CVE-2025-58151 PUBLISHED

varstored: TOCTOU issues with mapped guest memory

Assigner: XEN
Reserved: 26.08.2025 Published: 09.07.2026 Updated: 09.07.2026

varstored is a component of the Xapi toolstack handling UEFI Variables for a VM. It has a communication path with OVMF inside the VM involving mapping a buffer prepared by OVMF.

Within varstored, there were insufficient compiler barriers, creating TOCTOU issues with data in the shared buffer.

The exact vulnerable behaviour depends on the code generated by the compiler. In a build of varstored using default settings, the attacker can control an index used in a jump table.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Product Status

Vendor Xen
Product varstored
Versions Default: unaffected
  • Version all is affected

Credits

  • This issue was discovered by Teddy Astie of Vates. finder

References

Problem Types

  • CWE-367 Time-of-check time-of-use (TOCTOU) race condition CWE

Impacts

  • CAPEC-233 Privilege Escalation