Skip to main content

Xen Hypervisor CVE-2026-23559

| EUVDEUVD-2026-42602 CRITICAL
Execution with Unnecessary Privileges (CWE-250)
9.4
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Attacker must run code in a guest (AV:L, PR:L); the guest-to-host escape crosses the security boundary (S:C) with full host C/I/A impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 09, 2026 - 16:53 vuln.today
CVSS changed
Jul 09, 2026 - 16:22 NVD
9.4 (CRITICAL)
CVE Published
May 08, 2026 - 06:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Privilege escalation in the Xen hypervisor (disclosed as XSA-489, CVE-2026-23559, one of a bundle of RB-tree/related flaws alongside CVE-2026-23560/23561/23562/42486) allows a malicious or compromised guest to escape guest confinement and compromise the host, with full confidentiality, integrity and availability impact on both the guest and the surrounding system. The CVSS 4.0 vector (9.4) indicates a local attack surface with scope-changed high subsequent-system impact, consistent with a guest-to-hypervisor escalation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; disclosure is currently pre-NVD via the oss-security mailing list.

Technical ContextAI

The affected technology is the Xen hypervisor, a bare-metal (type-1) virtual machine monitor that isolates untrusted guest domains from the host and from each other. The vulnerability is classified as CWE-250 (Execution with Unnecessary Privileges), the class of bug where a component operates with more privilege than its task requires, so that a fault in that code path grants an attacker host-level or cross-domain capabilities. The advisory (XSA-489 v2) groups CVE-2026-23559 with several sibling CVEs (CVE-2026-23560/23561/23562/42486) described in the mailing-list thread with an 'RB' (red-black tree) reference, suggesting a data-structure handling defect reachable from guest context; the exact affected subsystem is not fully recoverable from the mailing-list dump and should be confirmed against the XSA-489 page. No CPE strings were supplied in the input, so exact affected-package identifiers are not available.

RemediationAI

Patch available per vendor advisory (XSA-489); the input does not include an exact fixed Xen version number, so apply the patches referenced on https://xenbits.xen.org/xsa/advisory-489.html and rebuild or update the hypervisor from your distribution once it ships the corresponding fix, rather than an invented version string. Xen security advisories typically publish per-branch patches and an embargo/patch timeline - follow the specific patch set listed there for your Xen branch. As a compensating control until patched, restrict which guests can run on affected hosts: consolidate only trusted/first-party workloads onto vulnerable hosts and move untrusted or multi-tenant guests off them, since the attack requires code execution inside a guest (trade-off: reduced consolidation density and possible live-migration/downtime). Where feasible, reduce guest attack surface against the affected subsystem per any mitigation guidance in XSA-489 (trade-off: may disable functionality some guests rely on). Do not rely on network controls - the vector is local to the host, so firewalling does not mitigate it.

Share

CVE-2026-23559 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy