GHSA-f6rw-qmp5-m443
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local guest-to-host escape (AV:L) requiring a guest foothold (PR:L), low complexity, with scope change (S:C) to the host giving full C/I/A impact.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Description PRE-NVD
AnalysisAI
Privilege escalation in the Xen hypervisor (tracked in Xen Security Advisory XSA-489, bundled with CVE-2026-23559 through CVE-2026-23562) allows a local attacker operating within a guest context to break isolation and gain control over the underlying host. The CWE-250 root cause (execution with unnecessary privileges) combined with a scope-changing CVSS 4.0 vector (9.4) means a compromised or malicious guest can impact the host and other co-resident guests. This was disclosed pre-NVD via the oss-security mailing list on 2026/04/29; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Technical ContextAI
Xen is a bare-metal (type-1) hypervisor that partitions physical hardware into isolated guest domains (domU) managed by a privileged control domain (dom0). The weakness is classified as CWE-250, Execution with Unnecessary Privileges, meaning a code path in the hypervisor or a supporting component operates with more privilege than required, so an operation that should be confined to a guest can reach host-level state. XSA-489 groups several related 'RB' (ring-buffer/reference-counting) issues (CVE-2026-23559/23560/23561/23562/42486), indicating a shared subsystem defect in how Xen mediates guest-to-host operations. Precise affected component and hardware/build configuration are defined in the Xen advisory rather than the NVD CPE data, which is not yet populated for this pre-NVD entry.
RemediationAI
Apply the fixes and patches referenced in Xen Security Advisory XSA-489 at https://xenbits.xen.org/xsa/advisory-489.html as the primary remediation; consult that advisory for the exact patched Xen versions and per-branch backports, as an exact fix version was not included in the provided input. No vendor-released fix version is independently confirmed here - treat the advisory as the authoritative source. As compensating controls until patched, reduce guest attack surface by limiting who can run untrusted or attacker-controlled guests on affected hosts, avoid co-locating sensitive workloads with untrusted tenants, and restrict guest access to the specific hypervisor feature identified in XSA-489 if the advisory documents a configuration-based mitigation; the trade-off is potential loss of the affected functionality and reduced tenant density. Monitor host and dom0 integrity for signs of guest escape.
Same weakness CWE-250 – Execution with Unnecessary Privileges
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42608