Affected
SUSE Linux Enterprise Micro 5.4 Not-Affected
SUSE Linux Enterprise Micro 5.5 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP4 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Not-Affected

Share

EUVD-2025-210443 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy