CVE-2026-23554

NameCVE-2026-23554
DescriptionThe Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xen (PTS)bullseye4.14.6-1fixed
bullseye (security)4.14.5+94-ge49571868d-1fixed
bookworm, bookworm (security)4.17.5+72-g01140da4e8-1vulnerable
trixie4.20.2+37-g61ff35323e-0+deb13u1vulnerable
trixie (security)4.20.2+7-g1badcf5035-0+deb13u1vulnerable
forky, sid4.20.2+37-g61ff35323e-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xensourcebullseye(not affected)
xensource(unstable)(unfixed)

Notes

[bullseye] - xen <not-affected> (Vulnerable code not present)
https://xenbits.xen.org/xsa/advisory-480.html
Search for package or bug name: Reporting problems