VSA-2026-017: x86 HVM I/O port list traversal (XSA-491)
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2026-06-10 | 2026-06-10 | 🟢 Low | Not available yet | - XCP-ng 8.3 |
The Xen project recently disclosed a vulnerability affecting various versions of the Xen hypervisor and published XSA-491. For Vates products, we classify the impact as Low, as our analysis shows it is unlikely to be exploitable. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary​
HVM guest I/O port accesses are subject to either emulation or at least translation. Translations are managed by the device model (via XEN_DOMCTL_ioport_mapping), and hence the linked list used may change at any time. Traversal of those lists (while handling guest I/O port accesses) therefore needs synchronizing with updates, which was missing so far.
Impact​
An attacker compromising a device model of a HVM guest can cause a hypervisor crash, causing a Denial of Service (DoS) of the entire host. Privilege escalation and information leaks cannot be ruled out. Due to the administrator and permission model used by XCP-ng, we consider this unlikely to have an actual impact in our product.
Affected Versions​
- XCP-ng 8.3: Affected.
Mitigation​
The only known mitigation is to only run PV or PVH guests.
Resolution​
As of 2026-06-10, and given the low severity, the updated xen-* packages are under testing and will be published along with a future update.
Credits​
This issue was discovered by Jan Beulich of SUSE.