VSA-2026-005: XSA-480
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2026-03-17 | 2026-03-19 | ⚫ Critical | Not available yet | XCP-ng 8.3 |
A vulnerability in the hypervisor has been discovered. For Vates products, we classify the impact as Critical because the vulnerability can be exploited from a VM. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
The Xen project recently disclosed a vulnerability affecting various versions of the Xen hypervisor. XSA-480 could potentially allow privilege escalation, denial of service, or information disclosure.
The Intel EPT paging code uses an optimization to defer flushing of any cached
EPT state until the p2m lock is dropped, so that multiple modifications done
under the same locked region only issue a single flush.
Freeing of paging structures however is not deferred until the flushing is
done, and can result in freed pages transiently being present in cached state.
Such stale entries can point to memory ranges not owned by the guest, thus
allowing access to unintended memory regions.
Impact
Privilege escalation, Denial of Service (DoS) affecting the entire host and information leaks.
Affected Versions
- XCP-ng 8.3: Only x86 Intel systems are vulnerable.
Mitigation
There are no mitigations.
Resolution
As of 2026-03-19, the xen-* packages for XCP-ng 8.3 have been updated to address this issue.
List of packages fixing this issue:
- XCP-ng 8.3:
  - xen-4.17.6-5.1.xcpng8.3
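A check of an XCP-ng 8.3 host against the fixed version listed above, as an added example that is not part of the advisory or of Vates tooling. It assumes the fixed packages are built from a source RPM named `xen-<version>` and approximates RPM version ordering with GNU `sort -V`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a host against VSA-2026-005 / XSA-480.
# Function names are hypothetical; only the fixed version comes from the advisory.
FIXED_EVR="4.17.6-5.1.xcpng8.3"

# evr_at_least A B: succeeds when version-release A >= B.
# GNU sort -V approximates RPM's comparison; it is adequate for
# strings shaped like the advisory's (same epoch, same dist tag).
evr_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# xsa480_status VENDOR EVR: prints not-affected, patched or vulnerable.
xsa480_status() {
    vendor=$1
    evr=$2
    # Advisory: only x86 Intel systems are vulnerable.
    if [ "$vendor" != "GenuineIntel" ]; then
        echo "not-affected"
    elif evr_at_least "$evr" "$FIXED_EVR"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# host_report: gather live values in dom0 and classify them.
# This reads the installed package version only; it does not tell
# which hypervisor build is currently booted.
host_report() {
    vendor=$(awk -F': *' '/^vendor_id/ {print $2; exit}' /proc/cpuinfo)
    # Keep only packages whose source RPM is xen-<digit>... (assumption),
    # so unrelated packages with a xen- prefix do not skew the result.
    # The lowest installed version-release decides the outcome.
    evr=$(rpm -qa --qf '%{SOURCERPM} %{VERSION}-%{RELEASE}\n' 'xen-*' |
          awk '$1 ~ /^xen-[0-9]/ {print $2}' | sort -V | head -n 1)
    if [ -z "$evr" ]; then
        echo "no xen packages found" >&2
        return 2
    fi
    echo "vendor=$vendor xen=$evr status=$(xsa480_status "$vendor" "$evr")"
}
```

Source the file in dom0 and run `host_report`; `xsa480_status` can also be fed values collected from an inventory.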
Credits
This issue was patched by Roger Pau Monné of Citrix.