
VSA-2026-002: XSA-478

Published: 2026-01-27
Updated: 2026-01-27
Severity: ⚫ Critical
CVSS 4.0: Not available yet
Affected products: XCP-ng 8.3

An XSA and its associated CVE were published. For Vates products, we classify the impact as Critical, as our LTS products are directly impacted. For details on how we assign severity levels, see our Severity Levels Explained page.

Summary

The Xen Project recently disclosed a vulnerability affecting various versions of XAPI. This vulnerability could potentially allow privilege escalation.

Impact

An attacker with kernel-level access inside a VM can escalate privileges by gaining code execution within varstored.

Affected Versions

  • XCP-ng 8.3 LTS: Only x86 HVM guests with firmware=uefi set in HVM-boot-params are affected. This is the default for Windows and modern Linux templates.
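To find which guests on a host match the affected configuration above, the following added script (not part of this advisory or of XCP-ng) walks every VM with the standard xe CLI and reports those whose HVM-boot-params carry firmware=uefi. It assumes it runs on the XCP-ng 8.3 host (dom0) and treats a missing firmware key as BIOS boot, which is an assumption.

```shell
#!/bin/sh
# Added example, not code from the advisory: audit guests on an XCP-ng 8.3
# host for the affected configuration (x86 HVM guest, firmware=uefi in
# HVM-boot-params). Assumes the xe CLI is available in dom0.

# Classify a firmware value. An empty value (key not present) is treated as
# BIOS boot; any other value is reported as unknown rather than guessed.
firmware_status() {
    case "$1" in
        uefi)      echo "affected" ;;
        ""|bios)   echo "not-affected" ;;
        *)         echo "unknown" ;;
    esac
}

# Firmware value for one VM uuid; empty when the firmware key is absent
# (xe returns an error for a missing map key, which is silenced here).
vm_firmware() {
    xe vm-param-get uuid="$1" param-name=HVM-boot-params param-key=firmware 2>/dev/null || true
}

# Enumerate real guests (control domain and templates excluded). PV guests
# have an empty HVM-boot-policy and no UEFI firmware, so they are skipped.
audit_guests() {
    for uuid in $(xe vm-list is-control-domain=false is-a-template=false --minimal | tr ',' ' '); do
        policy=$(xe vm-param-get uuid="$uuid" param-name=HVM-boot-policy)
        [ -n "$policy" ] || continue
        name=$(xe vm-param-get uuid="$uuid" param-name=name-label)
        status=$(firmware_status "$(vm_firmware "$uuid")")
        printf '%s\t%s\t%s\n' "$status" "$uuid" "$name"
    done
}

# Only run the audit where xe exists, so the functions can also be sourced.
if command -v xe >/dev/null 2>&1; then
    audit_guests
fi
```

Lines starting with "affected" are the guests to prioritise once the fixed varstored package is available.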

Mitigation

There are no mitigations.

Resolution

As of 2026-01-27, the varstored package is under testing.

Credits

This issue was discovered and reported by Teddy Astie of Vates and patched by Andrew Cooper of Citrix. Thanks to the Xen Project for handling the disclosure and publication of the patches.

References