Skip to main content

Intel CVE-2026-23554

| EUVDEUVD-2026-14382 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-03-23 XEN GHSA-h6vw-38xq-3xwx
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 23, 2026 - 07:15 euvd
EUVD-2026-14382
Analysis Generated
Mar 23, 2026 - 07:15 vuln.today
CVE Published
Mar 23, 2026 - 06:56 nvd
HIGH 7.8

DescriptionCVE.org

The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush.

Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.

AnalysisAI

This vulnerability in Intel EPT (Extended Page Tables) paging code within Xen allows information disclosure through a use-after-free condition in cached EPT state management. When paging structures are freed before cached EPT state is flushed, stale entries can persist in the EPT cache pointing to memory ranges outside the guest's intended ownership, enabling unauthorized memory access. Xen across multiple versions is affected, with Ubuntu tracking the issue at medium priority across 7 releases and Debian across 7 releases, making this a widespread concern for virtualization infrastructure.

Technical ContextAI

The vulnerability exists in Xen's Extended Page Tables (EPT) implementation, a hardware-assisted memory virtualization feature used by Intel processors. Xen's p2m (physical-to-machine) paging layer implements an optimization that defers flushing of cached EPT state until the p2m lock is released, allowing multiple modifications under the same lock to issue only a single flush operation for efficiency. However, the implementation fails to defer the freeing of paging structures until after flushing is complete. This creates a race condition where freed pages remain transiently in the EPT Translation Lookaside Buffer (TLB) or similar CPU cache structures, allowing the stale entries to reference memory outside the guest's domain. The root cause falls under memory safety issues—specifically, freeing-of-pointers and use-after-free patterns where cached references to freed memory are not invalidated before deallocation. Affected products are identified via CPE cpe:2.3:a:xen:xen:*:*:*:*:*:*:*:*, indicating all versions of Xen are potentially vulnerable.

RemediationAI

Apply security patches issued by the Xen Project as detailed in XSA-480 advisory (https://xenbits.xenproject.org/xsa/advisory-480.html). The patch modifies the EPT paging code to defer freeing of paging structures until after cached EPT state has been flushed, eliminating the race condition. For Ubuntu and Debian users, monitor your distribution's security updates and apply patches as they become available for your tracked releases. Until patches can be applied, mitigation options are limited by the nature of the vulnerability: ensure strict isolation between guest VMs in multi-tenant environments, disable live migration until patching is complete to avoid exposing stale cached state during transitions, and restrict hypervisor access to trusted administrators. Because the vulnerability is rooted in core paging logic, no network-level or configuration-based workarounds are effective; patching is the primary remediation path.

More in Intel

View all
CVE-2017-5689 CRITICAL POC
9.8 May 02

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana

CVE-2012-5958 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2012-5959 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5964 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5963 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5961 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5965 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5962 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5960 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2015-2291 HIGH POC
7.8 Aug 09

Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0

CVE-2024-44308 HIGH
8.8 Nov 20

Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra

Vendor StatusVendor

Ubuntu

Priority: Medium
xen
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
upstream needs-triage -

Debian

xen
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 4.14.5+94-ge49571868d-1 -
bookworm, bookworm (security) vulnerable 4.17.5+72-g01140da4e8-1 -
trixie vulnerable 4.20.2+37-g61ff35323e-0+deb13u1 -
trixie (security) vulnerable 4.20.2+7-g1badcf5035-0+deb13u1 -
forky, sid vulnerable 4.20.2+37-g61ff35323e-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: High
Product Status
Image SLES15-SP5-SAP-Azure-LI-BYOS Image SLES15-SP5-SAP-Azure-LI-BYOS-Production Image SLES15-SP5-SAP-Azure-VLI-BYOS Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production Affected
Image SLES15-SP7-SAP-Azure-LI-BYOS-Production Image SLES15-SP7-SAP-Azure-VLI-BYOS-Production Affected
Image SLES15-SP7-SAP-EC2 Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed

Share

CVE-2026-23554 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy