Skip to main content

Xen Hypervisor CVE-2026-42490

HIGH
2026-06-09
Python Citrix Information Disclosure Suse
Share

Severity by source

SUSE
4.1 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 14:16 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Xen Hypervisor's domctl locking mechanism, when XSM/Flask mandatory access control is enabled, acquires the system-wide serialization lock for certain operations before performing any Flask permission checks. This allows a less-privileged guest domain to seize the lock without authorization and stall equally or more privileged entities - including the control domain (dom0) and Xenstore domain - potentially causing a Denial of Service affecting the entire physical host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attain control of less-privileged Xen domain
Delivery
Invoke domctl operations targeting vulnerable lock path
Exploit
Acquire system-wide lock before Flask permission check executes
Execution
Repeatedly contest or hold lock without authorization
Persist
Block privileged domctl operations in control domain
Impact
Host management plane denial of service
Sign in to reveal

Vulnerability AssessmentAI

Exploitation XSM/Flask (Xen Security Module with Flask mandatory access control policy) must be explicitly enabled on the Xen host - this is a non-default configuration not present in standard Xen deployments. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector was provided for this CVE, which prevents standard quantitative scoring. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker controlling a less-privileged guest domain on a Xen host with XSM/Flask enabled repeatedly initiates domctl operations that trigger the vulnerable lock-before-check code path, acquiring the system-wide domctl lock without Flask ever authorizing the operation. By holding or repeatedly contesting this lock, the attacker prevents the control domain (dom0) from completing privileged domctl operations such as creating, destroying, or reconfiguring guest VMs, resulting in management plane unavailability and potential host-wide Denial of Service. …
Remediation Apply the XSA-492 patch set distributed by the Xen Project, available for Xen 4.17.x through 4.21.x and the xen-unstable branch. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Xen Hypervisor deployments and assess which servers host production workloads. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48039 CRITICAL POC
9.1 Jun 11

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac
CVE-2026-53753 CRITICAL
9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-48519 CRITICAL
9.6 Jun 16

Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co
CVE-2026-45833 CRITICAL
9.4 Jun 12

Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U
CVE-2026-47103 CRITICAL
9.3 Jun 17

Remote code execution in python-statemachine 3.0.0 through 3.1.x allows attackers to run arbitrary Python in the host pr

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Micro 5.5 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected

Share

CVE-2026-42490 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy