CVE-2026-23553

EPSS 0.02%
Veröffentlicht 28.01.2026 15:33:44
Zuletzt bearbeitet 29.01.2026 16:31:00
Quelle security@xen.org
CVE-Watchlists
Login
Unerledigt
Login

In the context switch logic Xen attempts to skip an IBPB in the case of
a vCPU returning to a CPU on which it was the previous vCPU to run.
While safe for Xen's isolation between vCPUs, this prevents the guest
kernel correctly isolating between tasks.  Consider:

 1) vCPU runs on CPU A, running task 1.
 2) vCPU moves to CPU B, idle gets scheduled on A.  Xen skips IBPB.
 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.
 4) vCPU moves back to CPU A.  Xen skips IBPB again.

Now, task 2 is running on CPU A with task 1's training still in the BTB.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerXen

≫

Produkt Xen

Default Statusunknown

Version consult Xen advisory XSA-479

Status unknown

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.042

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	2.9	1.4	1.4	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-665 Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

CWE-693 Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

https://xenbits.xenproject.org/xsa/advisory-479.html

http://www.openwall.com/lists/oss-security/2026/01/27/3

http://xenbits.xen.org/xsa/advisory-479.html

https://nvd.nist.gov/vuln/detail/CVE-2026-23553

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-23553

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-23553

EUVD