Xen Grant Table Race Condition Exposes Hosts to Privilege Escalation
Xen disclosed XSA-486 for CVE-2026-23558, a race condition in grant table v2 status page mapping that affects Xen 4.0 and later. The flaw can be triggered on x86 HVM and PVH guests when a guest switches grant table versions from v2 to v1 while simultaneously mapping status pages through XENMEM_add_to_physmap, potentially leaving freed status pages mapped in secondary P2M page tables. Xen said successful exploitation could result in privilege escalation, information disclosure, or denial of service, including impact to the entire host.
The issue does not affect Xen 3.4 and earlier, cannot be exploited by x86 PV guests, and is not supported on Arm because grant table v2 is unavailable there. Xen published patches for xen-unstable, Xen 4.19.x, and maintained branches from 4.18.x through 4.17.x. As a mitigation, administrators can force grant table version 1 with:
gnttab=max-ver:1
max_grant_version=1
Xen credited Claude Opus 4.6 with discovering the bug and Rafal Wojtczuk with identifying it as a security issue.
Timeline
Apr 28, 2026
Xen releases patches and mitigations for CVE-2026-23558
Alongside the advisory, Xen released fixes for xen-unstable/Xen 4.19.x and supported Xen 4.18.x through 4.17.x branches. Xen also documented mitigations to force grant table version 1 using the hypervisor option "gnttab=max-ver:1" or the guest option "max_grant_version=1" for HVM and PVH guests.
Apr 28, 2026
Xen discloses XSA-486 / CVE-2026-23558 grant table v2 race
Xen published Security Advisory XSA-486 for CVE-2026-23558, a race condition in grant table v2 status page mapping affecting Xen 4.0 and later on x86 HVM and PVH guests. The flaw can lead to privilege escalation, information disclosure, or denial of service, potentially impacting the entire host.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Sources
Related Stories
Xen Advisories Disclose Linux Guest Kernel Flaws Enabling Privilege Escalation
Xen has disclosed two Linux guest kernel vulnerabilities affecting virtualized environments, warning that both issues require patching and have no known mitigations. **CVE-2026-31786** (`XSA-485`) affects Linux kernels **4.13 and later** in Xen domains through unsafe handling of the binary build ID exposed at `/sys/hypervisor/properties/buildid`. The bug uses `sprintf()` on a non-null-terminated binary value, which can trigger an out-of-bounds read and, in rare cases, a write past the 4 KB sysfs buffer, potentially leading to **information disclosure, denial of service, or privilege escalation** inside Linux Xen guests. A second advisory, **CVE-2026-31787** (`XSA-487`), describes a **double-free** flaw in the Linux **Xen `privcmd` driver** that allows a **root user in a Linux guest** to bypass kernel lockdown protections tied to secure boot. Xen said the issue affects Linux **PVH or HVM domains** on **x86 and Arm** from kernel **3.8 onward**, while PV domains and non-Linux guests are not affected. The vulnerabilities were reported by **Frediano Ziglio of XenServer** and **Atharva Vartak (@0xAth4rv)**, respectively, and Xen urged operators to apply the supplied Linux patches.
3 days ago
Xen Advisory Warns Linux `privcmd` Flaw Can Bypass Kernel Lockdown
Xen disclosed **XSA-482** for **CVE-2026-31788**, a flaw in the Linux kernel's `privcmd` driver that can let an administrator inside an unprivileged Xen guest bypass kernel lockdown protections enforced under secure boot. The bug can be abused to perform actions on the guest kernel that should be blocked in secure mode, including modifying page tables in a way that could allow user mode to alter kernel memory. The issue affects Xen **PV, PVH, and HVM** guests running Linux with secure boot enabled. Xen said BSD-based systems are believed unaffected because they do not support secure boot in this context. The vulnerability was discovered by **Teddy Astie of Vates**, no mitigation is currently known, and remediation requires applying the published Linux patch set; the latest advisory revision notes that the flaw has now been assigned **`CVE-2026-31788`**.
1 months ago
Xen Patches Cross-Guest Data Leak on AMD Zen1 CPUs
Xen disclosed **XSA-488**, a transient execution vulnerability named **Floating Point Divider State Sampling** that affects x86 deployments running on vulnerable **AMD Fam17h (Zen1)** processors. The flaw was identified by researchers from the **CISPA Helmholtz Center for Information Security**, and Xen said an attacker may be able to infer data from other execution contexts, including **other guest VMs**, creating a cross-tenant confidentiality risk for virtualized environments. According to the advisory, **all Xen versions** are affected when deployed on the impacted CPU family. Xen said **no mitigations are currently available**, but released fixes for `xen-unstable` and the supported **4.20/4.19, 4.18, and 4.17** branches, urging operators on affected hardware to apply the relevant patches to reduce exposure.
3 days ago