VSA-2026-012: Vulnerability in XCP-ng Windows Guest Tools
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| XXXX-XX-XX | XXXX-XX-XX | 🟢 Low | Not available yet | XCP-ng Windows Guest Tools |
A vulnerability was discovered in XenClean and XenBootFix, which are part of the XCP-ng Windows Guest Tools. We classify the impact as Low. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
We recently discovered a vulnerability affecting the XCP-ng Windows Guest Tools. A malicious DLL placed in the same directory as XenClean or XenBootFix can hijack their execution and run untrusted code.
Impact
The impact is execution of untrusted code. As the XenClean/XenBootFix processes run with Administrator privileges, the impact can include local privilege escalation.
Affected Versions
- XCP-ng Windows Guest Tools: XenClean/XenBootFix versions 9.1.148 and below.
Mitigation
Do not use any affected versions of XenClean or XenBootFix.
If your VM is running XCP-ng Windows Guest Tools 9.1.146, you don't need to update. You just need to replace any XenClean and XenBootFix files you downloaded.
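The check below is an added example and is not part of this advisory or of the win-pv-drivers project. It audits a folder where the standalone tools were downloaded: it reports whether each XenClean/XenBootFix build is in the affected range (9.1.148 and below, per Affected Versions) and lists every DLL sharing that directory with its Authenticode status, since that is exactly what an affected build could load. It assumes the tools are shipped as `XenClean*.exe` / `XenBootFix*.exe` and that the release number appears in the executables' file-version resource; both are assumptions, not statements from the advisory.

```powershell
# Added example (not from the advisory or the xcp-ng project).
# Audits a folder for affected XenClean/XenBootFix builds and for DLLs beside them.
# ASSUMPTIONS: tools are named XenClean*.exe / XenBootFix*.exe and carry the
# release number in their PE file-version resource.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$Path                       # folder the tools were downloaded to
)

$LastAffected = [Version]'9.1.148'      # "9.1.148 and below" per Affected Versions

function Get-ToolVersionStatus {
    param([Parameter(Mandatory = $true)][System.IO.FileInfo]$File)
    $vi = $File.VersionInfo
    # Build a 3-part version so a resource like "9.1.148.0" compares equal to 9.1.148
    $v = [Version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
    [pscustomobject]@{
        File     = $File.Name
        Version  = $v
        Affected = ($v -le $LastAffected)
    }
}

function Get-SideloadCandidates {
    param([Parameter(Mandatory = $true)][string]$Folder)
    # Every DLL in the tool's own directory is a candidate for the hijack the
    # advisory describes; unsigned or invalidly signed ones deserve a closer look.
    Get-ChildItem -LiteralPath $Folder -File -Filter '*.dll' | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Dll    = $_.Name
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        }
    }
}

$tools = Get-ChildItem -LiteralPath $Path -File |
    Where-Object { $_.Name -match '^(XenClean|XenBootFix).*\.exe$' }

if (-not $tools) {
    Write-Warning "No XenClean/XenBootFix executables found in $Path"
}

$toolStatus = $tools | ForEach-Object { Get-ToolVersionStatus -File $_ }
$dlls       = Get-SideloadCandidates -Folder $Path

"== Tool versions (affected if <= $LastAffected) =="
$toolStatus | Format-Table -AutoSize

"== DLLs sharing the directory =="
if ($dlls) { $dlls | Format-Table -AutoSize } else { '  none' }

if (($toolStatus | Where-Object Affected) -and $dlls) {
    Write-Warning 'Affected build(s) found alongside DLL(s): delete the affected files and download the current release from the win-pv-drivers releases page.'
}
```

Run it against the download folder, for example `.\Test-XenToolsFolder.ps1 -Path 'C:\Path\To\Downloads'` (placeholder path). Any hit in the first table means the files should be replaced regardless of what the second table shows; the DLL listing is there so you can see whether the hijack condition was actually present on that machine.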
Resolution
Users are recommended to only use the latest XenClean and XenBootFix versions from https://github.com/xcp-ng/win-pv-drivers/releases.
List of packages fixing this issue:
- XCP-ng Windows Guest Tools: version 9.1.152 or later
- XCP-ng 8.3:
  - xcp-ng-pv-tools version 8.3-17 or later
Credits
Discovered and fixed by Tu Dinh of Vates.
References
No CVE assigned yet.