SB2026060946 - Multiple vulnerabilities in Xen




Published: June 9, 2026

Security Bulletin ID: SB2026060946
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 20%, Low: 80%

Description

This security bulletin contains information about 5 vulnerabilities.


1) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-42488)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges, cause a denial of service, or disclose sensitive information.

The vulnerability exists due to improper state management in the x86 shadow paging mapcache metadata handling when switching page tables on certain shadow paging error paths. A local user can trigger the affected shadow mode conditions from a 64-bit PV guest to escalate privileges, cause a denial of service, or disclose sensitive information.

Only x86 systems are affected, and exploitation is possible only from 64-bit PV guests running in shadow mode.


2) Improper access control (CVE-ID: CVE-2025-10263)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in Stage 2 translation handling when invalidating translation lookaside buffer entries on affected Arm systems. A remote user in control of a malicious guest can trigger writes after write permissions have been revoked and thereby escalate privileges.

Only Xen on Arm in multi-core configurations is affected. The issue does not affect reads.


3) Improper access control (CVE-ID: CVE-2026-42490)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access control in domctl operations: with XSM/Flask in use, some operations acquire the system-wide lock before the permission check is performed. A local user can invoke these domctl operations to cause a denial of service.

This issue occurs only when XSM/Flask is in use.
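
The ordering problem described in item 3, as an added example that is neither Xen code nor taken from the vendor's patch: a single-threaded model in which a caller rejected by policy still takes the global lock under lock-then-check, but never touches it under check-then-lock. All identifiers are hypothetical, and the check-first ordering is the general mitigation pattern, assumed here rather than taken from the fix.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, NOT Xen source: every identifier here is hypothetical. */
struct caller { bool policy_allows; };   /* stands in for the XSM/Flask decision */
enum rc { RC_OK = 0, RC_EPERM = -1, RC_EAGAIN = -2 };
static bool lock_held;                   /* models the single system-wide lock */
static unsigned denied_lock_takes;       /* lock acquisitions by callers policy rejects */

static bool try_lock(void) { if (lock_held) return false; lock_held = true; return true; }
static void unlock(void) { lock_held = false; }

/* Ordering the bulletin describes: lock first, permission check second. */
enum rc op_lock_then_check(const struct caller *c)
{
    if (!try_lock()) return RC_EAGAIN;
    if (!c->policy_allows) {
        denied_lock_takes++;             /* a rejected caller still serialized the host */
        unlock();
        return RC_EPERM;
    }
    unlock();                            /* a permitted operation body would run before this */
    return RC_OK;
}

/* Hardened ordering (assumed pattern): reject before touching shared state. */
enum rc op_check_then_lock(const struct caller *c)
{
    if (!c->policy_allows)
        return RC_EPERM;
    if (!try_lock()) return RC_EAGAIN;
    unlock();
    return RC_OK;
}

/* Replay n calls from a caller that policy denies; return the lock takes they caused. */
unsigned denied_calls_lock_takes(enum rc (*op)(const struct caller *), unsigned n)
{
    struct caller denied = { .policy_allows = false };
    denied_lock_takes = 0;
    for (unsigned i = 0; i < n; i++)
        (void)op(&denied);
    return denied_lock_takes;
}

int main(void)
{
    printf("lock-then-check: %u, check-then-lock: %u\n",
           denied_calls_lock_takes(op_lock_then_check, 1000),
           denied_calls_lock_takes(op_check_then_lock, 1000));
    return 0;
}
```

When reviewing similar hypercall or ioctl handlers, the same audit question applies: does any shared lock get taken on a path that can still end in a permission denial?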


4) Improper locking (CVE-ID: CVE-2026-42489)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper lock management in domctl operations when acquiring a system-wide lock for operations that may not be executed in parallel. A local user can repeatedly invoke domctl operations to cause a denial of service.

The issue can allow a less privileged entity to stall an equally or more privileged entity, potentially affecting the entire host.


5) Race condition (CVE-ID: CVE-2026-42487)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper synchronization in the I/O port mapping list traversal logic when handling guest I/O port accesses. A remote user can modify I/O port mappings during traversal to cause a denial of service.

Only x86 systems are vulnerable. Exploitation requires control of an HVM guest device model running in a stub domain or de-privileged in Dom0.


Remediation

Install the update from the vendor's website.