diff --git a/pkgs/applications/virtualization/xen/4.17/default.nix b/pkgs/applications/virtualization/xen/4.17/default.nix
index 2bf93a79be0d..d270c37f2ce8 100644
--- a/pkgs/applications/virtualization/xen/4.17/default.nix
+++ b/pkgs/applications/virtualization/xen/4.17/default.nix
@@ -16,6 +16,7 @@ let
     with upstreamPatches;
     [
       QUBES_REPRODUCIBLE_BUILDS
+      XSA_462
     ]
   );
 in
diff --git a/pkgs/applications/virtualization/xen/4.18/default.nix b/pkgs/applications/virtualization/xen/4.18/default.nix
index 2aa731b6f244..21d6de13f1b0 100644
--- a/pkgs/applications/virtualization/xen/4.18/default.nix
+++ b/pkgs/applications/virtualization/xen/4.18/default.nix
@@ -16,6 +16,7 @@ let
     with upstreamPatches;
     [
       QUBES_REPRODUCIBLE_BUILDS
+      XSA_462
     ]
   );
 in
diff --git a/pkgs/applications/virtualization/xen/4.19/default.nix b/pkgs/applications/virtualization/xen/4.19/default.nix
index 5b8cf5d21788..a1b133704285 100644
--- a/pkgs/applications/virtualization/xen/4.19/default.nix
+++ b/pkgs/applications/virtualization/xen/4.19/default.nix
@@ -18,6 +18,7 @@ let
       QUBES_REPRODUCIBLE_BUILDS
       XSA_460
       XSA_461
+      XSA_462
     ]
   );
 in
diff --git a/pkgs/applications/virtualization/xen/generic/patches.nix b/pkgs/applications/virtualization/xen/generic/patches.nix
index 35abfdd86a91..4bb58d5a4216 100644
--- a/pkgs/applications/virtualization/xen/generic/patches.nix
+++ b/pkgs/applications/virtualization/xen/generic/patches.nix
@@ -134,4 +134,26 @@ in
     cve = [ "CVE-2024-31146" ];
     hash = "sha256-JQWoqf47hy9WXNkVC/LgmjUhkxN0SBF6w8PF4aFZxhM=";
   };
+  # Xen Security Advisory #462: (4.16.6 - 4.19.0)
+  "XSA_462" = xsaPatch {
+    id = "462";
+    title = "x86: Deadlock in vlapic_error()";
+    description = ''
+      In x86's APIC (Advanced Programmable Interrupt Controller) architecture,
+      error conditions are reported in a status register.  Furthermore, the OS
+      can opt to receive an interrupt when a new error occurs.
+
+      It is possible to configure the error interrupt with an illegal vector,
+      which generates an error when an error interrupt is raised.
+
+      This case causes Xen to recurse through vlapic_error().  The recursion
+      itself is bounded; errors accumulate in the the status register and only
+      generate an interrupt when a new status bit becomes set.
+
+      However, the lock protecting this state in Xen will try to be taken
+      recursively, and deadlock.
+    '';
+    cve = [ "CVE-2024-45817" ];
+    hash = "sha256-01lzjaT2f69UfEdTUCkm92DDOmd+Mo8sNPZsHJfgJEM=";
+  };
 }