CVE-2026-23554

HIGH 7.8

Use after free of paging structures in EPT

CVSS Score

7.8

EPSS Score

0.0%

EPSS Percentile

4th

The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.

Vendor	xen
Product	xen
Published	Mar 23, 2026
Last Updated	Mar 23, 2026

Stay Ahead of the Next One

Get instant alerts for xen xen

Be the first to know when new high vulnerabilities affecting xen xen are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Xen / Xen

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

xenbits.xenproject.org: https://xenbits.xenproject.org/xsa/advisory-480.html openwall.com: http://www.openwall.com/lists/oss-security/2026/03/17/6 xenbits.xen.org: http://xenbits.xen.org/xsa/advisory-480.html

Credits

This issue was discovered by Roger Pau Monné of XenServer.