Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <E1wDma4-007har-1n@xenbits.xenproject.org>
Date: Fri, 17 Apr 2026 17:02:12 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 488 v1 - x86: Floating Point Divider State
 Sampling

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-488

              x86: Floating Point Divider State Sampling

ISSUE DESCRIPTION
=================

Researchers from the CISPA Helmholtz Center for Information Security have
discovered Floating Point Divider State Sampling.  It is detailed in a paper
titled "TREVEX: A Black-Box Detection Framework For Data-Flow Transient
Execution Vulnerabilities"

For more information, see:
  https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7053.html
  https://roots.ec/blog/fpdss/

IMPACT
======

An attacker might be able to infer data belonging to other contexts,
including data belonging to other guests.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Only AMD Fam17h CPUs (Zen1 microarchitecture) are believed to be
vulnerable.  Other AMD CPUs and CPUs from other manufacturers are not
known to be affected.

MITIGATION
==========

There are no mitigations.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa488.patch           xen-unstable - Xen 4.21.x
xsa488-4.20.patch      Xen 4.20.x - Xen 4.19.x
xsa488-4.18.patch      Xen 4.18.x
xsa488-4.17.patch      Xen 4.17.x

$ sha256sum xsa488*
3dde61413eb75cb65fbd20b58165f673f9f4610804ec532ff0bf3c3f469454c1  xsa488.patch
7822abb0ed5a5f8e2b8697db41d46e030fd69bf8ca8cb965022484b287d9ea26  xsa488-4.17.patch
6668f9d1433863522b8554dc324f57efcfcf3e00c9261c0ee5c2db17f63bccd6  xsa488-4.18.patch
275c35d05951c4583056904869183972b9699549f0ec59f946faa92d5cef4b21  xsa488-4.20.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmnhBsUMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZR90IAJ4bu4Ig/J4NOiTOPysLApkrzjyqrrDFqVvsUJe7
UDyll64Yuj4ljj25nDewGDG14EgdMJwqsWqM9gKl07eTzKnOxzzlsymyvX8BxiMt
F7hlcsc2WW96jE2FMNpNUjoBTORQ6u+rYsG1J7Kv85PdM4KHivrXzXRswTQlGWBU
d3VFnyQYE6jIGNGz1WXgA0/CxkdkTUAC0iN0NB6PSlurfkGCDqJEE3/LrTGWUEhI
T30jEc4cCjfukI4YtrCiecCKtSUvzdiRZ+5ZLYrzOYePBOmGOXrxlFfHt4zE6mK0
J9IzVS5BJJVhXjQWZyoZdDgFKMlk6rTQy73hWyPNFyBUiY4=
=xsxg
-----END PGP SIGNATURE-----

Download attachment "xsa488.patch" of type "application/octet-stream" (2380 bytes)

Download attachment "xsa488-4.17.patch" of type "application/octet-stream" (2357 bytes)

Download attachment "xsa488-4.18.patch" of type "application/octet-stream" (2339 bytes)

Download attachment "xsa488-4.20.patch" of type "application/octet-stream" (2389 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.