Skip to main content

Xen Hypervisor CVE-2026-42486

| EUVDEUVD-2026-42608 CRITICAL
Execution with Unnecessary Privileges (CWE-250)
9.4
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Local guest-to-host escape (AV:L) requiring a guest foothold (PR:L), low complexity, with scope change (S:C) to the host giving full C/I/A impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 09, 2026 - 17:00 vuln.today
CVSS changed
Jul 09, 2026 - 16:22 NVD
9.4 (CRITICAL)
CVE Published
May 08, 2026 - 06:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Privilege escalation in the Xen hypervisor (tracked in Xen Security Advisory XSA-489, bundled with CVE-2026-23559 through CVE-2026-23562) allows a local attacker operating within a guest context to break isolation and gain control over the underlying host. The CWE-250 root cause (execution with unnecessary privileges) combined with a scope-changing CVSS 4.0 vector (9.4) means a compromised or malicious guest can impact the host and other co-resident guests. This was disclosed pre-NVD via the oss-security mailing list on 2026/04/29; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

Xen is a bare-metal (type-1) hypervisor that partitions physical hardware into isolated guest domains (domU) managed by a privileged control domain (dom0). The weakness is classified as CWE-250, Execution with Unnecessary Privileges, meaning a code path in the hypervisor or a supporting component operates with more privilege than required, so an operation that should be confined to a guest can reach host-level state. XSA-489 groups several related 'RB' (ring-buffer/reference-counting) issues (CVE-2026-23559/23560/23561/23562/42486), indicating a shared subsystem defect in how Xen mediates guest-to-host operations. Precise affected component and hardware/build configuration are defined in the Xen advisory rather than the NVD CPE data, which is not yet populated for this pre-NVD entry.

RemediationAI

Apply the fixes and patches referenced in Xen Security Advisory XSA-489 at https://xenbits.xen.org/xsa/advisory-489.html as the primary remediation; consult that advisory for the exact patched Xen versions and per-branch backports, as an exact fix version was not included in the provided input. No vendor-released fix version is independently confirmed here - treat the advisory as the authoritative source. As compensating controls until patched, reduce guest attack surface by limiting who can run untrusted or attacker-controlled guests on affected hosts, avoid co-locating sensitive workloads with untrusted tenants, and restrict guest access to the specific hypervisor feature identified in XSA-489 if the advisory documents a configuration-based mitigation; the trade-off is potential loss of the affected functionality and reduced tenant density. Monitor host and dom0 integrity for signs of guest escape.

Share

CVE-2026-42486 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy