diff --git a/pkgs/applications/virtualization/xen/generic/patches.nix b/pkgs/applications/virtualization/xen/generic/patches.nix
index 33b4cdf8035e..35abfdd86a91 100644
--- a/pkgs/applications/virtualization/xen/generic/patches.nix
+++ b/pkgs/applications/virtualization/xen/generic/patches.nix
@@ -99,21 +99,6 @@ in
 })
 ];
- # Xen Security Advisory #458: (4.16.6 - 4.19-rc3)
- "XSA_458" = xsaPatch {
- id = "458";
- title = "Double unlock in x86 guest IRQ handling";
- description = ''
- An optional feature of PCI MSI called "Multiple Message" allows a device
- to use multiple consecutive interrupt vectors. Unlike for MSI-X, the
- setting up of these consecutive vectors needs to happen all in one go.
- In this handling an error path could be taken in different situations,
- with or without a particular lock held. This error path wrongly releases
- the lock even when it is not currently held.
- '';
- cve = [ "CVE-2024-31143" ];
- hash = "sha256-yHI9Sp/7Ed40iIYQ/HOOIULlfzAzL0c0MGqdF+GR+AQ=";
- };
 # Xen Security Advisory #460: (4.16.6 - 4.19.0)
 "XSA_460" = xsaPatch {
 id = "460";
diff --git a/pkgs/applications/virtualization/xen/update.sh b/pkgs/applications/virtualization/xen/update.sh
index a7318aef0324..185fee74774c 100755
--- a/pkgs/applications/virtualization/xen/update.sh
+++ b/pkgs/applications/virtualization/xen/update.sh
@@ -120,7 +120,7 @@ for version in "${supportedVersions[@]}"; do
 echo -e "Found the following patches:\n \e[1;32mXen\e[0m: \e[1;33m$discoveredXenPatchesEcho\e[0m\n \e[1;36mQEMU\e[0m: \e[1;33m$discoveredQEMUPatchesEcho\e[0m\n \e[1;36mSeaBIOS\e[0m: \e[1;33m$discoveredSeaBIOSPatchesEcho\e[0m\n \e[1;36mOVMF\e[0m: \e[1;33m$discoveredOVMFPatchesEcho\e[0m\n \e[1;36miPXE\e[0m: \e[1;33m$discoveredIPXEPatchesEcho\e[0m"
 # Prepare patches that are called in ./patches.nix.
- defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_458" "XSA_460" "XSA_461" )
+ defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_460" "XSA_461" )
 read -r -a defaultPatchList -p $'\nWould you like to override the \e[1;34mupstreamPatches\e[0m list for \e[1;32mXen '"$version"$'\e[0m? If no, press \e[1;34menter\e[0m to use the default patch list: [ \e[1;34m'"${defaultPatchListInit[*]}"$' \e[0m]: '
 defaultPatchList=(${defaultPatchList[@]:-${defaultPatchListInit[@]}})
 upstreamPatches=${defaultPatchList[*]}
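Review bot: The new `defaultPatchListInit=(...)` line hard-codes the XSA attribute names a second time, so every advisory added to or dropped from patches.nix (as XSA_458 is in this same commit) has to be mirrored here by hand, and a stale entry left behind would presumably make the generated expression reference an attribute that no longer exists. The comment above it, `# Prepare patches that are called in ./patches.nix.`, also names a path that does not match the file touched in this diff, `generic/patches.nix`; unless a separate `./patches.nix` exists next to update.sh, change it to `# Keep in sync with the "XSA_*" attribute names in ./generic/patches.nix.` so the coupling is explicit. Deriving the XSA entries from that file instead, for example (constructed) `mapfile -t defaultPatchListInit < <(grep -o '"XSA_[0-9]*"' generic/patches.nix | tr -d '"')` with `QUBES_REPRODUCIBLE_BUILDS` prepended, would remove the duplication, but that is a larger change than this hunk. The enclosing `for version` loop starts and ends outside the hunk.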