# VSA-2026-007: XSA-483
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2026-04-28 | 2026-04-28 | ⚫ Critical | Not available yet | XCP-ng 8.3 |
A vulnerability in the Xen hypervisor has been discovered. For Vates products, we classify the impact as Critical, as the vulnerability can be exploited from a VM. For details on how we assign severity levels, see our Severity Levels Explained page.
## Summary
The Xen project recently disclosed a vulnerability affecting various versions of the Xen hypervisor. When oxenstored is tearing a domain down, the node data is cleaned up but the usage counts are leaked.
When the domid is eventually reused, the new domain can create fewer nodes before being deemed to be over quota.
## Impact
A malicious guest could exhaust host resources and cause a denial-of-service, potentially necessitating a host reboot to return the system to normal operation.
Over an extended period of time, new domains will be able to create fewer and fewer nodes in xenstored, until they are eventually unable to operate at all. A buggy or malicious domain can speed this process up by deliberately hitting its quota.
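To make the accounting defect concrete, the following Python simulation is an added illustration written for this advisory page; it is not oxenstored's code. It models a per-domid usage counter with a constructed quota of 1000 nodes (the real quota is an oxenstored configuration value), a `teardown` that either leaks the counter (the bug) or releases it (the fix), and a small check that reports domids whose counter survived teardown. The class and function names (`XenstoreSim`, `run_lifecycles`, `leaked_domids`) are assumptions for the example only.

```python
"""Simulation of the XSA-483 accounting leak (added example, not oxenstored code).

Node data is always cleaned up on teardown; the usage count is only released
when `leak_on_teardown` is False. Reusing a domid then shows why each new
domain can create fewer nodes before being considered over quota.
"""
from __future__ import annotations

from dataclasses import dataclass, field

QUOTA = 1000  # constructed value for the example; real quota comes from oxenstored config


class OverQuota(Exception):
    """Raised when a domain tries to create a node beyond its quota."""


@dataclass
class XenstoreSim:
    leak_on_teardown: bool                      # True reproduces the bug, False the fix
    quota: int = QUOTA
    nodes: dict[int, set[str]] = field(default_factory=dict)  # domid -> node paths
    usage: dict[int, int] = field(default_factory=dict)       # domid -> usage count

    def write(self, domid: int, path: str) -> None:
        """Create a node for `domid`, enforcing the per-domain node quota."""
        count = self.usage.get(domid, 0)
        if count >= self.quota:
            raise OverQuota(f"dom{domid} has {count}/{self.quota} nodes")
        self.nodes.setdefault(domid, set()).add(path)
        self.usage[domid] = count + 1

    def teardown(self, domid: int) -> None:
        """Remove the domain's node data; release the counter only in the fixed model."""
        self.nodes.pop(domid, None)
        if not self.leak_on_teardown:
            self.usage.pop(domid, None)

    def available(self, domid: int) -> int:
        """Nodes the domain may still create before hitting its quota."""
        return self.quota - self.usage.get(domid, 0)


def leaked_domids(store: XenstoreSim) -> list[int]:
    """Detection check: domids that hold a usage count but own no nodes."""
    return sorted(d for d, c in store.usage.items() if c and d not in store.nodes)


def run_lifecycles(leak: bool, generations: int, nodes_per_domain: int,
                   domid: int = 5) -> list[int]:
    """Create and tear down a domain with the same domid `generations` times.

    Each generation tries to write `nodes_per_domain` nodes. Returns, per
    generation, how many nodes it managed to create before being over quota.
    """
    store = XenstoreSim(leak_on_teardown=leak)
    created = []
    for _ in range(generations):
        n = 0
        for i in range(nodes_per_domain):
            try:
                store.write(domid, f"/local/domain/{domid}/data/{i}")
                n += 1
            except OverQuota:
                break
        created.append(n)
        store.teardown(domid)
    return created


if __name__ == "__main__":
    # Ordinary reuse of a domid: the leaky model degrades generation by generation.
    print("leaky :", run_lifecycles(leak=True, generations=5, nodes_per_domain=300))
    print("fixed :", run_lifecycles(leak=False, generations=5, nodes_per_domain=300))
    # A domain that fills its whole quota exhausts the reused domid in one go.
    print("leaky, quota-filling guest:", run_lifecycles(leak=True, generations=3, nodes_per_domain=1000))
```

With the leaky model, five generations of a 300-node domain yield `[300, 300, 300, 100, 0]`: the counter carries over, so the fourth generation hits the quota after 100 nodes and the fifth cannot create any. The fixed model returns 300 for every generation. A single generation that fills its quota leaves nothing for any later domain with that domid, which is the accelerated case the Impact section describes. `leaked_domids` is the shape of a consistency check one could run over an accounting table: any domid with a non-zero count and no nodes is a leaked counter.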
## Affected Versions
- XCP-ng 8.3: Affected.
## Mitigation
There are no known mitigations.
## Resolution
As of 2026-04-28, the packages for these components have been updated in the "testing" XCP-ng repositories. We encourage users to wait until the package is updated in our official XCP-ng repositories.
List of packages fixing these issues:
- XCP-ng 8.3: `xen-4.17.6-6.2.xcpng8.3`
## Credits
This issue was discovered and fixed by Andrii Sultanov of Vates.