=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN608
_____________________________________________________________________

DATE                : 09/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Xen.

=====================================================================
https://xenbits.xen.org/xsa/advisory-491.html
https://xenbits.xen.org/xsa/advisory-492.html
https://xenbits.xen.org/xsa/advisory-493.html
https://xenbits.xen.org/xsa/advisory-494.html
_____________________________________________________________________

            Xen Security Advisory CVE-2026-42487 / XSA-491
                               version 2

                    x86 HVM I/O port list traversal

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

HVM guest I/O port accesses are subject to either emulation or at least
translation.  Translations are managed by the device model (via
XEN_DOMCTL_ioport_mapping), and hence the linked list used may change
at any time.  Traversal of those lists (while handling guest I/O port
accesses) therefore needs synchronizing with updates, which was missing
so far.
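
The synchronisation requirement described above, shown on a small model.
The following C program is an added example; it is not Xen code and is
not taken from the advisory's patches.  It walks a toy port-translation
list while an update is injected mid-walk through a callback, first
without and then with reader exclusion.  The names (port_map, list_remove,
translate), the reader counter standing in for a lock, and the port
numbers are assumptions made for the illustration.

```c
/* Added illustration, not Xen code. Single-threaded model: the "concurrent"
 * device-model update is injected through a callback in the middle of a walk. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct port_map {                  /* guest port range -> machine port range */
    unsigned int gport, mport, count;
    bool unlinked;                 /* set on removal; stands in for free() */
    struct port_map *next;
};

struct port_list {
    struct port_map *head;
    unsigned int readers;          /* walks in progress (models a read lock) */
};

typedef void (*update_hook)(struct port_list *l);

static bool list_add(struct port_list *l, unsigned g, unsigned m, unsigned n)
{
    struct port_map *pm = calloc(1, sizeof(*pm));
    if (!pm)
        return false;
    pm->gport = g; pm->mport = m; pm->count = n;
    pm->next = l->head;
    l->head = pm;
    return true;
}

/* Update path: with locking, refuse while a walk is in progress. */
static bool list_remove(struct port_list *l, unsigned g, bool locked)
{
    if (locked && l->readers)
        return false;              /* writer must wait and retry */
    for (struct port_map **pp = &l->head; *pp; pp = &(*pp)->next)
        if ((*pp)->gport == g) {
            struct port_map *pm = *pp;
            *pp = pm->next;
            pm->unlinked = true;   /* real code would free pm at this point */
            return true;
        }
    return false;
}

/* Guest access path. Returns the machine port, -1 if unmapped, or -2 if the
 * walk dereferenced a node that an update had already removed. */
static long translate(struct port_list *l, unsigned port, bool locked,
                      update_hook hook)
{
    long ret = -1;
    if (locked)
        l->readers++;
    for (struct port_map *pm = l->head; pm; pm = pm->next) {
        if (hook) hook(l);         /* update arrives while pm is held */
        if (pm->unlinked) { ret = -2; break; }
        if (port >= pm->gport && port - pm->gport < pm->count) {
            ret = (long)pm->mport + (port - pm->gport);
            break;
        }
    }
    if (locked)
        l->readers--;
    return ret;
}

static void remove_unlocked(struct port_list *l) { list_remove(l, 0x3f8, false); }
static void remove_locked(struct port_list *l)   { list_remove(l, 0x3f8, true); }

/* Constructed scenario: removal of a mapping races with a lookup that uses it. */
static long run_scenario(bool locked)
{
    struct port_list l = { NULL, 0 };
    list_add(&l, 0x60, 0x60, 1);
    list_add(&l, 0x3f8, 0x2f8, 8);
    return translate(&l, 0x3fa, locked, locked ? remove_locked : remove_unlocked);
}

int main(void)
{
    printf("unsynchronised walk: %ld\n", run_scenario(false));
    printf("synchronised walk:   %ld\n", run_scenario(true));
    return 0;
}
```

In the unsynchronised run the walk is left holding a node that has
already been unlinked, which in real code would be freed memory; in the
synchronised run the update is refused until the walk has finished.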

IMPACT
======

A device model of an HVM guest can cause a hypervisor crash, causing a
Denial of Service (DoS) of the entire host.  Privilege escalation and
information leaks cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been inspected.

Only x86 systems are vulnerable.  Arm systems are not vulnerable.

Only entities controlling HVM guests can leverage the vulnerability.
These are device models running in either a stub domain or de-privileged
in Dom0.

MITIGATION
==========

Running only PV or PVH guests will avoid the vulnerability.

(Switching from a device model stub domain or a de-privileged device
model to a fully privileged Dom0 device model does NOT mitigate this
vulnerability.  Rather, it simply recategorises the vulnerability to
hostile management code, regarding it "as designed"; thus it merely
reclassifies these issues as "not a bug".  The security of a Xen system
using stub domains is still better than with a qemu-dm running as a Dom0
process.  Users and vendors of stub qemu dm systems should not change
their configuration to use a Dom0 qemu process.)

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa491.patch           xen-unstable
xsa491-4.21.patch      Xen 4.21.x - Xen 4.17.x

$ sha256sum xsa491*
23a90da1c71389083351846169fc565a671b44f5f4ba838b18fc0fa6d7582bf8  xsa491.patch
443674f42a092b953b6ba4d91cfa19bfbee0077dfcd5a39ae53368e40ed23aac  xsa491-4.21.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
_____________________________________________________________________


     Xen Security Advisory CVE-2026-42489,CVE-2026-42490 / XSA-492
                               version 3

                       domctl lock open to abuse

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

To create and manage guests, domctl operations are used by the control
domain, a possible Xenstore domain, or by a domain controlling a
particular guest.  Some of these operations may not be executed in
parallel, so a system-wide lock is used.  The way that lock is acquired
does not, however, provide any fairness.  This is CVE-2026-42489.

Furthermore, with XSM/Flask in use, the lock acquisition will, for some
operations, occur ahead of any permission checking.  This is
CVE-2026-42490.
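
The two problems described above can be told apart in a small model.
The following C program is an added example; it is not Xen code and is
not taken from the advisory's patches.  It measures how long an "admin"
caller waits for one global lock while a "busy" caller keeps submitting
requests, for an unfair and a fair lock and for both orderings of the
permission check.  The step schedule, the caller names and the choice of
a ticket lock as the fair variant are assumptions of the model.

```c
/* Added illustration, not Xen code: deterministic model of one global lock
 * contended by a "busy" caller and an "admin" caller. Names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct lock {
    bool fair;               /* false: try-and-retry, true: ticket (FIFO) */
    bool held;               /* try-and-retry state */
    unsigned next, owner;    /* ticket state: next ticket, ticket served */
};

struct caller {
    bool authorized;         /* would the permission check pass? */
    bool holding, queued;    /* queued: already owns a ticket */
    unsigned ticket;
};

/* One acquisition attempt; a ticket waiter keeps its place between attempts. */
static bool try_acquire(struct lock *l, struct caller *c)
{
    if (!l->fair) {
        if (l->held)
            return false;
        l->held = true;
    } else {
        if (!c->queued) {
            c->ticket = l->next++;
            c->queued = true;
        }
        if (c->ticket != l->owner)
            return false;
        c->queued = false;
    }
    c->holding = true;
    return true;
}

static void release(struct lock *l, struct caller *c)
{
    if (l->fair)
        l->owner++;
    else
        l->held = false;
    c->holding = false;
}

/* Steps the admin waits for the lock, or -1 if it never gets it in 'steps'.
 * Each step, the busy caller runs first: it completes its previous request
 * and immediately submits the next one. */
static int admin_wait(bool fair, bool check_first, bool busy_authorized, int steps)
{
    struct lock l = { .fair = fair };
    struct caller busy = { .authorized = busy_authorized };
    struct caller admin = { .authorized = true };

    for (int t = 0; t < steps; t++) {
        if (busy.holding)
            release(&l, &busy);
        /* Hardened order rejects an unauthorized request before the lock is
         * touched; the weak order holds the lock while the check runs. */
        if (busy.authorized || !check_first)
            try_acquire(&l, &busy);
        if (try_acquire(&l, &admin))
            return t;
    }
    return -1;
}

int main(void)
{
    printf("unfair, lock then check, unauthorized busy caller: %d\n",
           admin_wait(false, false, false, 1000));
    printf("unfair, check then lock, unauthorized busy caller: %d\n",
           admin_wait(false, true, false, 1000));
    printf("unfair, check then lock, authorized busy caller:   %d\n",
           admin_wait(false, true, true, 1000));
    printf("fair,   check then lock, authorized busy caller:   %d\n",
           admin_wait(true, true, true, 1000));
    return 0;
}
```

Checking permissions first removes only the unauthorized caller from the
contention; an authorized caller can still hold off the admin until the
lock itself hands out turns in order.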

IMPACT
======

A less privileged entity may stall an equally or more privileged entity,
potentially leading to a Denial of Service (DoS) of up to the entire
host.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.3 onwards are vulnerable.  Earlier versions use
a different locking operation, but may also be vulnerable.

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

NOTE: The staging and 4.21 patches include an adjustment to the default
Flask policy.  When custom policies are in use, a corresponding change
will need to be made there.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa492/xsa492-??.patch          xen-unstable
xsa492/xsa492-4.21-*.patch      Xen 4.21.x
xsa492/xsa492-4.20-*.patch      Xen 4.20.x
xsa492/xsa492-4.19-*.patch      Xen 4.19.x
xsa492/xsa492-4.18-*.patch      Xen 4.18.x
xsa492/xsa492-4.17-*.patch      Xen 4.17.x

_____________________________________________________________________

              Xen Security Advisory CVE-2025-10263 / XSA-493
                                 version 2

 Arm: Completion of memory accesses not guaranteed by completion of a TLBI

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

A hardware issue has been identified in certain Arm CPU designs.  A
broadcast TLBI on one PE may complete before affected memory accesses
on another PE are globally observed.  This may permit bypass of Stage 1
translation, Stage 2 translation, or GPT protection.

The erratum occurs when all of the following conditions are met:

 - A PE (PEx) executes a store.
 - Another PE (PEy) executes a TLBI instruction which applies to
   Stage 1 only information, Stage 1 and 2 information, or GPT
   information (but not Stage 2 only information), applies to the
   Inner Shareable or Outer Shareable domain containing PEx, and
   affects at least one of the bytes accessed by PEx's store.
 - PEy executes a DSB instruction which is sufficient to complete the
   TLBI instruction.
 - Complex micro-architectural conditions occur.

When all conditions are met, PEy's DSB may complete before the global
observation of a portion of PEx's store which was affected by the TLB
invalidation.  This store may complete at a later time, after memory
accesses which are ordered after the DSB.

The relevant TLB entries are invalidated correctly before the
completion of the DSB.  This erratum does not affect reads.

For more details, please refer to the Arm Security Center:
  https://developer.arm.com/Arm%20Security%20Center

IMPACT
======

A malicious guest may be able to write to memory it no longer has
permission to write to, after Xen has modified Stage 2 translation to
forbid writes to that location.  This could allow a guest to escalate
its privileges to that of the hypervisor.

VULNERABLE SYSTEMS
==================

Only systems running Xen on Arm are affected.  x86 systems are not
vulnerable.

Only multi-core configurations are affected.

The following Arm CPUs are affected:

 - Arm C1-Ultra, C1-Premium
 - Neoverse V3 & V3AE, Neoverse V2, Neoverse V1, Neoverse N2,
   Neoverse N1
 - Cortex-X925, Cortex-X4, Cortex-X3, Cortex-X2, Cortex-X1 & X1C,
   Cortex-A710, Cortex-A78, A78AE & A78C, Cortex-A77, Cortex-A76 &
   A76AE

MITIGATION
==========

There is no known mitigation.

CREDITS
=======

This issue was reported by Arm.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa493/xsa493-??.patch           xen-unstable
xsa493/xsa493-4.21-??.patch      Xen 4.21.x
xsa493/xsa493-4.20-??.patch      Xen 4.20.x
xsa493/xsa493-4.19-??.patch      Xen 4.19.x
xsa493/xsa493-4.18-??.patch      Xen 4.18.x
xsa493/xsa493-4.17-??.patch      Xen 4.17.x

_____________________________________________________________________

            Xen Security Advisory CVE-2026-42488 / XSA-494
                               version 3

                   x86: mismatched mapcache metadata

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Some shadow paging error paths will switch the page-tables without
updating the currently running vCPU reference.  This causes a mismatch
between the loaded page-tables and the mapcache metadata which can lead
to corruption of the mapcache.

IMPACT
======

Privilege escalation, Denial of Service (DoS) affecting the entire host,
and information leaks.

VULNERABLE SYSTEMS
==================

Xen 4.15 and onwards are vulnerable.  Any Xen version with the fix for
XSA-438 applied is vulnerable.

Only x86 systems are vulnerable.  Only 64-bit PV guests can leverage the
vulnerability, and only when running in shadow mode.  Shadow mode would
be in use when migrating guests or as a workaround for XSA-273 (L1TF).

MITIGATION
==========

Running only HVM or PVH guests will avoid the vulnerability.

Running PV guests in the PV shim will also avoid the vulnerability.

CREDITS
=======

This issue was discovered by Roger Pau Monné of XenServer.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa494.patch           xen-unstable
xsa494-4.21.patch      Xen 4.21.x
xsa494-4.20.patch      Xen 4.20.x - Xen 4.19.x
xsa494-4.18.patch      Xen 4.18.x
xsa494-4.17.patch      Xen 4.17.x

$ sha256sum xsa494*
6e3328f73000afdfffa5e4d9fec89a4c9456d97758bfa1a0605765a386565328  xsa494.patch
483675d6cb69b70e919110f58814b047787c3b53def344cf32f4acdd7ee9b271  xsa494-4.17.patch
e637dce8cd5ecf7c30501ab2eb0af5240ff0a36844b257ca7dd14094d5118aa2  xsa494-4.18.patch
a70aa60fb5dcf171025c5d90e332dcae95a83bbf9d42ab45451f629621f455e5  xsa494-4.20.patch
14f9698060c523893f710cc5ab3ec723c75a99e5caa193b9281d4a06016bf687  xsa494-4.21.patch
$

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




