Skip to main content

Xen Hypervisor CVE-2026-23562

| EUVDEUVD-2026-42607 CRITICAL
Execution with Unnecessary Privileges (CWE-250)
9.4
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Attacker needs a guest foothold so PR:L and AV:L; low complexity, and guest-to-host escape is a scope change (S:C) yielding full host compromise (C/I/A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 09, 2026 - 16:59 vuln.today
CVSS changed
Jul 09, 2026 - 16:22 NVD
9.4 (CRITICAL)
CVE Published
May 08, 2026 - 06:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Privilege escalation in the Xen hypervisor (addressed in Xen Security Advisory XSA-489) allows an attacker executing within a guest VM to break isolation and compromise the underlying host, per its CVSS 4.0 subsequent-system impact of High across confidentiality, integrity, and availability. The flaw is rooted in execution with unnecessary privileges (CWE-250) and is one of several issues (CVE-2026-23559 through -23562 and CVE-2026-42486) disclosed together in XSA-489 v2. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a CVSS 4.0 base score of 9.4 marks it as critical for multi-tenant virtualization environments.

Technical ContextAI

Xen is a widely used open-source type-1 (bare-metal) hypervisor that hosts multiple guest domains on shared physical hardware, enforcing isolation between guests and between guests and the host control domain (dom0). The weakness is classified as CWE-250, Execution with Unnecessary Privileges, meaning a code path runs with more privilege than required and can be abused to cross the guest/host trust boundary. No CPE strings were supplied in the intelligence provided, so exact affected components within Xen cannot be pinned from the data; the authoritative technical detail lives in Xen Security Advisory 489 (https://xenbits.xen.org/xsa/advisory-489.html), which bundles multiple related issues. The CVSS 4.0 vector's scope-change signals (SC:H/SI:H/SA:H alongside VC/VI/VA:H) are consistent with a guest-to-host escalation where compromising one component leads to full control of a separate, higher-privileged system.

RemediationAI

Apply the fixes published in Xen Security Advisory XSA-489 (https://xenbits.xen.org/xsa/advisory-489.html) as the primary remediation - patch available per vendor advisory; an exact fixed version number was not present in the provided data, so pull the specific patched release or backported patch set for your Xen branch directly from the advisory. Because XSA-489 covers multiple CVEs, ensure you deploy the complete patch set rather than a single fix. As compensating controls where immediate patching is not possible, restrict guest workloads to trusted tenants only and avoid running untrusted or attacker-controlled guests on unpatched hosts (trade-off: reduces multi-tenant density and may not be feasible for public cloud/hosting); consolidate sensitive workloads onto already-patched hosts and live-migrate untrusted guests away from vulnerable hosts (trade-off: migration overhead and temporary capacity reduction); and monitor host and hypervisor logs for anomalous guest behavior. Do not rely on network-layer controls, since the attack vector is local (guest-resident), not network-facing.

Share

CVE-2026-23562 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy