Alpine: multiple xen packages: security update to 4.20.2-r1

high Tenable Self-Hosted Container Security Plugin ID 437350

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of
these variables are written to with guest controlled data, of guest controllable size. That size can be
larger than the variable, and bounding of the writes was missing. (CVE-2025-58150)

- In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which
it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest
kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves
to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2,
issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task
1's training still in the BTB. (CVE-2026-23553)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-58150

https://security.alpinelinux.org/vuln/CVE-2026-23553

Plugin Details

Severity: High

ID: 437350

Version: Revision 1.6

Type: Local

Published: 1/28/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-58150

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 7/10/2025

Reference Information

CVE: CVE-2025-58150, CVE-2026-23553

IAVB: 2025-B-0113