CVE-2026-42489
domctl lock open to abuse
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired, however, provides no fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.
| Field | Value |
| --- | --- |
| Vendor | xen |
| Product | xen |
| Published | Jun 18, 2026 |
| Last Updated | Jun 18, 2026 |
Affected Versions
Xen / Xen
All versions affected
References
Credits
This issue was discovered by Andrew Cooper of Citrix.