
VSA-2026-001: XSA-477

Published: 2026-01-27
Updated: 2026-01-27
Severity: 🟢 Low
CVSS 4.0: Not available yet
Affected products: XCP-ng 8.3

A new XSA and its associated CVE were published. For Vates products, we classify the impact as Low, given its low risk on our affected LTS products. For details on how we assign severity levels, see our Severity Levels Explained page.

Summary

The Xen project recently disclosed a vulnerability affecting various versions of the Xen hypervisor.

Impact

Bogus trace data is the most likely outcome. There is a possibility of other unexpected effects.

Affected Versions

  • XCP-ng 8.3 LTS: Only x86 HVM guests running in shadow paging mode with tracing enabled are affected. XCP-ng 8.3 does not support shadow paging, so the vulnerability cannot be triggered.

Mitigation

Running HVM guests in HAP mode only will avoid the vulnerability.

Not enabling tracing will also avoid the vulnerability. Tracing is enabled by the "tbuf_size=" Xen command line option, or by running tools like xentrace or xenbaked in Dom0. Note that on a running system, stopping xentrace / xenbaked disables tracing; for xentrace, however, this additionally requires that it was not started with the -x option. Stopping previously enabled tracing can of course only prevent future damage; prior damage may already have occurred and may manifest only later.
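The following script is an added example, not part of this advisory nor of the XCP-ng or Xen tooling. It checks a host for the two tracing conditions named above: a "tbuf_size=" option on the Xen command line, and a running xentrace or xenbaked process (flagging separately an xentrace started with -x, since stopping that process does not disable tracing). The checks take text as input so they can be exercised offline on the constructed samples included in the block; the optional live run at the end assumes that "xl info" prints an "xen_commandline" field and that "ps -eo args=" lists one command line per process. It does not check paging mode; on XCP-ng 8.3 HVM guests run in HAP mode, as the advisory states.

```shell
#!/bin/sh
# Added example (not from the advisory): detect whether Xen tracing is enabled
# on a host, following the mitigation text above.

# Exit 0 if the Xen command line carries a tbuf_size= option, 1 otherwise.
# $1: the xen_commandline value as a single string.
xen_cmdline_has_tbuf() {
    case " $1 " in
        *" tbuf_size="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if any listed process is xentrace or xenbaked, 1 otherwise.
# $1: process list, one command line per line (as from "ps -eo args=").
trace_tool_running() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]]|/)(xentrace|xenbaked)([[:space:]]|$)'
}

# Exit 0 if an xentrace process was started with a standalone -x option,
# 1 otherwise. Such a process must be handled separately: stopping it does
# not turn tracing off.
xentrace_started_with_x() {
    printf '%s\n' "$1" | grep -E '(^|[[:space:]]|/)xentrace([[:space:]]|$)' \
        | grep -Eq '(^|[[:space:]])-x([[:space:]]|$)'
}

# Print a one-word verdict: "tracing-enabled" or "tracing-off".
# $1: Xen command line, $2: process list.
assess_tracing() {
    if xen_cmdline_has_tbuf "$1" || trace_tool_running "$2"; then
        printf 'tracing-enabled\n'
    else
        printf 'tracing-off\n'
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CMDLINE_TRACING='dom0_mem=4096M,max:4096M tbuf_size=128 console=vga'
SAMPLE_CMDLINE_CLEAN='dom0_mem=4096M,max:4096M console=vga'
SAMPLE_PROCS_TRACING='/usr/sbin/xenconsoled
xentrace -x /tmp/trace.bin
/usr/sbin/xapi'
SAMPLE_PROCS_CLEAN='/usr/sbin/xenconsoled
/usr/sbin/xapi'

# Demonstration on the constructed samples.
printf 'sample clean host:   %s\n' "$(assess_tracing "$SAMPLE_CMDLINE_CLEAN" "$SAMPLE_PROCS_CLEAN")"
printf 'sample tracing host: %s\n' "$(assess_tracing "$SAMPLE_CMDLINE_TRACING" "$SAMPLE_PROCS_TRACING")"
if xentrace_started_with_x "$SAMPLE_PROCS_TRACING"; then
    printf 'sample tracing host: xentrace started with -x, stopping it will not disable tracing\n'
fi

# Live run on a Xen host; skipped where the xl tool is absent so the script
# also runs on a workstation. Field name and ps format are assumptions noted
# in the lead-in.
if command -v xl >/dev/null 2>&1; then
    live_cmdline=$(xl info 2>/dev/null | sed -n 's/^xen_commandline *: *//p')
    live_procs=$(ps -eo args=)
    printf 'live xen command line: %s\n' "$live_cmdline"
    printf 'live verdict: %s\n' "$(assess_tracing "$live_cmdline" "$live_procs")"
    if xentrace_started_with_x "$live_procs"; then
        printf 'live: xentrace started with -x, stopping it will not disable tracing\n'
    fi
fi
```

A "tracing-enabled" verdict on a host means the advisory's second mitigation is not in place; a "tracing-off" verdict only says no tracing is active now, which matches the advisory's note that stopping tracing prevents future, not prior, effects.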

Resolution

As of 2026-01-27, the updated xen packages for XCP-ng 8.3 are under testing.

Credits

This issue was discovered, reported and patched by Jan Beulich of SUSE. Thanks to the Xen Project for handling the disclosure and integrating the patches.

References