CVE-2026-23558

Summary

The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables.

Affected Software

VendorProductVersion RangeStatus
XenXenconsult Xen advisory XSA-486unknown

Weaknesses

Workarounds

Using the "gnttab=max-ver:1" hypervisor command line option will avoid the vulnerability.

Using the "max_grant_version=1" guest configuration option for HVM and PVH guests will also avoid the vulnerability.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References