CVE Alert

CVE-2026-23558

HIGH 7.8

grant table v2 race in status page mapping

CVSS Score: 7.8
EPSS Score: 0.0%
EPSS Percentile: 0th

The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when an HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables.

Vendor: xen
Product: xen
Published: May 19, 2026
Last Updated: May 20, 2026

Affected Versions

Xen / Xen
All versions affected

References

xenbits.xenproject.org: https://xenbits.xenproject.org/xsa/advisory-486.html
openwall.com: http://www.openwall.com/lists/oss-security/2026/04/28/13
xenbits.xen.org: http://xenbits.xen.org/xsa/advisory-486.html

Credits

This issue was discovered by Claude Opus 4.6 and diagnosed as a security issue by Rafal Wojtczuk.