VSA-2026-003: XSA-479
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2026-01-17 | 2026-01-17 | 🔴 Important | Not available yet | - XCP-ng 8.3 |
An XSA and its associated CVE were published. For Vates products, we classify the impact as Important, as our LTS products are directly impacted. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
The Xen project recently disclosed a vulnerability affecting various versions of the Xen hypervisor. This vulnerability could potentially allow information disclosure.
Impact
Guest processes may leverage information leaks to obtain information intended to be private to other entities in a guest.
Affected Versions
- XCP-ng 8.3 LTS: Affected.
Mitigation
Using "spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv" on the Xen command line will activate the SRSO mitigation on non-SRSO-vulnerable hardware, but it has a large overhead.
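An added example, not part of the advisory and not Vates or Xen Project code: a shell check that a Xen command line explicitly carries the `ibpb-entry` settings quoted above, for auditing hosts after the option is applied. The function names and sample command lines are constructed, and the sub-option forms beyond the two quoted in the advisory are interpreted under a simplified model that is an assumption.

```shell
#!/bin/sh
# Added example (not Vates or Xen Project code): report whether a Xen command
# line explicitly requests IBPB-on-entry for HVM and PV guests.
# Assumption: only the ibpb-entry sub-option forms listed below are interpreted;
# other spec-ctrl settings and hardware defaults are not modelled.

ibpb_entry_status() {
    hvm=unset; pv=unset
    set -f                                  # no globbing while word-splitting
    for word in $1; do
        case $word in
            spec-ctrl=*) opts=${word#spec-ctrl=} ;;
            *) continue ;;
        esac
        old_ifs=$IFS; IFS=,
        for opt in $opts; do                # later options override earlier ones
            case $opt in
                ibpb-entry=hvm)    hvm=on ;;
                ibpb-entry=pv)     pv=on ;;
                ibpb-entry=no-hvm) hvm=off ;;
                ibpb-entry=no-pv)  pv=off ;;
                ibpb-entry|ibpb-entry=1|ibpb-entry=yes|ibpb-entry=on|ibpb-entry=true|ibpb-entry=enable)
                    hvm=on; pv=on ;;
                no-ibpb-entry|ibpb-entry=0|ibpb-entry=no|ibpb-entry=off|ibpb-entry=false|ibpb-entry=disable)
                    hvm=off; pv=off ;;
            esac
        done
        IFS=$old_ifs
    done
    set +f
    echo "hvm=$hvm pv=$pv"
}

# Exit status 0 only when both guest types are explicitly covered.
mitigation_requested() {
    [ "$(ibpb_entry_status "$1")" = "hvm=on pv=on" ]
}

# Constructed sample command lines (not taken from a real host).
# On a host, pass the real one instead, e.g. the xen_commandline field of `xl info`.
for sample in \
    "dom0_mem=4096M spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv console=vga" \
    "dom0_mem=4096M spec-ctrl=ibpb-entry=hvm console=vga" \
    "dom0_mem=4096M console=vga"
do
    printf '%s -> %s\n' "$sample" "$(ibpb_entry_status "$sample")"
done
```

A result of `unset` means the command line says nothing about that guest type, so the hypervisor's default for the hardware applies.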
Resolution
As of 2026-01-17 the package xen is under testing.
Credits
This issue was discovered and reported by David Kaplan of AMD and patched by Roger Pau Monné of Citrix. Thanks to the Xen Project for handling the disclosure and publication of the patches.