{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23554", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "state": "PUBLISHED", "assignerShortName": "XEN", "dateReserved": "2026-01-14T13:07:36.961Z", "datePublished": "2026-03-23T06:56:52.344Z", "dateUpdated": "2026-03-23T14:19:27.752Z"}, "containers": {"cna": {"title": "Use after free of paging structures in EPT", "datePublic": "2026-03-17T12:00:00.000Z", "descriptions": [{"lang": "en", "value": "The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks."}]}], "affected": [{"defaultStatus": "unknown", "product": "Xen", "vendor": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-480"}]}], "configurations": [{"lang": "en", "value": "Xen 4.17 and onwards are vulnerable. Xen 4.16 and older are not vulnerable.\n\nOnly x86 Intel systems with EPT support are vulnerable.\n\nOnly x86 HVM/PVH guests using HAP can leverage the vulnerability on affected\nsystems."}], "workarounds": [{"lang": "en", "value": "There are no mitigations."}], "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-480.html"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2026-03-23T06:56:52.344Z"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/17/6"}, {"url": "http://xenbits.xen.org/xsa/advisory-480.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-23T07:32:25.539Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-367", "lang": "en", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T14:18:54.774466Z", "id": "CVE-2026-23554", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:19:27.752Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/17/6"}, {"url": "http://xenbits.xen.org/xsa/advisory-480.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-23T07:32:25.539Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23554", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T14:18:54.774466Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:17:26.808Z"}}], "cna": {"title": "Use after free of paging structures in EPT", "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks."}]}], "affected": [{"vendor": "Xen", "product": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-480"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-17T12:00:00.000Z", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-480.html"}], "workarounds": [{"lang": "en", "value": "There are no mitigations."}], "descriptions": [{"lang": "en", "value": "The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions."}], "configurations": [{"lang": "en", "value": "Xen 4.17 and onwards are vulnerable. Xen 4.16 and older are not vulnerable.\n\nOnly x86 Intel systems with EPT support are vulnerable.\n\nOnly x86 HVM/PVH guests using HAP can leverage the vulnerability on affected\nsystems."}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2026-03-23T06:56:52.344Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23554", "state": "PUBLISHED", "dateUpdated": "2026-03-23T14:19:27.752Z", "dateReserved": "2026-01-14T13:07:36.961Z", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "datePublished": "2026-03-23T06:56:52.344Z", "assignerShortName": "XEN"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions."}], "id": "CVE-2026-23554", "lastModified": "2026-03-23T15:16:32.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.1, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-23T07:16:07.200", "references": [{"source": "security@xen.org", "url": "https://xenbits.xenproject.org/xsa/advisory-480.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/17/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://xenbits.xen.org/xsa/advisory-480.html"}], "sourceIdentifier": "security@xen.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{}