CVEFinder.io

CVE-2026-23558

⚠ī¸ high
🔍 Scan for this CVE
Summary

The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables.

CVSS Score
7.8
High
EPSS Score
-
Published Date
2026-05-19
First Seen: 2026-05-20
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.7% of all 321,566 vulnerabilities in our database.

#97,378
Above average severity
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: May 19, 2026
🔍 Exploitation Status
None
No known exploits
⚙ī¸ Automatable
NO
Requires human interaction
đŸ’Ĩ Technical Impact
Total
Complete system compromise possible
🏆 Discovered By
This issue was discovered by Claude Opus 4.6 and diagnosed as a security issue by Rafal Wojtczuk.
SSVC data provided by CISA
Last Modified 2026-05-19
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-362

đŸ“Ļ Affected Products 1

Vendor Product Status Affected Versions
xen xen Affected
> 4.0.0

🔗 References 3

https://xenbits.xenproject.org/xsa/advisory-486.html
Mitigation Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/04/2...
Mailing List Mitigation Patch Third Party Advisory
http://xenbits.xen.org/xsa/advisory-486.html
Mitigation Patch Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-23557 đŸ”ļ medium 6.5 - Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() tri... 2026-05-19
CVE-2026-23554 ⚠ī¸ high 7.8 0.0 The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, ... 2026-03-23
CVE-2026-23555 ⚠ī¸ high 7.1 0.0 Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstor... 2026-03-23
CVE-2025-58150 ⚠ī¸ high 8.8 0.0 Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables... 2026-01-28
CVE-2026-23553 ℹī¸ low 2.9 0.0 In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the pr... 2026-01-28
CVE-2025-58147 ⚠ī¸ high 7.5 0.0 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to whi... 2025-10-31
These CVEs affect the same products