The Qubes team just dropped the first candidate for version 4.3.1, packing in essential security patches and upgrading the default Fedora template to forty three since the older release already hit end of life. Testing this build properly means running a clean install rather than an in place upgrade, which actually exercises the installer routines that often hide stubborn bugs. Users restoring older backups should watch for a known quirk where templates might still point at outdated repository mirrors until they manually update their sources. If testers keep things stable over the next couple of weeks, expect the official release to drop before long.
Qubes OS released an advisory warning that a specific Intel processor flaw might let attackers extract information from isolated virtual environments on affected hardware. Official documentation from Intel remains incomplete, which forces security analysts to guess how badly cross qube data leaks could impact actual users. System owners simply need to wait for the community validated microcode updates to move into stable repositories before running a standard update cycle.
QSB-114: Intel CPU data exposure vulnerability
QSB-114: Intel CPU data exposure vulnerability
Qubes OS released Security Bulletin 113 to patch XSA-490, a processor flaw in AMD Zen 2 chips that could allow malicious code to escape virtual machine sandboxes and gain full kernel privileges. Only systems running that specific microarchitecture face this risk since Intel CPUs and other AMD designs remain completely unaffected. You can fix the problem by installing the updated Xen packages through the normal Qubes Update interface followed by a full system restart in dom0. People using Anti Evil Maid should remember to reseal their secret passphrase because the underlying security measurements will change once the new binaries take over.
QSB-113: AMD CPU Opcode Cache corruption (XSA-490)
QSB-113: AMD CPU Opcode Cache corruption (XSA-490)
Qubes OS 4.2 officially drops all security support, leaving any lingering installations completely exposed to unpatched vulnerabilities. Users must migrate to version 4.3 through either a clean install that wipes dom0 customizations or an in-place upgrade tool designed to preserve them. The fresh installation route avoids technical headaches but forces a rebuild of modified settings, while the migration path keeps existing setups intact at the cost of navigating a fragile multi-stage process. Since every patch within the 4.2 branch shares the exact same expiration date, waiting past June guarantees running an unsupported system with zero maintenance backing it up.
Qubes Security Bulletin 112 addresses the Floating Point Divider State Sampling vulnerability, also tracked as XSA-488 or CVE-2025-54505, which could let attackers infer data from isolated virtual environments. The flaw specifically targets older AMD processors built on the Zen or Zen Plus microarchitecture, while newer chips and competing brands remain unaffected. Once the packages reach the stable repository, Qubes 4.2 and 4.3 users can install them via the regular update interface. A full system restart is required for the changes to take effect, and Anti Evil Maid owners must also reseal their passphrases since PCR values will shift.
QSB-112: Floating Point Divider State Sampling (XSA-488)
QSB-112: Floating Point Divider State Sampling (XSA-488)
Qubes OS has issued security bulletin 111 highlighting a login bypass issue within the xfce4-screensaver tool that affects version 4.3 configurations. The vulnerability creates a short window during display changes or activation where input bypasses the screensaver and targets the underlying application directly. While exploiting this requires physical access and automation, an attacker could theoretically send commands fast enough to disable the screensaver before it fully engages. Users must install the security updates for dom0 and GUI templates before restarting their system so that the patches take proper effect.
QSB-111: xfce4-screensaver login bypass
QSB-111: xfce4-screensaver login bypass
A vulnerability in the Intel EPT paging code allows attackers to access unintended memory regions due to transiently cached freed pages. This bulletin impacts Qubes OS systems running on x86 Intel hardware where stale entries could point to memory ranges not owned by the guest. Users must apply standard updates to install specific Xen packages like version 4.17.6-3 or 4.19.4-5 based on their Qubes version. After a Dom0 restart, Anti Evil Maid users will need to reseal their secret passphrase as PCR values change due to new Xen binaries.
Qubes OS 4.3.0 has been released with several significant updates that improve security, usability, and performance. Key changes include an upgraded base system using Fedora 41 and the latest Xen Hypervisor version, which powers Qubes' isolation model, as well as improved support for Linux templates and Windows tools integration. The update also brings new features such as preloaded disposable qubes, simplified device handling through a New Devices API, and enhanced GUI with flat icons and customizable background colors.
Qubes OS 4.3.0-rc4 has been released as another step towards the final stable version, introducing updates such as Dom0 switching to Fedora 41 and Xen being updated to version 4.19. Additionally, the developers have incorporated several new features, including improved hardware setup using preloaded disposables and a refreshed New Devices API for more control over managing hardware. The testing process is ongoing, with bug reports being gathered and fixes implemented before potentially releasing another RC if needed.
The third release candidate for Qubes OS 4.3.0 has been released for testing and offers numerous new features and enhancements over its predecessor, Qubes OS 4.2. Key improvements include an upgraded Dom0 to Fedora 41, Xen boosted to version 4.19, and the introduction of a "self-identity-oriented" assignment of devices known as the New Devices API. Additionally, Qubes OS 4.3 includes security features such as special settings for templates, improved support for SSL client certificates and GPG keys, and enhanced anonymity through Whonix-Workstation qubes.
Qubes OS 4.3.0-rc2 is now available for testing, featuring numerous new features and improvements over its predecessor, Qubes OS 4.2. The release includes upgrades to Fedora 41, Xen 4.19, and updated default templates, as well as preloaded disposables, a new device assignment mechanism, and improved Qubes Windows Tools.
The first release candidate for Qubes OS 4.3.0 has been released for testing, showcasing a variety of new features and enhancements compared to Qubes OS 4.2. The release features updates to Dom0, Xen, the default Fedora template, the Debian template, and the Whonix templates. Included are preloaded disposables, a device assignment focused on self-identity orientation, and enhanced Qubes Windows Tools. The stable release is contingent upon the quantity of bugs identified and their level of severity.
The release schedule documentation outlines the procedure for gathering bug reports, prioritizing them, and addressing the issues. If required, a new release candidate is issued, and the process proceeds until a stable release is announced. Testers have the option to upgrade to Qubes 4.3.0-rc1 through a clean installation or by performing an in-place upgrade from Qubes 4.2. It is advisable to perform a complete backup prior to testing, and seasoned users are invited to participate in the testing team. A release candidate represents a software build that may evolve into a stable release, provided that no significant bugs are identified during testing. Minor releases maintain backward compatibility with previous versions of the same major release.
The release of Qubes Security Bulletin (QSB) 108 talks about Transitive Scheduler Attacks (XSA-471), a new type of speculative side-channel attack found by Microsoft and ETH Zurich. The attacks leverage timing information derived from instruction execution, enabling attackers to breach a qube and deduce the contents of any system memory.
QSB-108: Transitive Scheduler Attacks (XSA-471)
QSB-108: Transitive Scheduler Attacks (XSA-471)
Qubes OS 4.2.4 has been released and represents a stable release that brings together security patches, bug fixes, and updates from the prior stable version. The installation method provided is both secure and convenient, utilising a current ISO. The update encompasses all security enhancements, bug resolutions, and an improved Fedora template. Additional information can be found on the downloads page.
Qubes OS 4.2.4-rc1 is now available for testing, incorporating security patches, bug fixes, and updates from the previous stable release. The ISO and verification files can be accessed on the downloads page. Qubes 4.2.4 encompasses all security updates, bug fixes, and features an upgraded Fedora template. Additional details are available in the Qubes OS 4.2 release notes.
A libxl security update is available for Qubes OS:
QSB-106: Information disclosure through uninitialized memory in libxl
QSB-106: Information disclosure through uninitialized memory in libxl
Qubes OS 4.2.has been released with the latest security patches, bug fixes, and other improvements. It provides a secure and convenient installation technique using an up-to-date ISO. The ISO and verification files are available on the downloads page. The release notes for Qubes OS 4.2 provide additional information.
Qubes OS 4.2.3-rc1 is here and ready for some serious testing. This update brings together all the security patches, bug fixes, and other updates that have been made since the last stable release.
Extended security support for Qubes OS 4.1 has ended as of yesterday.
