PatchSiren

CVE-2016-9381 Citrix CVE debrief

CVE-2016-9381 is a high-severity race condition (a double-fetch issue) in Xen’s QEMU-related handling that can allow privilege escalation from inside an affected x86 HVM guest. The NVD record rates it CVSS 7.5 and maps it to CWE-362. If you operate XenServer or QEMU-based Xen deployments, this is the kind of issue that should be treated as a priority patching item, especially where guest administrators are trusted but not fully equivalent to host administrators.

Vendor: Citrix
Product: CVE-2016-9381
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Xen and XenServer operators, virtualization platform admins, and security teams responsible for environments running the affected QEMU or Citrix XenServer versions. Also relevant for anyone allowing administrative users inside x86 HVM guests on those platforms.

Technical summary

The vulnerability is described as a race condition in QEMU within Xen, where a local x86 HVM guest OS administrator can change data on shared rings and exploit a double-fetch pattern. NVD lists affected QEMU versions through 2.7.1 and QEMU 2.8.0-rc0, along with Citrix XenServer 6.0.2, 6.2.0, 6.5, and 7.0. The record assigns CWE-362 and the CVSS v3.1 vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating a local attack that requires elevated privileges but can have serious confidentiality, integrity, and availability impact across a security boundary.
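The double-fetch pattern named above, shown as an added C illustration beside its single-fetch correction. This is not QEMU or Xen code: the slot layout, BUF_MAX, the function names and the hook that simulates a concurrent guest write are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_MAX 16u  /* hypothetical size of the backend's private buffer */

/* Constructed request slot in memory the guest can rewrite at any time. */
struct ring_req {
    uint32_t len;
    uint8_t  data[64];
};

/* Hook that stands in for a concurrent guest write, so the race is deterministic. */
static void (*guest_race_hook)(volatile struct ring_req *);
static void flip_len(volatile struct ring_req *r) { r->len = 4096; }

/* Double fetch: len is checked on one read and used on a second read.
 * Returns the length the backend would go on to use (0 = rejected). */
static uint32_t handle_double_fetch(volatile struct ring_req *shared)
{
    if (shared->len > BUF_MAX)      /* fetch 1: validate */
        return 0;
    if (guest_race_hook)
        guest_race_hook(shared);    /* guest rewrites the slot in this window */
    return shared->len;             /* fetch 2: use, no longer validated */
}

/* Single fetch: read len once into private memory, then check and use the copy. */
static uint32_t handle_single_fetch(volatile struct ring_req *shared)
{
    uint32_t len = shared->len;     /* the only read of guest-writable memory */
    if (guest_race_hook)
        guest_race_hook(shared);    /* later guest writes cannot affect len */
    if (len > BUF_MAX)
        return 0;
    return len;
}

int main(void)
{
    struct ring_req slot;
    memset(&slot, 0, sizeof slot);
    guest_race_hook = flip_len;
    slot.len = 8;
    printf("double fetch uses len=%u\n", (unsigned)handle_double_fetch(&slot));
    slot.len = 8;
    printf("single fetch uses len=%u\n", (unsigned)handle_single_fetch(&slot));
    return 0;
}
```

When reviewing code that consumes guest-writable rings, look for any field that is read from shared memory more than once between its validation and its use.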

Defensive priority

High. Prioritize if you run any affected XenServer or QEMU/Xen combination, because the flaw can enable privilege escalation and crosses a trust boundary, even though it requires local, high-privilege access in the guest.

Recommended defensive actions

  • Confirm whether any Xen or XenServer hosts in your estate match the affected CPEs listed by NVD, including QEMU through 2.7.1, QEMU 2.8.0-rc0, and XenServer 6.0.2/6.2.0/6.5/7.0.
  • Apply the vendor remediation guidance referenced by Xen Security Advisory 197 and the Citrix support advisory for the specific product line you run.
  • Treat guest OS administrator access on affected systems as high risk until patched, and review whether your tenant or guest trust model assumes stronger isolation than this issue provides.
  • Use maintenance windows to patch and verify the exact platform build after remediation, since the issue is tied to specific product versions rather than a generic configuration flag.
  • Maintain monitoring for unusual activity at privilege boundaries and for guest-to-host escalation attempts in affected virtualization environments, especially where guest administrators are delegated broad control.

Evidence notes

Evidence in the supplied corpus comes from the NVD modified record and linked advisories. NVD lists the vulnerability as CVSS 3.1 AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, CWE-362, and affected CPEs for QEMU and Citrix XenServer. The CVE was first published on 2017-01-23 and later modified on 2026-05-13; that later date reflects record maintenance, not the original issue date.

Official resources

Public CVE record first published 2017-01-23T21:59:02.800Z and modified 2026-05-13T00:24:29.033Z. No Known Exploited Vulnerabilities entry is present in the supplied corpus.