
Xen Advisory Warns Linux `privcmd` Flaw Can Bypass Kernel Lockdown

Tags: endpoint-software-vulnerability, widely-deployed-product-advisory, defense-evasion-method

Updated March 27, 2026 at 06:03 AM · 7 sources


Xen disclosed XSA-482 for CVE-2026-31788, a flaw in the Linux kernel's privcmd driver that can let an administrator inside an unprivileged Xen guest bypass kernel lockdown protections enforced under secure boot. The bug can be abused to perform actions on the guest kernel that should be blocked in secure mode, including modifying page tables in a way that could allow user mode to alter kernel memory.

The issue affects Xen PV, PVH, and HVM guests running Linux with secure boot enabled. Xen said BSD-based systems are believed unaffected because they do not support secure boot in this context. The vulnerability was discovered by Teddy Astie of Vates, no mitigation is currently known, and remediation requires applying the published Linux patch set; the latest advisory revision notes that the flaw has now been assigned CVE-2026-31788.
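A defender-side triage check for the population XSA-482 describes, added here as an example and not part of the advisory: it reports whether a Linux system is a Xen guest with kernel lockdown in force and the `privcmd` device present, which is the combination the flaw needs. The `/sys/hypervisor/type`, `/sys/kernel/security/lockdown` and `/dev/xen/privcmd` paths are the standard Linux ones; the sysroot argument is this example's own convention so the same check can run against a captured copy of a guest's filesystem.

```shell
#!/bin/sh
# Added example (not from XSA-482): classify a Linux system against the
# conditions the advisory names (Xen guest + kernel lockdown + privcmd).
# $1 is a sysroot prefix; pass "" for the live system or the path of a
# captured tree containing sys/ and dev/.

# Print the active lockdown mode. The file reads like
# "none [integrity] confidentiality"; the bracketed token is the mode in
# force. Prints "unavailable" when lockdown is not exposed by this kernel.
lockdown_mode() {
    f="$1/sys/kernel/security/lockdown"
    [ -r "$f" ] || { echo unavailable; return; }
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$f"
}

# Print the hypervisor type sysfs reports ("xen" inside a Xen guest),
# or "none" when the file is absent (bare metal or no such sysfs node).
hypervisor_type() {
    f="$1/sys/hypervisor/type"
    if [ -r "$f" ]; then tr -d '\n' < "$f"; else echo none; fi
}

# One-line verdict. "exposed:" means every precondition the advisory lists
# is present; the only remediation it gives is the Linux patch set, so
# an exposed result should be paired with a kernel update, not a tunable.
xsa482_exposure() {
    root="$1"
    hv=$(hypervisor_type "$root")
    mode=$(lockdown_mode "$root")
    [ "$hv" = xen ] || { echo not-xen-guest; return; }
    [ -e "$root/dev/xen/privcmd" ] || { echo xen-guest-no-privcmd; return; }
    case "$mode" in
        # lockdown is what the flaw bypasses, so these are the exposed cases
        integrity|confidentiality) echo "exposed:lockdown=$mode" ;;
        # no lockdown in force: nothing for the bypass to defeat
        *) echo "xen-guest-lockdown=$mode" ;;
    esac
}

xsa482_exposure "${1:-}"
```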

Timeline

  1. Mar 24, 2026

    XSA-482 version 3 adds CVE-2026-31788 assignment

    A later revision of Xen Security Advisory 482 noted that the vulnerability had been assigned CVE-2026-31788. The update did not change the core impact, which includes possible page-table modification that could enable user-mode modification of kernel memory inside affected Linux guests.

  2. Mar 24, 2026

    Xen publishes XSA-482 for Linux privcmd kernel lockdown bypass

    Xen disclosed Security Advisory XSA-482 for a flaw in the Linux kernel's privcmd driver that can let an administrator in an unprivileged Xen guest bypass secure-boot kernel lockdown protections. The advisory said affected systems include Xen PV, PVH, and HVM guests running Linux with secure boot, with no known mitigation other than applying the provided Linux patches.


Related Stories

Xen Advisories Disclose Linux Guest Kernel Flaws Enabling Privilege Escalation

Xen has disclosed two Linux guest kernel vulnerabilities affecting virtualized environments, warning that both issues require patching and have no known mitigations. **CVE-2026-31786** (`XSA-485`) affects Linux kernels **4.13 and later** in Xen domains through unsafe handling of the binary build ID exposed at `/sys/hypervisor/properties/buildid`. The bug uses `sprintf()` on a non-null-terminated binary value, which can trigger an out-of-bounds read and, in rare cases, a write past the 4 KB sysfs buffer, potentially leading to **information disclosure, denial of service, or privilege escalation** inside Linux Xen guests. A second advisory, **CVE-2026-31787** (`XSA-487`), describes a **double-free** flaw in the Linux **Xen `privcmd` driver** that allows a **root user in a Linux guest** to bypass kernel lockdown protections tied to secure boot. Xen said the issue affects Linux **PVH or HVM domains** on **x86 and Arm** from kernel **3.8 onward**, while PV domains and non-Linux guests are not affected. The vulnerabilities were reported by **Frediano Ziglio of XenServer** and **Atharva Vartak (@0xAth4rv)**, respectively, and Xen urged operators to apply the supplied Linux patches.

3 days ago
Xen Patches Cross-Guest Data Leak on AMD Zen1 CPUs

Xen disclosed **XSA-488**, a transient execution vulnerability named **Floating Point Divider State Sampling** that affects x86 deployments running on vulnerable **AMD Fam17h (Zen1)** processors. The flaw was identified by researchers from the **CISPA Helmholtz Center for Information Security**, and Xen said an attacker may be able to infer data from other execution contexts, including **other guest VMs**, creating a cross-tenant confidentiality risk for virtualized environments. According to the advisory, **all Xen versions** are affected when deployed on the impacted CPU family. Xen said **no mitigations are currently available**, but released fixes for `xen-unstable` and the supported **4.20/4.19, 4.18, and 4.17** branches, urging operators on affected hardware to apply the relevant patches to reduce exposure.

3 days ago
Xen Grant Table Race Condition Exposes Hosts to Privilege Escalation

Xen disclosed **XSA-486** for `CVE-2026-23558`, a race condition in grant table v2 status page mapping that affects Xen **4.0 and later**. The flaw can be triggered on **x86 HVM and PVH guests** when a guest switches grant table versions from v2 to v1 while simultaneously mapping status pages through `XENMEM_add_to_physmap`, potentially leaving freed status pages mapped in secondary P2M page tables. Xen said successful exploitation could result in **privilege escalation, information disclosure, or denial of service**, including impact to the entire host. The issue does **not** affect Xen 3.4 and earlier, cannot be exploited by x86 PV guests, and is not supported on Arm because grant table v2 is unavailable there. Xen published patches for **xen-unstable**, **Xen 4.19.x**, and maintained branches from **4.18.x through 4.17.x**. As a mitigation, administrators can force grant table version 1 with:

```bash
gnttab=max-ver:1
max_grant_version=1
```

Xen credited **Claude Opus 4.6** with discovering the bug and **Rafal Wojtczuk** with identifying it as a security issue.

3 days ago
