VSA-2026-006: Issue with scrubbing of physmap allocated pages
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2026-03-26 | 2025-03-26 | 🔴 Important | Not available | XCP-ng 8.3 |
A vulnerability in the Xen hypervisor has been discovered. For Vates products, we classify the impact as Important, as the vulnerability might be non-trivial to exploit. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
The Xen project recently fixed a vulnerability that was only present in the upstream staging branch and therefore does not affect any released Xen version. For this reason, there is no XSA for this issue.
Unfortunately, the patch that introduced the vulnerability was backported to the XCP-ng xen package, so the vulnerability is present in XCP-ng 8.3.
The issue is a bug where the hypervisor failed to scrub (sanitize) memory pages before handing them over to a new guest during its creation.
Impact
The most likely impact is leakage of memory contents of previous guests (e.g. shut-down/crashed guests) to newly-created ones, potentially leading to privilege escalation depending on the secrets leaked.
Affected Versions
- XCP-ng 8.3:
xen-4.17.6-4.1.xcpng8.3 and later are affected.
Mitigation
There are no known mitigations.
Resolution
As of 2026-03-26, updated xen-* packages for XCP-ng 8.3 are available that address this issue.
List of packages fixing this issue:
- XCP-ng 8.3:
xen-4.17.6-5.2.xcpng8.3
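A check a dom0 administrator can run to tell whether the installed xen build falls in the affected range, as an added example that is not part of the advisory or of the XCP-ng project's own tooling: it compares the installed `VERSION-RELEASE` against the first affected and fixed builds listed above using a simplified rpmvercmp. The package name `xen-hypervisor` and the `rpm -q` query are assumptions; adjust them to the xen-* package you track.

```python
import re
import subprocess

# Build range taken from the advisory: first affected build, and the fixed build.
FIRST_AFFECTED = "4.17.6-4.1.xcpng8.3"
FIXED = "4.17.6-5.2.xcpng8.3"

# Segments the way rpmvercmp() tokenises: runs of digits, runs of letters, or '~'.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp(): digits compare numerically, letters lexically, a numeric
    segment beats an alpha one, '~' sorts before anything. Returns -1, 0 or 1. No '^'."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
            continue
        if x == y:
            continue
        if "~" in (x, y):
            return -1 if x == "~" else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # One side has segments left over: it is newer, unless the leftover starts with '~'.
    idx = min(len(sa), len(sb))
    a_is_longer = len(sa) > len(sb)
    leftover = (sa if a_is_longer else sb)[idx]
    if leftover == "~":
        return -1 if a_is_longer else 1
    return 1 if a_is_longer else -1

def compare_vr(a: str, b: str) -> int:
    """Compare two 'VERSION-RELEASE' strings the RPM way: version first, then release."""
    (va, ra), (vb, rb) = a.split("-", 1), b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_affected(installed_vr: str) -> bool:
    """True when the installed xen build lies in [FIRST_AFFECTED, FIXED)."""
    return compare_vr(installed_vr, FIRST_AFFECTED) >= 0 and compare_vr(installed_vr, FIXED) < 0

def installed_xen_vr(package: str = "xen-hypervisor") -> str:
    """Ask rpm on the dom0 for VERSION-RELEASE of the package (package name is an assumption)."""
    out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package], check=True, capture_output=True, text=True)
    return out.stdout.strip()
```

Run `is_affected(installed_xen_vr())` on the dom0; a `True` result means the host still carries the vulnerable build and needs the update.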
Credits
This issue was reported and fixed by Roger Pau Monné of Citrix.