SB2026031846 - Multiple vulnerabilities in Xen
Published: March 18, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Reachable assertion (CVE-ID: CVE-2026-23555)
The vulnerability allows a local user to perform a denial of service attack.
The vulnerability exists due to improper input validation in xenstored when processing Xenstore commands that use the node path "/local/domain/". A local user can send a specially crafted request containing this illegal path to crash xenstored or force it into an infinite loop, resulting in a denial of service for all Xenstore operations.
Exploitation does not require guest privileges beyond the ability to issue Xenstore commands. The vulnerability affects systems using the C variant of xenstored; systems using oxenstored or xenstore-stubdom are not affected.
2) Use-after-free (CVE-ID: CVE-2026-23554)
The vulnerability allows a local user to escalate privileges, cause a denial of service, and leak information.
The vulnerability exists due to a use-after-free in the Intel EPT paging structures when page mappings are modified under the p2m lock. A local user on the guest OS can trigger the premature release of paging structures before the cached EPT state is flushed, leaving stale cache entries that reference freed memory. This can result in access to unintended memory regions of the hypervisor.
The vulnerability affects x86 Intel systems with EPT support running Xen 4.17 or later. Only x86 HVM/PVH guests using HAP are able to leverage the vulnerability. Exploitation does not require additional privileges beyond those of a normal guest user, but access to a guest VM is required.
Remediation
Install the update from the vendor's website.