VSA-2026-018: domctl lock open to abuse (XSA-492)
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2026-06-10 | 2026-06-10 | 🟢 Low | Not available yet | - XCP-ng 8.3 |
The Xen project recently disclosed a vulnerability affecting various versions of the Xen hypervisor and published XSA-492. For Vates products, we classify the impact as Low as the vulnerability does not rely on the supported XCP-ng use cases. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary​
In Xen the domctl operations are used to control domains, in XCP-ng this is limited to dom0 control domain. Outside of XCP-ng case it is possible to have a Xenstore domain, or a domain controlling a particular guest. Some of these operations may not be executed in parallel and the current locking does not provide any fairness (CVE-2026-42489).
XCP-ng uses XSM/Silo, and is not impacted by the second part of this vulnerability: When XSM/Flask is in use, the lock acquire will, for some operations, occur ahead of any permission checking (CVE-2026-42490).
Impact​
In theory, a less privileged entity may stall an equally or more privileged entity, potentially leading to a Denial of Service (DoS) of up to the entire host. For XCP-ng this is considered to have no impact in supported use cases.
Affected Versions​
- XCP-ng 8.3: Affected.
Mitigation​
There are no known mitigations.
Resolution​
As of 2026-06-10, and given the low severity, the updated xen-* packages are under testing and will be published along with a future update.
Credits​
This issue was discovered by Andrew Cooper of Citrix.