CVE-2025-58143: 
NixOS vulnerability analysis and mitigation

A race condition vulnerability was discovered in Xen's viridian implementation during the mapping of the reference TSC page, identified as CVE-2025-58143. The vulnerability affects Xen versions 4.13 and newer, specifically impacting x86 HVM guests with the reference_tsc or stimer viridian extensions enabled. The issue was discovered by Roger Pau Monné of XenServer and was publicly disclosed on September 9, 2025 (Xen Advisory).

The vulnerability involves a race condition in the mapping of the reference TSC page, where a guest can manipulate Xen to free a page while it remains present in the guest physical to machine (p2m) page tables. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (Ubuntu Security).

The exploitation of this vulnerability can lead to multiple severe consequences including denial of service (DoS) affecting the entire host, information leaks, or elevation of privilege. The high CVSS score reflects the critical nature of these potential impacts (Xen Advisory).

As a primary mitigation, administrators can disable the reference_tsc and stimer viridian extensions to avoid the issues. Additionally, patches have been released to resolve the vulnerability, available through the Xen Project security advisory. System administrators are encouraged to update to the tip of the stable branch before applying these patches (Xen Advisory).