PatchSiren cyber security CVE debrief
CVE-2026-23558 Xen CVE debrief
CVE-2026-23558 is a Xen hypervisor race condition that can occur when a guest changes grant table version from v2 to v1 while status pages are being mapped through XENMEM_add_to_physmap. According to the published description, the race can let some status pages be freed while mappings for them are still being inserted into the guest’s secondary page tables, creating a serious memory safety issue in the hypervisor layer. NVD classifies the issue as HIGH severity with a CVSS 3.1 score of 7.8.
- Vendor: Xen
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Organizations running Xen-based virtualization, especially multi-tenant hosts, cloud platforms, and environments that allow HVM or PVH guests to use grant table operations. Hypervisor and virtualization admins should treat this as a host-isolation issue, not just a guest bug.
Technical summary
The vulnerability is described as a race condition involving two concurrent operations: a grant table version transition from v2 to v1 and mapping of status pages via XENMEM_add_to_physmap. The affected pages can be freed before all related mappings have been fully inserted into the guest’s secondary (P2M) page tables. NVD lists Xen as affected and maps the weakness to CWE-362 (race condition). The CVSS vector provided by NVD is AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, which indicates local access is required but the impact can cross a security boundary and affect confidentiality, integrity, and availability at high levels.
Defensive priority
High. The issue affects a hypervisor component and may undermine guest isolation on systems that rely on Xen for separation. Prioritize patching on shared hosts and any deployment where untrusted or semi-trusted guests can run.
Recommended defensive actions
- Apply the Xen fixes or vendor backported updates associated with XSA-486 as soon as they are available for your platform.
- Check host inventories for Xen deployments and identify systems that run HVM or PVH guests using grant table functionality.
- Prioritize patching multi-tenant or internet-facing virtualization hosts before lower-risk single-tenant systems.
- Monitor vendor advisories and package repositories for confirmed fixed builds, then schedule maintenance windows to update affected hosts.
- After patching, validate that guest management workflows involving grant table version changes and page mapping continue to function normally.
Evidence notes
This debrief is based only on the supplied NVD record and its referenced Xen advisory materials. The NVD description states that a race window remains after prior adjustments for XSA-379 and XSA-387, and that the issue arises during a grant table version change from v2 to v1 in parallel with XENMEM_add_to_physmap mapping of status pages. NVD also provides the CVSS vector, severity, and CWE-362 classification. The vendor advisory reference identifies the issue as XSA-486.
Official resources
- CVE-2026-23558 CVE record (CVE.org)
- CVE-2026-23558 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mitigation, Patch, Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Mitigation, Patch, Third Party Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mitigation, Patch, Vendor Advisory
Publicly disclosed by NVD and Xen advisory materials on 2026-05-19; vendor advisory referenced as XSA-486.