CVEFinder.io

CVE-2026-23553

ℹī¸ low
🔍 Scan for this CVE
Summary

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, t

Description

In the context switch logic Xen attempts to skip an IBPB in the case of
a vCPU returning to a CPU on which it was the previous vCPU to run.
While safe for Xen's isolation between vCPUs, this prevents the guest
kernel correctly isolating between tasks. Consider:

1) vCPU runs on CPU A, running task 1.
2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB.
3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.
4) vCPU moves back to CPU A. Xen skips IBPB again.

Now, task 2 is running on CPU A with task 1's training still in the BTB.

CVSS Score
2.9
Low
EPSS Score
0.0
Exploit Probability
Published Date
2026-01-28
First Seen: 2026-01-29
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 1.8% of all 321,566 vulnerabilities in our database.

#315,780
Below average severity
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: Jan 28, 2026
🔍 Exploitation Status
None
No known exploits
⚙ī¸ Automatable
NO
Requires human interaction
đŸ’Ĩ Technical Impact
Partial
Limited system impact
🏆 Discovered By
This issue was discovered by David Kaplan of AMD.
SSVC data provided by CISA
Last Modified 2026-02-09
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE IDs (Weakness Types)
CWE-665 CWE-693

đŸ“Ļ Affected Products 1

Vendor Product Status Affected Versions
xen xen Affected
> 4.6.0

🔗 References 3

https://xenbits.xenproject.org/xsa/advisory-479.html
Mitigation Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/01/27/3
Mailing List Mitigation Patch Third Party Advisory
http://xenbits.xen.org/xsa/advisory-479.html
Mitigation Patch Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-23557 đŸ”ļ medium 6.5 - Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() tri... 2026-05-19
CVE-2026-23558 ⚠ī¸ high 7.8 - The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or ... 2026-05-19
CVE-2026-23554 ⚠ī¸ high 7.8 0.0 The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, ... 2026-03-23
CVE-2026-23555 ⚠ī¸ high 7.1 0.0 Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstor... 2026-03-23
CVE-2025-58150 ⚠ī¸ high 8.8 0.0 Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables... 2026-01-28
CVE-2025-58147 ⚠ī¸ high 7.5 0.0 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to whi... 2025-10-31
These CVEs affect the same products