GHSA-3rr8-7v6m-2h7r
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker must run code in a guest (AV:L, PR:L) at low complexity; escape to the hypervisor changes scope (S:C) with total host confidentiality, integrity, and availability loss.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Description PRE-NVD
AnalysisAI
Local privilege escalation in the Xen hypervisor, disclosed as part of Xen Security Advisory 489 (XSA-489, which bundles CVE-2026-23559 through CVE-2026-23562 and CVE-2026-42486), allows a malicious or compromised guest domain to break guest/host isolation and gain full control over the hypervisor and co-tenant guests. The CWE-250 (Execution with Unnecessary Privileges) root cause combined with the CVSS 4.0 scope-changed, high-impact-across-the-board vector (VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates a guest-to-host escalation rather than a mere in-guest issue. There is no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Xen is a bare-metal (type-1) hypervisor that partitions a physical host into isolated guest domains (domU) managed by a privileged control domain (dom0). The security model depends on the hypervisor strictly confining each guest; any hypervisor-level defect that lets guest-supplied input influence privileged operations collapses that boundary. This CVE is classified CWE-250 (Execution with Unnecessary Privileges), meaning a code path runs with more privilege than the guest context should confer - consistent with the 'Privilege Escalation' tag and the scope change (SC:H) in the CVSS 4.0 vector. The exact defective subsystem cannot be confirmed from the provided data because the oss-security summary is truncated ('Multiple RB…'); the authoritative technical detail resides in XSA-489 at xenbits.xen.org.
RemediationAI
Apply the official Xen patches referenced in XSA-489 (https://xenbits.xen.org/xsa/advisory-489.html) for your supported branch as soon as they are available; downstream users on distribution-packaged Xen (e.g., Debian, SUSE, XCP-ng, Citrix/Cloud Software Group Hypervisor) should upgrade to the vendor build that incorporates the XSA-489 fixes. No exact fixed version number is present in the provided data, so the specific patched release must be taken from XSA-489 itself - do not rely on an assumed version. Because this is a guest-to-host escalation, the strongest compensating control until patching is to reduce trust in guests: avoid running untrusted or multi-tenant workloads on unpatched hosts, consolidate untrusted guests onto separate patched hardware, and where the advisory identifies a specific feature or emulation path as the trigger, disable that path per XSA-489 guidance (trade-off: may reduce guest functionality or performance). Live-migrating untrusted guests off an unpatched host onto a patched one is a viable interim measure in clustered deployments.
Same weakness CWE-250 – Execution with Unnecessary Privileges
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42603