VSA-2026-019: Arm TLBI completion issue (XSA-493)
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2026-06-10 | 2026-06-10 | ⚪ N/A | Not available yet | - None (Arm only) |
info
The Xen project recently disclosed a vulnerability affecting various versions of the Xen hypervisor and published XSA-493. For Vates products, this vulnerability is not applicable, as it only affects Xen running on Arm architectures. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
A hardware issue has been identified in certain Arm CPU designs. A broadcast TLBI on one PE may complete before affected memory accesses on another PE are globally observed. This may permit bypass of Stage 1 translation, Stage 2 translation, or GPT protection.
Impact
No impact for XCP-ng.
Affected Versions
- XCP-ng 8.3: Not affected, as ARM is not supported.
Mitigation
There are no known mitigations.
Resolution
This advisory does not affect any Vates products. No action is required.