CVE-2026-23558

NameCVE-2026-23558
DescriptionThe adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xen (PTS)bullseye4.14.6-1vulnerable
bullseye (security)4.14.5+94-ge49571868d-1vulnerable
bookworm, bookworm (security)4.17.5+72-g01140da4e8-1vulnerable
trixie4.20.2+37-g61ff35323e-0+deb13u1vulnerable
trixie (security)4.20.2+7-g1badcf5035-0+deb13u1vulnerable
forky, sid4.20.2+37-g61ff35323e-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xensourcebullseye(unfixed)end-of-life
xensource(unstable)(unfixed)

Notes

[trixie] - xen <no-dsa> (Minor issue)
[bookworm] - xen <no-dsa> (Minor issue)
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
https://xenbits.xen.org/xsa/advisory-486.html
Search for package or bug name: Reporting problems