criticalCVE-2025-58151

XAPI varstored UEFI Variable TOCTOU Vulnerability

varstored is a component of the Xapi toolstack handling UEFI Variables for a VM. It has a communication path with OVMF inside the VM involving mapping a buffer prepared by OVMF. Within varstored, there were insufficient compiler barriers, creating TOCTOU issues with data in the shared buffer. The exact vulnerable behaviour depends on the code generated by the compiler. In a build of varstored using default settings, the attacker can control an index used in a jump table.

ProductXAPI varstored
CVSS9.4
EPSSNot scored yet
UpdatedJuly 9, 2026

Quick answer

Xen Project XAPI varstored should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Affected XAPI varstored versions according to XSA-478

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

XAPI varstored is affected by TOCTOU issues involving UEFI variable handling through OVMF shared buffers. Apply the vendor update for XSA-478 and review VM configurations that use UEFI firmware. Because exploitation depends on VM-controlled data, prioritize untrusted tenant VMs and hosts running affected XAPI toolstack components.

  1. Inventory XAPI-based hosts and identify VMs using UEFI firmware and varstored.
  2. Apply the XenServer, XCP-ng, Citrix Hypervisor, or vendor update for XSA-478 covering CVE-2025-58151.
  3. Restrict untrusted VM creation or UEFI variable operations until patched hosts are verified.
  4. Review host logs, varstored logs, VM crash data, and unusual UEFI variable behavior for exploitation indicators.
  5. Migrate or reboot VMs according to vendor guidance so patched toolstack components are active.
  6. Rotate host and pool administrator credentials if guest-to-host compromise is suspected.
  7. Rebuild or isolate hosts where varstored integrity cannot be verified.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm the platform update for XSA-478 and CVE-2025-58151 is installed on all hosts.
  • Validate UEFI VMs boot and manage variables correctly after remediation.
  • Review varstored and host telemetry for suspicious shared-buffer behavior or crashes.
  • Test VM lifecycle, migration, snapshot, and UEFI boot workflows after the update.
  • Run a Fixnx scan and confirm no public hypervisor management interface is exposed.

Related categories

Trusted references

FAQ

What is affected by CVE-2025-58151?

Xen Project XAPI varstored versions listed as affected should be reviewed: Affected XAPI varstored versions according to XSA-478.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.