XAPI varstored UEFI Variable TOCTOU Vulnerability
varstored is a component of the Xapi toolstack handling UEFI Variables for a VM. It has a communication path with OVMF inside the VM involving mapping a buffer prepared by OVMF. Within varstored, there were insufficient compiler barriers, creating TOCTOU issues with data in the shared buffer. The exact vulnerable behaviour depends on the code generated by the compiler. In a build of varstored using default settings, the attacker can control an index used in a jump table.
Quick answer
Xen Project XAPI varstored should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Affected XAPI varstored versions according to XSA-478
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
XAPI varstored is affected by TOCTOU issues involving UEFI variable handling through OVMF shared buffers. Apply the vendor update for XSA-478 and review VM configurations that use UEFI firmware. Because exploitation depends on VM-controlled data, prioritize untrusted tenant VMs and hosts running affected XAPI toolstack components.
- Inventory XAPI-based hosts and identify VMs using UEFI firmware and varstored.
- Apply the XenServer, XCP-ng, Citrix Hypervisor, or vendor update for XSA-478 covering CVE-2025-58151.
- Restrict untrusted VM creation or UEFI variable operations until patched hosts are verified.
- Review host logs, varstored logs, VM crash data, and unusual UEFI variable behavior for exploitation indicators.
- Migrate or reboot VMs according to vendor guidance so patched toolstack components are active.
- Rotate host and pool administrator credentials if guest-to-host compromise is suspected.
- Rebuild or isolate hosts where varstored integrity cannot be verified.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the platform update for XSA-478 and CVE-2025-58151 is installed on all hosts.
- Validate UEFI VMs boot and manage variables correctly after remediation.
- Review varstored and host telemetry for suspicious shared-buffer behavior or crashes.
- Test VM lifecycle, migration, snapshot, and UEFI boot workflows after the update.
- Run a Fixnx scan and confirm no public hypervisor management interface is exposed.
Related categories
Trusted references
FAQ
What is affected by CVE-2025-58151?
Xen Project XAPI varstored versions listed as affected should be reviewed: Affected XAPI varstored versions according to XSA-478.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
