SB20260428207 - Multiple vulnerabilities in Xen

Description

This security bulletin contains information about 5 vulnerabilities.

1) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-23556)

CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper resource management in oxenstored quota use counts when tearing down and reusing domain IDs. A remote user can deliberately hit its quota and reboot a domain to cause a denial of service.

Only systems configured to use oxenstored are vulnerable.

2) Reachable assertion (CVE-ID: CVE-2026-23557)

CWE-ID: CWE-617 - Reachable Assertion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an assertion failure in xenstored when processing an XS_RESET_WATCHES command within a transaction. A remote attacker can issue a crafted XS_RESET_WATCHES command within a transaction to cause a denial of service.

Only systems using the C variant of xenstored or xenstore-stubdom built without NDEBUG are vulnerable.

3) Out-of-bounds read (CVE-ID: CVE-2026-31786)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to disclose sensitive information, cause a denial of service, or escalate privileges.

The vulnerability exists due to an out-of-bounds read in the Xen-related sysfs buildid handler when reading the /sys/hypervisor/properties/buildid sysfs file. A local user can read the crafted sysfs output to disclose sensitive information, cause a denial of service, or escalate privileges.

In rare cases, the issue may also result in writing past the 4 kB sysfs buffer if no zero byte is found in adjacent data.

4) Race condition (CVE-ID: CVE-2026-23558)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote user to escalate privileges, disclose sensitive information, or cause a denial of service.

The vulnerability exists due to a race condition in status page mapping via XENMEM_add_to_physmap when changing the grant table version from v2 to v1 in parallel with mapping status pages. A remote user can trigger concurrent grant table version changes and status page mappings to escalate privileges, disclose sensitive information, or cause a denial of service.

Only x86 HVM and PVH guests permitted to use grant table version 2 interfaces can leverage this vulnerability.

5) Double free (CVE-ID: CVE-2026-31787)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local privileged user to circumvent kernel lockdown restrictions.

The vulnerability exists due to double free in the Linux kernel privcmd driver when handling privcmd operations. A local privileged user can trigger a double free of kernel memory to circumvent kernel lockdown restrictions.

Only Linux PVH or HVM domains booted in secure mode are affected; PV domains and non-Linux domains are not vulnerable.

Remediation

Install update from vendor's website.

References

• https://xenbits.xen.org/xsa/advisory-483.html
• https://xenbits.xen.org/xsa/advisory-484.html
• https://xenbits.xen.org/xsa/advisory-485.html
• https://xenbits.xen.org/xsa/advisory-486.html
• https://xenbits.xen.org/xsa/advisory-487.html