CVE Alert

CVE-2026-42487

HIGH 7.9

x86 HVM I/O port list traversal

CVSS Score: 7.9
EPSS Score: 0.0%
EPSS Percentile: 0th

HVM guest I/O port accesses are subject to either emulation or at least translation. Translations are managed by the device model (via XEN_DOMCTL_ioport_mapping), and hence the linked list used may change at any time. Traversal of those lists (while handling guest I/O port accesses) therefore needs synchronizing with updates, which was missing so far.

Vendor: xen
Product: xen
Published: Jun 18, 2026
Last Updated: Jun 18, 2026

Affected Versions

Xen / Xen
All versions affected

References

xenbits.xenproject.org: https://xenbits.xenproject.org/xsa/advisory-491.html
xenbits.xen.org: http://xenbits.xen.org/xsa/advisory-491.html
openwall.com: http://www.openwall.com/lists/oss-security/2026/06/09/11

Credits

This issue was discovered by Jan Beulich of SUSE.