GHSA-xh76-qhvp-prh8
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker needs a guest foothold so PR:L and AV:L; low complexity, and guest-to-host escape is a scope change (S:C) yielding full host compromise (C/I/A:H).
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Description PRE-NVD
AnalysisAI
Privilege escalation in the Xen hypervisor (addressed in Xen Security Advisory XSA-489) allows an attacker executing within a guest VM to break isolation and compromise the underlying host, per its CVSS 4.0 subsequent-system impact of High across confidentiality, integrity, and availability. The flaw is rooted in execution with unnecessary privileges (CWE-250) and is one of several issues (CVE-2026-23559 through -23562 and CVE-2026-42486) disclosed together in XSA-489 v2. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a CVSS 4.0 base score of 9.4 marks it as critical for multi-tenant virtualization environments.
Technical ContextAI
Xen is a widely used open-source type-1 (bare-metal) hypervisor that hosts multiple guest domains on shared physical hardware, enforcing isolation between guests and between guests and the host control domain (dom0). The weakness is classified as CWE-250, Execution with Unnecessary Privileges, meaning a code path runs with more privilege than required and can be abused to cross the guest/host trust boundary. No CPE strings were supplied in the intelligence provided, so exact affected components within Xen cannot be pinned from the data; the authoritative technical detail lives in Xen Security Advisory 489 (https://xenbits.xen.org/xsa/advisory-489.html), which bundles multiple related issues. The CVSS 4.0 vector's scope-change signals (SC:H/SI:H/SA:H alongside VC/VI/VA:H) are consistent with a guest-to-host escalation where compromising one component leads to full control of a separate, higher-privileged system.
RemediationAI
Apply the fixes published in Xen Security Advisory XSA-489 (https://xenbits.xen.org/xsa/advisory-489.html) as the primary remediation - patch available per vendor advisory; an exact fixed version number was not present in the provided data, so pull the specific patched release or backported patch set for your Xen branch directly from the advisory. Because XSA-489 covers multiple CVEs, ensure you deploy the complete patch set rather than a single fix. As compensating controls where immediate patching is not possible, restrict guest workloads to trusted tenants only and avoid running untrusted or attacker-controlled guests on unpatched hosts (trade-off: reduces multi-tenant density and may not be feasible for public cloud/hosting); consolidate sensitive workloads onto already-patched hosts and live-migrate untrusted guests away from vulnerable hosts (trade-off: migration overhead and temporary capacity reduction); and monitor host and hypervisor logs for anomalous guest behavior. Do not rely on network-layer controls, since the attack vector is local (guest-resident), not network-facing.
Same weakness CWE-250 – Execution with Unnecessary Privileges
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42607