
VSA-2026-003: XSA-479

Published: 2026-01-27
Updated: 2026-01-29
Severity: 🔴 Important
CVSS 4.0: Not available yet
Affected products: XCP-ng 8.3
Info

An XSA and its associated CVE have been published. For Vates products, we classify the impact as Important, as our LTS products are directly affected. For details on how we assign severity levels, see our Severity Levels Explained page.

Warning

ERRATA: The original VSA publication stated 2026-01-17 instead of 2026-01-27 as the publication date. This has been corrected, as the VSA was indeed published on the 27th.

Summary

The Xen project recently disclosed a vulnerability affecting various versions of the Xen hypervisor. This vulnerability could potentially allow information disclosure.

Impact

Guest processes may leverage information leaks to obtain information intended to be private to other entities in a guest.

Affected Versions

  • XCP-ng 8.3 LTS: Affected.

Mitigation

Adding "spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv" to the Xen command line activates the SRSO mitigation on hardware that is not itself SRSO-vulnerable, but this setting carries a large performance overhead.

Resolution

As of 2026-01-29, updated xen-* packages for XCP-ng 8.3 are available that address this issue.

List of packages fixing these issues:

  • XCP-ng 8.3:
    • xen-4.17.5-23.2.xcpng8.3
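The two checks an XCP-ng administrator wants after reading the Mitigation and Resolution sections are (a) whether the installed xen package is at or above the fixed version and (b) whether the interim spec-ctrl setting is present on the running Xen command line. The following POSIX sh script is an added example written for this advisory, not a Vates or XCP-ng tool. It assumes the package is named xen-hypervisor and that `rpm -q --qf '%{VERSION}-%{RELEASE}'` and `xl info` (whose output carries a `xen_commandline` line) are available on the host; the version comparison only looks at the numeric fields of a version-release string, which is sufficient for XCP-ng package names of the form shown above. The fixed version string 4.17.5-23.2.xcpng8.3 comes from this advisory; everything else is an assumption.

```shell
#!/bin/sh
# Fixed version-release taken from VSA-2026-003 (package xen-4.17.5-23.2.xcpng8.3).
FIXED_VR="4.17.5-23.2.xcpng8.3"

# vercmp A B: print -1, 0 or 1 by comparing the numeric fields of two
# version-release strings. Runs of non-digits act as separators, so
# "4.17.5-23.2.xcpng8.3" becomes 4 17 5 23 2 8 3. Assumption: letters in
# the release tag are constant and need not be compared.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, fa, /[^0-9]+/); nb = split(b, fb, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na && fa[i] != "") ? fa[i] + 0 : 0
            y = (i <= nb && fb[i] != "") ? fb[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# xen_pkg_fixed INSTALLED FIXED: succeed when INSTALLED >= FIXED.
xen_pkg_fixed() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# ibpb_entry_enabled CMDLINE: succeed when the Xen command line carries the
# exact spec-ctrl sub-options the advisory names, ibpb-entry=hvm and
# ibpb-entry=pv. Other spellings Xen may accept are not recognised here.
ibpb_entry_enabled() {
    case "$1" in
        *ibpb-entry=hvm*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *ibpb-entry=pv*) return 0 ;;
        *) return 1 ;;
    esac
}

# Host check: only runs where rpm and xl exist (i.e. on an XCP-ng dom0).
# The package name xen-hypervisor is an assumption.
if command -v rpm >/dev/null 2>&1 && command -v xl >/dev/null 2>&1; then
    installed_vr="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' xen-hypervisor 2>/dev/null)"
    if [ -n "$installed_vr" ] && xen_pkg_fixed "$installed_vr" "$FIXED_VR"; then
        echo "xen-hypervisor $installed_vr: fixed (>= $FIXED_VR)"
    else
        echo "xen-hypervisor ${installed_vr:-not found}: NOT fixed (< $FIXED_VR)"
        xen_cmdline="$(xl info 2>/dev/null | sed -n 's/^xen_commandline *: //p')"
        if ibpb_entry_enabled "$xen_cmdline"; then
            echo "interim mitigation present on Xen command line"
        else
            echo "interim mitigation absent: spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv not set"
        fi
    fi
fi
```

Run it on a dom0 shell; on a host that is already at or above the fixed package the command-line check is skipped, because the mitigation in the advisory is only an interim measure until the updated packages are installed.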

Credits

This issue was discovered and reported by David Kaplan of AMD and patched by Roger Pau Monné of Citrix. Thanks to the Xen Project for handling the disclosure and publication of the patches.

References