Alpine: multiple xen packages: security update to 4.20.1-r0

medium Tenable Cloud Security Plugin ID 428358

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A transient execution vulnerability in some AMD processors may allow an attacker to infer data from
previous stores, potentially resulting in the leakage of privileged information. (CVE-2024-36350)

- A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D
cache, potentially resulting in the leakage of sensitive information across privileged boundaries.
(CVE-2024-36357)

- Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by
replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be
handled gracefully. Certain replayed instructions have additional logic to set up and recover the changes
to the arithmetic flags. For replayed instructions where the flags recovery logic is used, the metadata
for exception handling was incorrect, preventing Xen from handling the the exception gracefully, treating
it as fatal instead. (CVE-2025-27465)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-36350

https://security.alpinelinux.org/vuln/CVE-2024-36357

https://security.alpinelinux.org/vuln/CVE-2025-27465

Plugin Details

Severity: Medium

ID: 428358

Version: Revision 1.8

Type: Local

Published: 7/11/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.3

Percentile: 96.43

CVSS v2

Risk Factor: Low

Base Score: 3.8

Temporal Score: 2.8

Vector: CVSS2#AV:L/AC:H/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2024-36357

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 4.9

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 7/8/2025

Reference Information

CVE: CVE-2024-36350, CVE-2024-36357, CVE-2025-27465

IAVB: 2025-B-0113