Skip to main content

Xen CVE-2026-23560

| EUVDEUVD-2026-42603 CRITICAL
Execution with Unnecessary Privileges (CWE-250)
9.4
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Attacker must run code in a guest (AV:L, PR:L) at low complexity; escape to the hypervisor changes scope (S:C) with total host confidentiality, integrity, and availability loss.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 09, 2026 - 16:55 vuln.today
CVSS changed
Jul 09, 2026 - 16:22 NVD
9.4 (CRITICAL)
CVE Published
May 08, 2026 - 06:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Local privilege escalation in the Xen hypervisor, disclosed as part of Xen Security Advisory 489 (XSA-489, which bundles CVE-2026-23559 through CVE-2026-23562 and CVE-2026-42486), allows a malicious or compromised guest domain to break guest/host isolation and gain full control over the hypervisor and co-tenant guests. The CWE-250 (Execution with Unnecessary Privileges) root cause combined with the CVSS 4.0 scope-changed, high-impact-across-the-board vector (VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates a guest-to-host escalation rather than a mere in-guest issue. There is no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Xen is a bare-metal (type-1) hypervisor that partitions a physical host into isolated guest domains (domU) managed by a privileged control domain (dom0). The security model depends on the hypervisor strictly confining each guest; any hypervisor-level defect that lets guest-supplied input influence privileged operations collapses that boundary. This CVE is classified CWE-250 (Execution with Unnecessary Privileges), meaning a code path runs with more privilege than the guest context should confer - consistent with the 'Privilege Escalation' tag and the scope change (SC:H) in the CVSS 4.0 vector. The exact defective subsystem cannot be confirmed from the provided data because the oss-security summary is truncated ('Multiple RB…'); the authoritative technical detail resides in XSA-489 at xenbits.xen.org.

RemediationAI

Apply the official Xen patches referenced in XSA-489 (https://xenbits.xen.org/xsa/advisory-489.html) for your supported branch as soon as they are available; downstream users on distribution-packaged Xen (e.g., Debian, SUSE, XCP-ng, Citrix/Cloud Software Group Hypervisor) should upgrade to the vendor build that incorporates the XSA-489 fixes. No exact fixed version number is present in the provided data, so the specific patched release must be taken from XSA-489 itself - do not rely on an assumed version. Because this is a guest-to-host escalation, the strongest compensating control until patching is to reduce trust in guests: avoid running untrusted or multi-tenant workloads on unpatched hosts, consolidate untrusted guests onto separate patched hardware, and where the advisory identifies a specific feature or emulation path as the trigger, disable that path per XSA-489 guidance (trade-off: may reduce guest functionality or performance). Live-migrating untrusted guests off an unpatched host onto a patched one is a viable interim measure in clustered deployments.

Share

CVE-2026-23560 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy