
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-25604 is a race condition vulnerability discovered in Xen through version 4.14.x, disclosed on September 22, 2020. The vulnerability affects the timer migration process between x86 HVM vCPUs, where the locking model allows a second vCPU of the same guest to release a lock it didn't acquire. This vulnerability specifically impacts x86 systems running HVM guests with more than one vCPU, while Arm systems and x86 PV/PVH configurations are not affected (Xen Advisory).
The vulnerability stems from a synchronization issue in the timer migration mechanism between x86 HVM vCPUs. When the timers of an x86 HVM guest are migrated between its vCPUs, the implemented locking model contains a flaw that permits improper lock handling. The CVSS v3.1 base score is 4.7 (MEDIUM) with a vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local attack vector and high attack complexity (NVD).
The primary impact of this vulnerability is a potential Denial of Service (DoS) condition, most likely resulting in a hang or crash of the hypervisor. The vulnerability does not affect data confidentiality or integrity (Xen Advisory, AWS Security).
The primary mitigation is to update to patched versions of Xen. For systems unable to update immediately, running only PV and PVH guests will avoid the vulnerability. Multiple Linux distributions have released security updates, including Debian (4.11.4+37-g3263f257ca-1), Fedora, and openSUSE (Debian Advisory, Gentoo Advisory).
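To decide which guests to patch or convert first, the affected shape described above (x86 HVM guest with more than one vCPU) can be checked against guest configuration files. The following is an added example, not code from the Xen advisory or the Xen project; it assumes guests are defined in xl.cfg-style files using the `type`/`builder`, `vcpus` and `maxvcpus` keys, and the sample configs are constructed for illustration.

```python
import re

_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')

def parse_xl_cfg(text):
    """Collect top-level scalar key/value pairs from xl.cfg-style text."""
    cfg = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]  # naive comment strip; enough for these keys
        m = _ASSIGN.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"\'')
    return cfg

def guest_type(cfg):
    # "type" is the current key; older configs use builder="hvm".
    # With neither present, xl's documented default guest type is PV.
    if 'type' in cfg:
        return cfg['type'].lower()
    return 'hvm' if cfg.get('builder', '').lower() == 'hvm' else 'pv'

def _as_int(value, default=1):
    try:
        return int(value)
    except (TypeError, ValueError):
        return default

def is_exposed(text):
    """True for the affected shape: HVM guest that can run more than one vCPU."""
    cfg = parse_xl_cfg(text)
    # Assumption: maxvcpus is counted too, since vCPUs can be added after boot.
    vcpus = max(_as_int(cfg.get('vcpus')), _as_int(cfg.get('maxvcpus')))
    return guest_type(cfg) == 'hvm' and vcpus > 1

def exposed_guests(configs):
    """configs maps a file name to its text; returns the flagged names, sorted."""
    return sorted(name for name, text in configs.items() if is_exposed(text))

# Constructed sample configs (hypothetical guest names).
SAMPLES = {
    'web01.cfg':   'name = "web01"\ntype = "hvm"\nvcpus = 4\n',
    'legacy.cfg':  'name = "legacy"\nbuilder = "hvm"\nvcpus = 2  # old syntax\n',
    'db01.cfg':    'name = "db01"\ntype = "pvh"\nvcpus = 8\n',
    'single.cfg':  'name = "single"\ntype = "hvm"\nvcpus = 1\n',
    'hotplug.cfg': 'name = "hotplug"\ntype = "hvm"\nvcpus = 1\nmaxvcpus = 4\n',
    'pvdef.cfg':   'name = "pvdef"\nvcpus = 2\n',
}

if __name__ == '__main__':
    for name in exposed_guests(SAMPLES):
        print(f'{name}: HVM with more than one vCPU, in scope for CVE-2020-25604')
```

Guests flagged here only indicate the affected configuration; whether the host is still vulnerable depends on whether its Xen build carries the fix.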
AWS acknowledged the vulnerability and confirmed that Nitro-based instances were not affected. They implemented fleet-wide updates to address the vulnerability while noting that it posed no risk to confidentiality or integrity of customer data (AWS Security).
Source: This report was generated using AI