CVE-2026-23553
2.9
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider:
- vCPU runs on CPU A, running task 1.
- vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB.
- On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.
- vCPU moves back to CPU A. Xen skips IBPB again.
Now, task 2 is running on CPU A with task 1's training still in the BTB.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Xen | Xen | consult Xen advisory XSA-479 | unknown |
Weaknesses
Workarounds
Using "spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv" on the Xen command line will activate the SRSO mitigation on non-SRSO-vulnerable hardware, but it is a large overhead.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.