diff --git a/xen.spec b/xen.spec index 4213c7e..f1878f4 100644 --- a/xen.spec +++ b/xen.spec @@ -46,7 +46,7 @@ Summary: Xen is a virtual machine monitor Name: xen Version: 4.3.1 -Release: 1%{?dist} +Release: 2%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ @@ -99,6 +99,7 @@ Patch19: xen.pygrubtitlefix.patch Patch20: xen.xsm.enable.patch Patch21: xen.64.bit.hyp.on.ix86.patch Patch22: xsa73-4.3-unstable.patch +Patch23: xsa75-4.3-unstable.patch Patch100: xen-configure-xend.patch @@ -280,6 +281,7 @@ manage Xen virtual machines. %patch21 -p1 %endif %patch22 -p1 +%patch23 -p1 %patch100 -p1 @@ -812,10 +814,14 @@ rm -rf %{buildroot} %endif %changelog +* Sat Nov 09 2013 Michael Young - 4.3.1-2 +- Host crash due to HVM guest VMX instruction execution + [XSA-75, CVE-2013-4551] (#1028599) + * Fri Nov 01 2013 Michael Young - 4.3.1-1 - update to xen-4.3.1 - Lock order reversal between page allocation and grant table locks - [XSA-73, CVE-2013-4494] + [XSA-73, CVE-2013-4494] (#1026248) * Tue Oct 29 2013 Michael Young - 4.3.0-10 - ocaml xenstored mishandles oversized message replies diff --git a/xsa75-4.3-unstable.patch b/xsa75-4.3-unstable.patch new file mode 100644 index 0000000..b3724c3 --- /dev/null +++ b/xsa75-4.3-unstable.patch 
@@ -0,0 +1,55 @@
+nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing
+
+Otherwise uninitialized data may be used, leading to crashes.
+
+This is XSA-75.
+
+Reported-and-tested-by: Jeff Zimmerman
+Signed-off-by: Jan Beulich
+Reviewed-and-tested-by: Andrew Cooper
+
+--- a/xen/arch/x86/hvm/vmx/vvmx.c
++++ b/xen/arch/x86/hvm/vmx/vvmx.c
+@@ -1509,15 +1509,10 @@ static void clear_vvmcs_launched(struct
+ }
+ }
+
+-int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
++static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
+ {
+ struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
+ struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
+- int rc;
+-
+- rc = vmx_inst_check_privilege(regs, 0);
+- if ( rc != X86EMUL_OKAY )
+- return rc;
+
+ /* check VMCS is valid and IO BITMAP is set */
+ if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
+@@ -1536,6 +1531,10 @@ int nvmx_handle_vmresume(struct cpu_user
+ struct vcpu *v = current;
+ struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
+ struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
++ int rc = vmx_inst_check_privilege(regs, 0);
++
++ if ( rc != X86EMUL_OKAY )
++ return rc;
+
+ if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
+ {
+@@ -1555,10 +1554,13 @@ int nvmx_handle_vmresume(struct cpu_user
+ int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
+ {
+ bool_t launched;
+- int rc;
+ struct vcpu *v = current;
+ struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
+ struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
++ int rc = vmx_inst_check_privilege(regs, 0);
++
++ if ( rc != X86EMUL_OKAY )
++ return rc;
+
+ if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
+ {
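Review bot: The now-static `nvmx_vmresume` in the embedded vvmx.c hunk at -1509 no longer performs any permission check, and nothing in the new code records that its callers must do so first. The patch moves `vmx_inst_check_privilege(regs, 0)` to the top of `nvmx_handle_vmresume` and `nvmx_handle_vmlaunch`, so the helper's safety presumably depends on being reached only through those two entry points. A one-line comment above the helper would guard against a later caller reintroducing the XSA-75 ordering problem, e.g. `/* Callers must already have passed vmx_inst_check_privilege(); no permission check is done here. */`. The other nested-VMX instruction handlers are not visible in this patch, so whether they also check privilege before reading per-vCPU nested state cannot be confirmed from here and is worth verifying. All three function bodies continue outside the hunks shown.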