CVE-2026-23554 (GCVE-0-2026-23554)
Vulnerability from cvelistv5
Published
2026-03-23 06:56
Modified
2026-03-23 14:19
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.
References
Impacted products
Vendor Product Version
Xen Xen Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-23T07:32:25.539Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/17/6"
          },
          {
            "url": "http://xenbits.xen.org/xsa/advisory-480.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-23554",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T14:18:54.774466Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-367",
                "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T14:19:27.752Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-480"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Xen 4.17 and onwards are vulnerable.  Xen 4.16 and older are not vulnerable.\n\nOnly x86 Intel systems with EPT support are vulnerable.\n\nOnly x86 HVM/PVH guests using HAP can leverage the vulnerability on affected\nsystems."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."
        }
      ],
      "datePublic": "2026-03-17T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks."
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T06:56:52.344Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-480.html"
        }
      ],
      "title": "Use after free of paging structures in EPT",
      "workarounds": [
        {
          "lang": "en",
          "value": "There are no mitigations."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2026-23554",
    "datePublished": "2026-03-23T06:56:52.344Z",
    "dateReserved": "2026-01-14T13:07:36.961Z",
    "dateUpdated": "2026-03-23T14:19:27.752Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/17/6\"}, {\"url\": \"http://xenbits.xen.org/xsa/advisory-480.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-03-23T07:32:25.539Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-23554\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-23T14:18:54.774466Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-367\", \"description\": \"CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-23T14:17:26.808Z\"}}], \"cna\": {\"title\": \"Use after free of paging structures in EPT\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"This issue was discovered by Roger Pau Monn\\u00e9 of XenServer.\"}], \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"Privilege escalation, Denial of Service (DoS) affecting the entire host,\\nand information leaks.\"}]}], \"affected\": [{\"vendor\": \"Xen\", \"product\": \"Xen\", \"versions\": [{\"status\": \"unknown\", \"version\": \"consult Xen advisory XSA-480\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2026-03-17T12:00:00.000Z\", \"references\": [{\"url\": \"https://xenbits.xenproject.org/xsa/advisory-480.html\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"There are no mitigations.\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Intel EPT paging code uses an optimization to defer flushing of any cached\\nEPT state until the p2m lock is dropped, so that multiple modifications done\\nunder the same locked region only issue a single flush.\\n\\nFreeing of paging structures however is not deferred until the flushing is\\ndone, and can result in freed pages transiently being present in cached state.\\nSuch stale entries can point to memory ranges not owned by the guest, thus\\nallowing access to unintended memory regions.\"}], \"configurations\": [{\"lang\": \"en\", \"value\": \"Xen 4.17 and onwards are vulnerable.  Xen 4.16 and older are not vulnerable.\\n\\nOnly x86 Intel systems with EPT support are vulnerable.\\n\\nOnly x86 HVM/PVH guests using HAP can leverage the vulnerability on affected\\nsystems.\"}], \"providerMetadata\": {\"orgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"shortName\": \"XEN\", \"dateUpdated\": \"2026-03-23T06:56:52.344Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-23554\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-23T14:19:27.752Z\", \"dateReserved\": \"2026-01-14T13:07:36.961Z\", \"assignerOrgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"datePublished\": \"2026-03-23T06:56:52.344Z\", \"assignerShortName\": \"XEN\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.