VSA-2026-015: x86 CPU Opcode Cache corruption (XSA-490)
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2026-05-21 | 2026-05-21 | ⚫ Critical | Not available yet | XCP-ng 8.3 |
A vulnerability in the Xen hypervisor has been discovered. For Vates products, we classify the impact as Critical, as it directly impacts XCP-ng 8.3. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
The Xen Project recently disclosed a vulnerability affecting all previous versions of the Xen hypervisor and published XSA-490 to address it. An incorrect CPU opcode caching behavior can cause instructions to execute at a privilege level higher than intended.
Only AMD Fam17h (Zen2) CPUs are affected. CPUs from other AMD families and other manufacturers are not known to be vulnerable.
Impact
On affected hardware, code executing at any privilege level may escalate to a higher privilege. This includes the ability to escalate from a guest VM to the host.
XCP-ng hosts running on AMD Zen2 hardware are exposed to this risk. All other CPUs are not affected.
Affected Versions
- XCP-ng 8.3 LTS: Affected.
Mitigation
An updated microcode package is provided as a convenience to help mitigate hardware vulnerabilities and other bugs. Updating your hardware's firmware remains the preferred method for updating microcode, and any newer microcode found in the firmware will take precedence over the microcode provided in XCP-ng.
We released an updated version of amd-microcode (20251203-1.1) on 2025-12-18, which includes the new microcodes. Note that not all affected processors may be covered; please refer to the AMD Security Bulletin in the References section for a list of processors with available updates.
This microcode update has the following two requirements. Please read them carefully before applying the update:
- Your system firmware must support the Entrysign fix described in AMD-SB-7033. Without the Entrysign fix, loading this microcode update will fail.
- Loading the new microcode format requires an updated Xen package, available from xen version 4.17.5-23.1 onward.
Therefore, your system firmware must be recent enough (November or December 2024) and xen must be updated before, or at the same time as, amd-microcode.
Resolution
As of 2026-05-21, the xen-* packages for XCP-ng 8.3 have been updated to address this issue.
List of packages fixing this issue:
- XCP-ng 8.3: xen-4.17.6-9.1.xcpng8.3
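
The update ordering from the Mitigation section and the fixed build from the Resolution section, combined into a triage helper. This is an added example, not Vates or Xen Project code: the function names, status words and sample inputs are assumptions made here, and the CPU family match (decimal 23 is 17h) is a coarse filter, so confirm the exact processor against the AMD bulletin.

```shell
#!/bin/sh
# Added example, not part of the advisory. Thresholds are the ones the
# advisory states; everything else is hypothetical naming.
XEN_FIXED="4.17.6-9.1"        # xen build that addresses XSA-490
XEN_UCODE_MIN="4.17.5-23.1"   # first xen able to load the new microcode format

# ver_ge A B: succeeds when version-release A >= B. Uses GNU "sort -V",
# an approximation of rpm ordering that holds for these numeric strings.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# is_amd_fam17h CPUINFO_TEXT: succeeds for AuthenticAMD with cpu family 23.
is_amd_fam17h() {
    printf '%s\n' "$1" |
        grep -Eq '^vendor_id[[:space:]]*:[[:space:]]*AuthenticAMD[[:space:]]*$' &&
    printf '%s\n' "$1" |
        grep -Eq '^cpu family[[:space:]]*:[[:space:]]*23[[:space:]]*$'
}

# triage CPUINFO_TEXT XEN_VERSION_RELEASE: prints one status word.
triage() {
    _ver="${2%.xcpng*}"   # drop the dist tag, e.g. ".xcpng8.3"
    if ! is_amd_fam17h "$1"; then
        echo "not-affected-cpu"
    elif ver_ge "$_ver" "$XEN_FIXED"; then
        echo "xen-fixed"
    elif ver_ge "$_ver" "$XEN_UCODE_MIN"; then
        # xen can already load the new microcode, but lacks the fix
        echo "update-xen"
    else
        # installing amd-microcode first would break the stated ordering
        echo "update-xen-before-microcode"
    fi
}

# Constructed sample input; on a host, pass "$(cat /proc/cpuinfo)" and the
# installed xen version-release instead.
SAMPLE_CPUINFO="$(printf 'vendor_id\t: AuthenticAMD\ncpu family\t: 23\n')"
triage "$SAMPLE_CPUINFO" "4.17.5-20.1.xcpng8.3"   # constructed version string
```

A result of `xen-fixed` only reflects the package version string passed in; the host still has to be running that hypervisor build.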