CVEFinder.io

CVE-2026-23558

⚠ī¸ high
🔍 Scan for this CVE
Summary

The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables.

CVSS Score
7.8
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-19
First Seen: 2026-05-20
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.6% of all 328,009 vulnerabilities in our database.

#99,625
Above average severity
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: May 19, 2026
🔍 Exploitation Status
None
No known exploits
⚙ī¸ Automatable
NO
Requires human interaction
đŸ’Ĩ Technical Impact
Total
Complete system compromise possible
🏆 Discovered By
This issue was discovered by Claude Opus 4.6 and diagnosed as a security issue by Rafal Wojtczuk.
SSVC data provided by CISA
Last Modified 2026-05-19
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-362

đŸ“Ļ Affected Products 1

Vendor Product Status Affected Versions
xen xen Affected
> 4.0.0

🔗 References 3

https://xenbits.xenproject.org/xsa/advisory-486.html
Mitigation Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/04/2...
Mailing List Mitigation Patch Third Party Advisory
http://xenbits.xen.org/xsa/advisory-486.html
Mitigation Patch Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-23557 đŸ”ļ medium 6.5 0.0 Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() tri... 2026-05-19
CVE-2026-23554 ⚠ī¸ high 7.8 0.0 The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, ... 2026-03-23
CVE-2026-23555 ⚠ī¸ high 7.1 0.0 Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstor... 2026-03-23
CVE-2025-58150 ⚠ī¸ high 8.8 0.0 Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables... 2026-01-28
CVE-2026-23553 ℹī¸ low 2.9 0.0 In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the pr... 2026-01-28
CVE-2025-58147 ⚠ī¸ high 7.5 0.0 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to whi... 2025-10-31
These CVEs affect the same products