
VSA-2026-008: XSA-486

  • Published: 2026-04-28
  • Updated: 2026-04-28
  • Severity: ⚫ Critical
  • CVSS 4.0: Not available yet
  • Affected products: XCP-ng 8.3

A vulnerability in the hypervisor has been discovered. For Vates products, we classify the impact as Critical, as the vulnerability can be exploited from a VM. For details on how we assign severity levels, see our Severity Levels Explained page.

Summary

The Xen project recently disclosed a vulnerability affecting various versions of the Xen hypervisor.

A race window could be exploited when an HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables.

Impact

Impacts may include privilege escalation, information leaks, and Denial of Service (DoS), with the possibility of effects extending to the entire host.

Affected Versions

  • XCP-ng 8.3: Only x86 HVM and PVH guests permitted to use grant table version 2 interfaces can leverage this vulnerability.

Mitigation

Using the gnttab=max-ver:1 Xen command line option will avoid the vulnerability.
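
To confirm that a host is actually running with this mitigation, the following added example (not Vates or Xen project code) parses a Xen command line and reports whether gnttab max-ver is limited to 1. The function names and sample command lines are constructed for illustration, and it assumes that when max-ver is given more than once the last occurrence is the one that applies.

```shell
#!/bin/sh
# Added example: check a Xen command line for the gnttab=max-ver:1 mitigation.

# Print the effective gnttab max-ver value, or nothing when it is not set.
# gnttab= takes a comma-separated list of sub-options, e.g. gnttab=max-ver:1.
# Assumption: if max-ver appears more than once, the last occurrence applies.
# The body runs in a subshell so the IFS and globbing changes do not leak.
gnttab_max_ver() (
    set -f                      # no pathname expansion while word-splitting
    ver=""
    for word in $1; do          # list is split here, before IFS is changed
        case "$word" in
            gnttab=*)
                IFS=,
                for opt in ${word#gnttab=}; do
                    case "$opt" in max-ver:*) ver=${opt#max-ver:} ;; esac
                done
                ;;
        esac
    done
    printf '%s' "$ver"
)

# Succeed only when guests are limited to grant table version 1.
is_mitigated() {
    [ "$(gnttab_max_ver "$1")" = "1" ]
}

report() {
    if is_mitigated "$1"; then
        echo "mitigated: gnttab max-ver is 1"
    else
        echo "NOT mitigated: gnttab max-ver is '$(gnttab_max_ver "$1")' (empty means not set)"
    fi
}

# Constructed sample command lines, not taken from a real host.
SAMPLE_DEFAULT="dom0_mem=4096M,max:4096M watchdog console=vga"
SAMPLE_V2="dom0_mem=4096M,max:4096M gnttab=max-ver:2 console=vga"
SAMPLE_MITIGATED="dom0_mem=4096M,max:4096M gnttab=max-ver:1 console=vga"

# In dom0, check the running hypervisor; elsewhere, show the samples.
if command -v xl >/dev/null 2>&1; then
    report "$(xl info 2>/dev/null | sed -n 's/^xen_commandline *: *//p')"
else
    for s in "$SAMPLE_DEFAULT" "$SAMPLE_V2" "$SAMPLE_MITIGATED"; do report "$s"; done
fi
```

xl info reports the command line the running hypervisor was booted with, so a change to the boot configuration shows up here only after the host has been rebooted.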

Resolution

As of 2026-04-28, the xen-* packages for XCP-ng 8.3 have been updated to address this issue.

List of packages fixing this issue:

  • XCP-ng 8.3:
    • xen-4.17.6-6.2.xcpng8.3

Credits

This issue was discovered by Rafal Wojtczuk of 7bulls and fixed by Jan Beulich of SUSE.

References