Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <E1wMpYl-001fwg-1X@xenbits.xenproject.org>
Date: Tue, 12 May 2026 16:02:15 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 490 v1 (CVE-2025-54518) - x86: CPU Opcode
 Cache corruption

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2025-54518 / XSA-490

                   x86: CPU Opcode Cache corruption

ISSUE DESCRIPTION
=================

AMD have disclosed a potential vulnerability in certain CPUs which can
cause instructions to execute at a higher privilege.

For more information, see:
  https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html

IMPACT
======

Code of any privilege could escalate to a higher privilege, including
userspace to kernel, and guest to host.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Only AMD Fam17h CPUs (Zen2 microarchitecture) are believed to be
vulnerable.  Other AMD CPUs and CPUs from other manufacturers are not
known to be affected.

MITIGATION
==========

There are no mitigations.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

For Xen 4.17, patch 1 is a backport of a change which only went back as
far as 4.18 under normal bugfix rules, but which is tightly texturally
coupled with the XSA-940 fix.  It is possible to rework patch 2 to avoid
patch 1, but a number of Xen-focused downstreams already have patch 1
backported, and those without patch 1 really ought to take it.  So,
while this is slightly abnormal for an XSA, it is believed to be in the
best interest of everyone with a 4.17 based Xen.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa490.patch           xen-unstable
xsa490-4.21.patch      Xen 4.21.x - Xen 4.18.x
xsa490-4.17-?.patch    Xen 4.17.x

$ sha256sum xsa490*
7c256d3384bf640d171ae2f18930c193a72bbdd92ebeb8942e58634dd7b27439  xsa490.patch
4d64d95937630f2147bb69d0d0ff24fc7d97efd48e376d882265662f93886ec7  xsa490-4.17-1.patch
6c717a5bd914088463c74b89893672388848a2222165478aed63b6c2a4151e28  xsa490-4.17-2.patch
1e397550a542bc0957bf93a6e6f01ffcdfe8f005697a505c62ec6120a72d3f90  xsa490-4.21.patch
$
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmoDTuQMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZn38H/2xujQ3YDEsE2U8RiH/6M1yVxnATlCEqEPBxIcVX
h6W4QMzlFw/IXZBi6twduuzMME2uX6eKWCbE9riw2v4lybgNYMxV20oW86LhjLwr
uL1NHJ3Fop1IuRy+po20jmT9sPfpieHU9zGmFvgd/k91gSZ1b/5G8k36MtgODL0j
4Svsdo3LYSvULQn5EymjO/t57ZZIDBWj5Od7aBbPuGkQKtW6+/UCE0JnrzOtP+Di
0Y5bBSUhwrMh0h32AV/w2nwvFQN/EeyakfjDWQc1ST6wHzFMLSo2kaY40TZ6C+T8
RnN646ouPizmiSDu2G/dMrLJ5kc3PFqQvN3JRI4dyf075yg=
=Dclq
-----END PGP SIGNATURE-----

Download attachment "xsa490.patch" of type "application/octet-stream" (1240 bytes)

Download attachment "xsa490-4.17-1.patch" of type "application/octet-stream" (15070 bytes)

Download attachment "xsa490-4.17-2.patch" of type "application/octet-stream" (1231 bytes)

Download attachment "xsa490-4.21.patch" of type "application/octet-stream" (1231 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.