From xen-announce-bounces@lists.xenproject.org Wed Apr 08 13:32:37 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 08 Apr 2026 13:32:37 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1276097.1561725 (Exim 4.92) (envelope-from ) id 1wAT0b-000591-H1; Wed, 08 Apr 2026 13:31:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1276097.1561725; Wed, 08 Apr 2026 13:31:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wAT0b-00058t-E8; Wed, 08 Apr 2026 13:31:53 +0000 Received: by outflank-mailman (input) for mailman id 1276097; Wed, 08 Apr 2026 13:10:55 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wASgJ-0000aj-Go for xen-announce@lists.xenproject.org; Wed, 08 Apr 2026 13:10:55 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wASgI-00648u-T0 for xen-announce@lists.xenproject.org; Wed, 08 Apr 2026 15:10:54 +0200 Received: from [10.42.69.10] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 69d653d3-e002-0a2a0a5209dd-0a2a450ab698-38 for ; Wed, 08 Apr 2026 15:10:54 +0200 Received: from [209.85.128.44] (helo=mail-wm1-f44.google.com) by tlsNG-4011c0.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.0) (envelope-from ) id 69d653de-ee98-0a2a450a0019-d155802cb985-3 for ; Wed, 08 Apr 2026 15:10:54 +0200 Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-48374014a77so83859545e9.3 for ; Wed, 08 Apr 2026 06:10:54 -0700 (PDT) Received: from [10.156.60.236] (ip-037-024-206-209.um08.pools.vodafone-ip.de. [37.24.206.209]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43d1e4d282esm58133102f8f.18.2026.04.08.06.10.53 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 08 Apr 2026 06:10:53 -0700 (PDT) X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" Authentication-Results: eu.smtp.expurgate.cloud; dkim=pass header.s=google header.d=suse.com header.i="@suse.com" header.h="Content-Transfer-Encoding:Autocrypt:Content-Language:Cc:To:Subject:From:User-Agent:MIME-Version:Date:Message-ID" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=google; t=1775653854; x=1776258654; darn=lists.xenproject.org; h=content-transfer-encoding:autocrypt:content-language:cc:to:subject :from:user-agent:mime-version:date:message-id:from:to:cc:subject :date:message-id:reply-to; bh=/EqXdAz4Z1r0fJ2IUFEFv5ntaUz0uYkqQDuLdrMcrSo=; b=JL7J3StYdYbIZakCkXbksjnuCN5Do61v+51QhURC23iW6R6Smz4tk0LM/TNG+DULmb m1DmfMCR3Czydd0bRW/XD8JcYkCglMZJ5iBI972yU0x2le/Au+ezE/Isozyw00Vu0hu7 sOQT46GZmU9zorPiqf8pSkL/ewcZ+nFTNbP+3KjD8nxVN1GBJSec0T8N0uoESqC+6pUg HVeaWtY/9qfpIeWDN5F8LILr+7zyM5k5NP1qCkKoqMOfRC622yISfe4tlb5kRgGmFXk7 SV1XtrKW7KTqxomiHfh1XQJhBz4+m4cj3I+SICV4wpuUPN0So5IXLDrYavh1oy4CJZsn ZTSg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775653854; x=1776258654; h=content-transfer-encoding:autocrypt:content-language:cc:to:subject :from:user-agent:mime-version:date:message-id:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=/EqXdAz4Z1r0fJ2IUFEFv5ntaUz0uYkqQDuLdrMcrSo=; b=J6W4saOwCEgmw9mjtmpPkoK0C8fG+gQxK+2NhbukY5wHhdMmehx/uV87dqdAmRG7Wi siB/S5u7PJps0S+hQePLt81yn12Q4RsFD0SDCZDXUODu6KWUh9B3ZgyGqtWJua+w0aZc PFZ45icfaJCgnBFYfxe02r1BEb6Ezl2eD/OHNOsGKAG36xe3jpXQWNWKRUuQi96n/uUp 1+HUl9ii2Ec7qX/7+eW9JU29HO04Vux3fpOMS1yCeyQK24+yC/B3iilbt481uqd+uoZp 9Y9EnRsCbexTsHN87d9WZ3bAn82XTGavlxxUEc0GYYrIweAHrJ4BgGZwP71G6hPG1lWM ygEg== X-Gm-Message-State: AOJu0YwT1ELjsKcU17Zue9qpDoXAABKVI7D7aVMkiIF8xxAKGrKP+81s PDCUeCewkJ2pjqxBpZvWdT7/KX8F0Emf2OagWqNx/PT4FwveUnP8MQQ2VEbzUw8nu/rRHiCZ54x 5d10crQ== X-Gm-Gg: AeBDiev0NV+K7jj54dZdE/7XIdBLzRYDyV7B62ABxO+8SG54K2p0Dls8TM6N41ksXyW VAXyitkdF3mITGHXVYf6zBw5Peh+IVjUVrbaDoLYo2PFhDU5ZEEvf9GjTth3OliEGSFhBgmyrfa oEK99SxQiX5oil5/NPZUeX4bPW0wFr6YYOsJsApYdNUAGWn4AAUQrnEQSlc8SAlZLK2DXn/yI0d o+MvNbveNLQYF2XyozKU2stkGx7rlZDVf3HkfDpXSMMJsFgeuPj5I4wY9B/qVx1rl7PLw+eqoSA KdoqiGk7hp6jQWAnjEHA/hJVGU/vMF5ixerNJPM5Bc64x7jfQg3ZX9KVUEVaQPQkrIHHqZlsmVz b6KG/cVqrX3+gsQXG53huyynpc5nVYmO+B3j7VK2CVQQifEhhLSYt9rX+VHQlLkMZ2quoWij8xb EJhd/W/3oBlIcLcRYJ/JJkGsR0wr2Bey0x2EI7LjPQUO4iPn2zOrbyHXjDpyAGPfXzOJ/38/0CB DMC0uhN50IckpPFclWU528ywQ== X-Received: by 2002:a05:600c:4593:b0:485:33ad:3c9f with SMTP id 5b1f17b1804b1-488997de1c6mr325627405e9.25.1775653854286; Wed, 08 Apr 2026 06:10:54 -0700 (PDT) Message-ID: <13f9a1c9-5722-44cc-b044-6bdbc7e845a9@suse.com> Date: Wed, 8 Apr 2026 15:10:53 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird From: Jan Beulich Subject: Xen 4.21.1 released To: xen-announce@lists.xenproject.org Cc: "xen-devel@lists.xenproject.org" Content-Language: en-US Autocrypt: addr=jbeulich@suse.com; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-purgate-ID: tlsNG-4011c0/1775653854-0EB4D0B1-617A0B10/0/0 X-purgate-type: clean X-purgate-size: 449 All, we're pleased to announce the release of another bug fixing Xen version. (A little late, sorry.) Xen 4.21.1 is available from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.21 (tag RELEASE-4.21.1) or from the XenProject download page https://xenproject.org/resources/downloads/. We recommend all users of the 4.21 stable series to update to this first point release. Regards, Jan From xen-announce-bounces@lists.xenproject.org Fri Apr 17 17:02:47 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 17 Apr 2026 17:02:47 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1284579.1566276 (Exim 4.92) (envelope-from ) id 1wDmaE-0005KU-7S; Fri, 17 Apr 2026 17:02:22 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1284579.1566276; Fri, 17 Apr 2026 17:02:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wDmaE-0005KJ-2k; Fri, 17 Apr 2026 17:02:22 +0000 Received: by outflank-mailman (input) for mailman id 1284579; Fri, 17 Apr 2026 17:02:20 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wDmaC-0005Jz-9o; Fri, 17 Apr 2026 17:02:20 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wDmaB-000jIW-MX; Fri, 17 Apr 2026 19:02:19 +0200 Received: from [10.42.69.9] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 69e2678f-bab6-0a2a0a5309dd-0a2a4509cc8a-30 for ; Fri, 17 Apr 2026 19:02:19 +0200 Received: from [104.130.215.37] (helo=mail.xenproject.org) by tlsNG-bad1c0.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 69e2679a-2497-0a2a45090019-6882d725c690-3 for ; Fri, 17 Apr 2026 19:02:19 +0200 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wDma4-006TOt-20; Fri, 17 Apr 2026 17:02:12 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wDma4-007har-1n; Fri, 17 Apr 2026 17:02:12 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" Authentication-Results: eu.smtp.expurgate.cloud; none Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.510 (Entity 5.510) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 488 v1 - x86: Floating Point Divider State Sampling Message-Id: Date: Fri, 17 Apr 2026 17:02:12 +0000 X-purgate-ID: tlsNG-bad1c0/1776445339-93979A53-BBDDC461/0/0 X-purgate-type: clean X-purgate-size: 17345 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory XSA-488 x86: Floating Point Divider State Sampling ISSUE DESCRIPTION ================= Researchers from the CISPA Helmholtz Center for Information Security have discovered Floating Point Divider State Sampling. It is detailed in a paper titled "TREVEX: A Black-Box Detection Framework For Data-Flow Transient Execution Vulnerabilities" For more information, see: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7053.html https://roots.ec/blog/fpdss/ IMPACT ====== An attacker might be able to infer data belonging to other contexts, including data belonging to other guests. VULNERABLE SYSTEMS ================== Systems running all versions of Xen are affected. Only AMD Fam17h CPUs (Zen1 microarchitecture) are believed to be vulnerable. Other AMD CPUs and CPUs from other manufacturers are not known to be affected. MITIGATION ========== There are no mitigations. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa488.patch xen-unstable - Xen 4.21.x xsa488-4.20.patch Xen 4.20.x - Xen 4.19.x xsa488-4.18.patch Xen 4.18.x xsa488-4.17.patch Xen 4.17.x $ sha256sum xsa488* 3dde61413eb75cb65fbd20b58165f673f9f4610804ec532ff0bf3c3f469454c1 xsa488.patch 7822abb0ed5a5f8e2b8697db41d46e030fd69bf8ca8cb965022484b287d9ea26 xsa488-4.17.patch 6668f9d1433863522b8554dc324f57efcfcf3e00c9261c0ee5c2db17f63bccd6 xsa488-4.18.patch 275c35d05951c4583056904869183972b9699549f0ec59f946faa92d5cef4b21 xsa488-4.20.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmnhBsUMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZR90IAJ4bu4Ig/J4NOiTOPysLApkrzjyqrrDFqVvsUJe7 UDyll64Yuj4ljj25nDewGDG14EgdMJwqsWqM9gKl07eTzKnOxzzlsymyvX8BxiMt F7hlcsc2WW96jE2FMNpNUjoBTORQ6u+rYsG1J7Kv85PdM4KHivrXzXRswTQlGWBU d3VFnyQYE6jIGNGz1WXgA0/CxkdkTUAC0iN0NB6PSlurfkGCDqJEE3/LrTGWUEhI T30jEc4cCjfukI4YtrCiecCKtSUvzdiRZ+5ZLYrzOYePBOmGOXrxlFfHt4zE6mK0 J9IzVS5BJJVhXjQWZyoZdDgFKMlk6rTQy73hWyPNFyBUiY4= =xsxg -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa488.patch" Content-Disposition: attachment; filename="xsa488.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L2FtZDogTWl0aWdhdGUgQU1ELVNOLTcwNTMgLyBG UC1EU1MKClRoaXMgaXMgWFNBLTQ4OCAvIENWRS0yMDI1LTU0NTA1CgpTaWdu ZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0BjaXRy aXguY29tPgpSZXZpZXdlZC1ieTogUm9nZXIgUGF1IE1vbm7DqSA8cm9nZXIu cGF1QGNpdHJpeC5jb20+CgpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L2Nw dS9hbWQuYyBiL3hlbi9hcmNoL3g4Ni9jcHUvYW1kLmMKaW5kZXggNDViNTVi N2E4Y2Y5Li43MTI3MzRhNmU3MjMgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4 Ni9jcHUvYW1kLmMKKysrIGIveGVuL2FyY2gveDg2L2NwdS9hbWQuYwpAQCAt OTQ3LDYgKzk0Nyw0MiBAQCB2b2lkIGFtZF9pbml0X2RlX2NmZyhjb25zdCBz dHJ1Y3QgY3B1aW5mb194ODYgKmMpCiAgICAgd3Jtc3IoTVNSX0FNRDY0X0RF X0NGRywgdmFsIHwgbmV3KTsKIH0KIAorc3RhdGljIHZvaWQgYW1kX2luaXRf ZnBfY2ZnKGNvbnN0IHN0cnVjdCBjcHVpbmZvX3g4NiAqYykKK3sKKyAgICB1 aW50NjRfdCB2YWwsIG5ldyA9IDA7CisKKyAgICAvKiBJZiB2aXJ0dWFsaXNl ZCwgd2Ugd29uJ3QgaGF2ZSBtdXRhYmxlIGFjY2VzcyBldmVuIGlmIHdlIGNh biByZWFkIGl0LiAqLworICAgIGlmICggY3B1X2hhc19oeXBlcnZpc29yICkK KyAgICAgICAgcmV0dXJuOworCisgICAgLyoKKyAgICAgKiBPbiBaZW4xLCBt aXRpZ2F0ZSBTQi03MDUzIC8gRlAtRFNTIEZsb2F0aW5nIFBvaW50IERpdmlk ZXIgU3RhdGUKKyAgICAgKiBTYW1wbGluZyBieSBzZXR0aW5nIGJpdCA5IGFz IGluc3RydWN0ZWQuCisgICAgICovCisgICAgaWYgKCBjLT5mYW1pbHkgPT0g MHgxNyAmJiBpc196ZW4xX3VhcmNoKCkgKQorICAgICAgICBuZXcgfD0gMSA8 PCA5OworCisgICAgLyoKKyAgICAgKiBBdm9pZCByZWFkaW5nIEZQX0NGRyBp ZiB3ZSBkb24ndCBpbnRlbmQgdG8gY2hhbmdlIGFueXRoaW5nLiAgVGhlCisg ICAgICogcmVnaXN0ZXIgZG9lc24ndCBleGlzdCBvbiBhbGwgZmFtaWxpZXMu CisgICAgICovCisgICAgaWYgKCAhbmV3ICkKKyAgICAgICAgcmV0dXJuOwor CisgICAgdmFsID0gcmRtc3IoTVNSX0FNRDY0X0ZQX0NGRyk7CisKKyAgICBp ZiAoICh2YWwgJiBuZXcpID09IG5ldyApCisgICAgICAgIHJldHVybjsKKwor ICAgIC8qCisgICAgICogRlBfQ0ZHIGlzIGEgQ29yZS1zY29wZWQgTVNSLCBh bmQgdGhpcyB3cml0ZSBpcyByYWN5LiAgSG93ZXZlciwgYm90aAorICAgICAq IHRocmVhZHMgY2FsY3VsYXRlIHRoZSBuZXcgdmFsdWUgZnJvbSBzdGF0ZSB3 aGljaCBleHBlY3RlZCB0byBiZQorICAgICAqIGNvbnNpc3RlbnQgYWNyb3Nz IENQVXMgYW5kIHVucmVsYXRlZCB0byB0aGUgb2xkIHZhbHVlLCBzbyB0aGUg cmVzdWx0CisgICAgICogc2hvdWxkIGJlIGNvbnNpc3RlbnQuCisgICAgICov CisgICAgd3Jtc3IoTVNSX0FNRDY0X0ZQX0NGRywgdmFsIHwgbmV3KTsKK30K Kwogdm9pZCBfX2luaXQgYW1kX2luaXRfbGZlbmNlX2Rpc3BhdGNoKHZvaWQp CiB7CiAgICAgc3RydWN0IGNwdWluZm9feDg2ICpjID0gJmJvb3RfY3B1X2Rh dGE7CkBAIC0xMDE5LDYgKzEwNTUsNyBAQCBzdGF0aWMgdm9pZCBjZl9jaGVj ayBpbml0X2FtZChzdHJ1Y3QgY3B1aW5mb194ODYgKmMpCiAJdWludDY0X3Qg dmFsdWU7CiAKIAlhbWRfaW5pdF9kZV9jZmcoYyk7CisJYW1kX2luaXRfZnBf Y2ZnKGMpOwogCiAJaWYgKGMgPT0gJmJvb3RfY3B1X2RhdGEpCiAJCWFtZF9p bml0X2xmZW5jZV9kaXNwYXRjaCgpOyAvKiBOZWVkcyBhbWRfaW5pdF9kZV9j ZmcoKSAqLwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L2luY2x1ZGUvYXNt L21zci1pbmRleC5oIGIveGVuL2FyY2gveDg2L2luY2x1ZGUvYXNtL21zci1p bmRleC5oCmluZGV4IGI5MmEyNzg2MTFjYi4uYWQxYzZjOTdmOGY3IDEwMDY0 NAotLS0gYS94ZW4vYXJjaC94ODYvaW5jbHVkZS9hc20vbXNyLWluZGV4LmgK KysrIGIveGVuL2FyY2gveDg2L2luY2x1ZGUvYXNtL21zci1pbmRleC5oCkBA IC00MzEsNiArNDMxLDcgQEAKICNkZWZpbmUgTVNSX0FNRDY0X0xTX0NGRwkJ MHhjMDAxMTAyMFUKICNkZWZpbmUgTVNSX0FNRDY0X0lDX0NGRwkJMHhjMDAx MTAyMVUKICNkZWZpbmUgTVNSX0FNRDY0X0RDX0NGRwkJMHhjMDAxMTAyMlUK KyNkZWZpbmUgTVNSX0FNRDY0X0ZQX0NGRwkJMHhjMDAxMTAyOFUKICNkZWZp bmUgTVNSX0FNRDY0X0RFX0NGRwkJMHhjMDAxMTAyOVUKICNkZWZpbmUgQU1E NjRfREVfQ0ZHX0xGRU5DRV9TRVJJQUxJU0UJKF9BQygxLCBVTEwpIDw8IDEp CiAjZGVmaW5lIE1TUl9BTUQ2NF9FWF9DRkcJCTB4YzAwMTEwMmNVCg== --=separator Content-Type: application/octet-stream; name="xsa488-4.17.patch" Content-Disposition: attachment; filename="xsa488-4.17.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L2FtZDogTWl0aWdhdGUgQU1ELVNOLTcwNTMgLyBG UC1EU1MKClRoaXMgaXMgWFNBLTQ4OCAvIENWRS0yMDI1LTU0NTA1CgpTaWdu ZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0BjaXRy aXguY29tPgpSZXZpZXdlZC1ieTogUm9nZXIgUGF1IE1vbm7DqSA8cm9nZXIu cGF1QGNpdHJpeC5jb20+CgpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L2Nw dS9hbWQuYyBiL3hlbi9hcmNoL3g4Ni9jcHUvYW1kLmMKaW5kZXggMjgzODcy NWJhYjk4Li4zMzEyZDg5NmRkOTAgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4 Ni9jcHUvYW1kLmMKKysrIGIveGVuL2FyY2gveDg2L2NwdS9hbWQuYwpAQCAt OTgyLDYgKzk4Miw0MiBAQCBzdGF0aWMgdm9pZCBjZl9jaGVjayBmYW0xN19k aXNhYmxlX2M2KHZvaWQgKmFyZykKIAl3cm1zcmwoTVNSX0FNRF9DU1RBVEVf Q0ZHLCB2YWwgJiBtYXNrKTsKIH0KIAorc3RhdGljIHZvaWQgYW1kX2luaXRf ZnBfY2ZnKGNvbnN0IHN0cnVjdCBjcHVpbmZvX3g4NiAqYykKK3sKKyAgICB1 aW50NjRfdCB2YWwsIG5ldyA9IDA7CisKKyAgICAvKiBJZiB2aXJ0dWFsaXNl ZCwgd2Ugd29uJ3QgaGF2ZSBtdXRhYmxlIGFjY2VzcyBldmVuIGlmIHdlIGNh biByZWFkIGl0LiAqLworICAgIGlmICggY3B1X2hhc19oeXBlcnZpc29yICkK KyAgICAgICAgcmV0dXJuOworCisgICAgLyoKKyAgICAgKiBPbiBaZW4xLCBt aXRpZ2F0ZSBTQi03MDUzIC8gRlAtRFNTIEZsb2F0aW5nIFBvaW50IERpdmlk ZXIgU3RhdGUKKyAgICAgKiBTYW1wbGluZyBieSBzZXR0aW5nIGJpdCA5IGFz IGluc3RydWN0ZWQuCisgICAgICovCisgICAgaWYgKCBjLT54ODYgPT0gMHgx NyAmJiBpc196ZW4xX3VhcmNoKCkgKQorICAgICAgICBuZXcgfD0gMSA8PCA5 OworCisgICAgLyoKKyAgICAgKiBBdm9pZCByZWFkaW5nIEZQX0NGRyBpZiB3 ZSBkb24ndCBpbnRlbmQgdG8gY2hhbmdlIGFueXRoaW5nLiAgVGhlCisgICAg ICogcmVnaXN0ZXIgZG9lc24ndCBleGlzdCBvbiBhbGwgZmFtaWxpZXMuCisg ICAgICovCisgICAgaWYgKCAhbmV3ICkKKyAgICAgICAgcmV0dXJuOworCisg ICAgcmRtc3JsKE1TUl9BTUQ2NF9GUF9DRkcsIHZhbCk7CisKKyAgICBpZiAo ICh2YWwgJiBuZXcpID09IG5ldyApCisgICAgICAgIHJldHVybjsKKworICAg IC8qCisgICAgICogRlBfQ0ZHIGlzIGEgQ29yZS1zY29wZWQgTVNSLCBhbmQg dGhpcyB3cml0ZSBpcyByYWN5LiAgSG93ZXZlciwgYm90aAorICAgICAqIHRo cmVhZHMgY2FsY3VsYXRlIHRoZSBuZXcgdmFsdWUgZnJvbSBzdGF0ZSB3aGlj aCBleHBlY3RlZCB0byBiZQorICAgICAqIGNvbnNpc3RlbnQgYWNyb3NzIENQ VXMgYW5kIHVucmVsYXRlZCB0byB0aGUgb2xkIHZhbHVlLCBzbyB0aGUgcmVz dWx0CisgICAgICogc2hvdWxkIGJlIGNvbnNpc3RlbnQuCisgICAgICovCisg ICAgd3Jtc3JsKE1TUl9BTUQ2NF9GUF9DRkcsIHZhbCB8IG5ldyk7Cit9CisK IHN0YXRpYyB2b2lkIGFtZF9jaGVja19lcnJhdHVtXzE0ODUodm9pZCkKIHsK IAl1aW50NjRfdCB2YWwsIGNoaWNrZW5iaXQgPSAoMSA8PCA1KTsKQEAgLTEw MDksNiArMTA0NSw4IEBAIHN0YXRpYyB2b2lkIGNmX2NoZWNrIGluaXRfYW1k KHN0cnVjdCBjcHVpbmZvX3g4NiAqYykKIAogCXVuc2lnbmVkIGxvbmcgbG9u ZyB2YWx1ZTsKIAorCWFtZF9pbml0X2ZwX2NmZyhjKTsKKwogCS8qIERpc2Fi bGUgVExCIGZsdXNoIGZpbHRlciBieSBzZXR0aW5nIEhXQ1IuRkZESVMgb24g SzgKIAkgKiBiaXQgNiBvZiBtc3IgQzAwMV8wMDE1CiAJICoKZGlmZiAtLWdp dCBhL3hlbi9hcmNoL3g4Ni9pbmNsdWRlL2FzbS9tc3ItaW5kZXguaCBiL3hl bi9hcmNoL3g4Ni9pbmNsdWRlL2FzbS9tc3ItaW5kZXguaAppbmRleCA1MjEw NzkxOTFhZjcuLmJlZDBhYjdiMjEzYyAxMDA2NDQKLS0tIGEveGVuL2FyY2gv eDg2L2luY2x1ZGUvYXNtL21zci1pbmRleC5oCisrKyBiL3hlbi9hcmNoL3g4 Ni9pbmNsdWRlL2FzbS9tc3ItaW5kZXguaApAQCAtMzg2LDYgKzM4Niw3IEBA CiAjZGVmaW5lIE1TUl9BTUQ2NF9MU19DRkcJCTB4YzAwMTEwMjAKICNkZWZp bmUgTVNSX0FNRDY0X0lDX0NGRwkJMHhjMDAxMTAyMQogI2RlZmluZSBNU1Jf QU1ENjRfRENfQ0ZHCQkweGMwMDExMDIyCisjZGVmaW5lIE1TUl9BTUQ2NF9G UF9DRkcJCTB4YzAwMTEwMjgKICNkZWZpbmUgTVNSX0FNRDY0X0RFX0NGRwkJ MHhjMDAxMTAyOQogI2RlZmluZSBBTUQ2NF9ERV9DRkdfTEZFTkNFX1NFUklB TElTRQkoX0FDKDEsIFVMTCkgPDwgMSkKICNkZWZpbmUgTVNSX0FNRDY0X0VY X0NGRwkJMHhjMDAxMTAyYwo= --=separator Content-Type: application/octet-stream; name="xsa488-4.18.patch" Content-Disposition: attachment; filename="xsa488-4.18.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L2FtZDogTWl0aWdhdGUgQU1ELVNOLTcwNTMgLyBG UC1EU1MKClRoaXMgaXMgWFNBLTQ4OCAvIENWRS0yMDI1LTU0NTA1CgpTaWdu ZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0BjaXRy aXguY29tPgpSZXZpZXdlZC1ieTogUm9nZXIgUGF1IE1vbm7DqSA8cm9nZXIu cGF1QGNpdHJpeC5jb20+CgpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L2Nw dS9hbWQuYyBiL3hlbi9hcmNoL3g4Ni9jcHUvYW1kLmMKaW5kZXggYzQ0ODk5 N2JlNTUxLi40M2NkM2FlOWJhNGQgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4 Ni9jcHUvYW1kLmMKKysrIGIveGVuL2FyY2gveDg2L2NwdS9hbWQuYwpAQCAt MTAwOSw2ICsxMDA5LDQyIEBAIHN0YXRpYyB2b2lkIGNmX2NoZWNrIGZhbTE3 X2Rpc2FibGVfYzYodm9pZCAqYXJnKQogCXdybXNybChNU1JfQU1EX0NTVEFU RV9DRkcsIHZhbCAmIG1hc2spOwogfQogCitzdGF0aWMgdm9pZCBhbWRfaW5p dF9mcF9jZmcoY29uc3Qgc3RydWN0IGNwdWluZm9feDg2ICpjKQoreworICAg IHVpbnQ2NF90IHZhbCwgbmV3ID0gMDsKKworICAgIC8qIElmIHZpcnR1YWxp c2VkLCB3ZSB3b24ndCBoYXZlIG11dGFibGUgYWNjZXNzIGV2ZW4gaWYgd2Ug Y2FuIHJlYWQgaXQuICovCisgICAgaWYgKCBjcHVfaGFzX2h5cGVydmlzb3Ig KQorICAgICAgICByZXR1cm47CisKKyAgICAvKgorICAgICAqIE9uIFplbjEs IG1pdGlnYXRlIFNCLTcwNTMgLyBGUC1EU1MgRmxvYXRpbmcgUG9pbnQgRGl2 aWRlciBTdGF0ZQorICAgICAqIFNhbXBsaW5nIGJ5IHNldHRpbmcgYml0IDkg YXMgaW5zdHJ1Y3RlZC4KKyAgICAgKi8KKyAgICBpZiAoIGMtPng4NiA9PSAw eDE3ICYmIGlzX3plbjFfdWFyY2goKSApCisgICAgICAgIG5ldyB8PSAxIDw8 IDk7CisKKyAgICAvKgorICAgICAqIEF2b2lkIHJlYWRpbmcgRlBfQ0ZHIGlm IHdlIGRvbid0IGludGVuZCB0byBjaGFuZ2UgYW55dGhpbmcuICBUaGUKKyAg ICAgKiByZWdpc3RlciBkb2Vzbid0IGV4aXN0IG9uIGFsbCBmYW1pbGllcy4K KyAgICAgKi8KKyAgICBpZiAoICFuZXcgKQorICAgICAgICByZXR1cm47CisK KyAgICByZG1zcmwoTVNSX0FNRDY0X0ZQX0NGRywgdmFsKTsKKworICAgIGlm ICggKHZhbCAmIG5ldykgPT0gbmV3ICkKKyAgICAgICAgcmV0dXJuOworCisg ICAgLyoKKyAgICAgKiBGUF9DRkcgaXMgYSBDb3JlLXNjb3BlZCBNU1IsIGFu ZCB0aGlzIHdyaXRlIGlzIHJhY3kuICBIb3dldmVyLCBib3RoCisgICAgICog dGhyZWFkcyBjYWxjdWxhdGUgdGhlIG5ldyB2YWx1ZSBmcm9tIHN0YXRlIHdo aWNoIGV4cGVjdGVkIHRvIGJlCisgICAgICogY29uc2lzdGVudCBhY3Jvc3Mg Q1BVcyBhbmQgdW5yZWxhdGVkIHRvIHRoZSBvbGQgdmFsdWUsIHNvIHRoZSBy ZXN1bHQKKyAgICAgKiBzaG91bGQgYmUgY29uc2lzdGVudC4KKyAgICAgKi8K KyAgICB3cm1zcmwoTVNSX0FNRDY0X0ZQX0NGRywgdmFsIHwgbmV3KTsKK30K Kwogc3RhdGljIHZvaWQgYW1kX2NoZWNrX2JwX2NmZyh2b2lkKQogewogCXVp bnQ2NF90IHZhbCwgbmV3ID0gMDsKQEAgLTEwNTMsNiArMTA4OSw4IEBAIHN0 YXRpYyB2b2lkIGNmX2NoZWNrIGluaXRfYW1kKHN0cnVjdCBjcHVpbmZvX3g4 NiAqYykKIAogCXVuc2lnbmVkIGxvbmcgbG9uZyB2YWx1ZTsKIAorCWFtZF9p bml0X2ZwX2NmZyhjKTsKKwogCS8qIERpc2FibGUgVExCIGZsdXNoIGZpbHRl ciBieSBzZXR0aW5nIEhXQ1IuRkZESVMgb24gSzgKIAkgKiBiaXQgNiBvZiBt c3IgQzAwMV8wMDE1CiAJICoKZGlmZiAtLWdpdCBhL3hlbi9hcmNoL3g4Ni9p bmNsdWRlL2FzbS9tc3ItaW5kZXguaCBiL3hlbi9hcmNoL3g4Ni9pbmNsdWRl L2FzbS9tc3ItaW5kZXguaAppbmRleCBjOWY5ODBjZDU3N2YuLjUxNmVlMjZk NzA3OSAxMDA2NDQKLS0tIGEveGVuL2FyY2gveDg2L2luY2x1ZGUvYXNtL21z ci1pbmRleC5oCisrKyBiL3hlbi9hcmNoL3g4Ni9pbmNsdWRlL2FzbS9tc3It aW5kZXguaApAQCAtNDExLDYgKzQxMSw3IEBACiAjZGVmaW5lIE1TUl9BTUQ2 NF9MU19DRkcJCTB4YzAwMTEwMjAKICNkZWZpbmUgTVNSX0FNRDY0X0lDX0NG RwkJMHhjMDAxMTAyMQogI2RlZmluZSBNU1JfQU1ENjRfRENfQ0ZHCQkweGMw MDExMDIyCisjZGVmaW5lIE1TUl9BTUQ2NF9GUF9DRkcJCTB4YzAwMTEwMjgK ICNkZWZpbmUgTVNSX0FNRDY0X0RFX0NGRwkJMHhjMDAxMTAyOQogI2RlZmlu ZSBBTUQ2NF9ERV9DRkdfTEZFTkNFX1NFUklBTElTRQkoX0FDKDEsIFVMTCkg PDwgMSkKICNkZWZpbmUgTVNSX0FNRDY0X0VYX0NGRwkJMHhjMDAxMTAyYwo= --=separator Content-Type: application/octet-stream; name="xsa488-4.20.patch" Content-Disposition: attachment; filename="xsa488-4.20.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmV3IENvb3BlciA8YW5kcmV3LmNvb3BlcjNAY2l0cml4LmNv bT4KU3ViamVjdDogeDg2L2FtZDogTWl0aWdhdGUgQU1ELVNOLTcwNTMgLyBG UC1EU1MKClRoaXMgaXMgWFNBLTQ4OCAvIENWRS0yMDI1LTU0NTA1CgpTaWdu ZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29vcGVyM0BjaXRy aXguY29tPgpSZXZpZXdlZC1ieTogUm9nZXIgUGF1IE1vbm7DqSA8cm9nZXIu cGF1QGNpdHJpeC5jb20+CgpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L2Nw dS9hbWQuYyBiL3hlbi9hcmNoL3g4Ni9jcHUvYW1kLmMKaW5kZXggZDUwNjlh N2VjMThlLi40Mzg4M2UwNGRiYjkgMTAwNjQ0Ci0tLSBhL3hlbi9hcmNoL3g4 Ni9jcHUvYW1kLmMKKysrIGIveGVuL2FyY2gveDg2L2NwdS9hbWQuYwpAQCAt OTgyLDYgKzk4Miw0MiBAQCB2b2lkIGFtZF9pbml0X2RlX2NmZyhjb25zdCBz dHJ1Y3QgY3B1aW5mb194ODYgKmMpCiAgICAgd3Jtc3JsKE1TUl9BTUQ2NF9E RV9DRkcsIHZhbCB8IG5ldyk7CiB9CiAKK3N0YXRpYyB2b2lkIGFtZF9pbml0 X2ZwX2NmZyhjb25zdCBzdHJ1Y3QgY3B1aW5mb194ODYgKmMpCit7CisgICAg dWludDY0X3QgdmFsLCBuZXcgPSAwOworCisgICAgLyogSWYgdmlydHVhbGlz ZWQsIHdlIHdvbid0IGhhdmUgbXV0YWJsZSBhY2Nlc3MgZXZlbiBpZiB3ZSBj YW4gcmVhZCBpdC4gKi8KKyAgICBpZiAoIGNwdV9oYXNfaHlwZXJ2aXNvciAp CisgICAgICAgIHJldHVybjsKKworICAgIC8qCisgICAgICogT24gWmVuMSwg bWl0aWdhdGUgU0ItNzA1MyAvIEZQLURTUyBGbG9hdGluZyBQb2ludCBEaXZp ZGVyIFN0YXRlCisgICAgICogU2FtcGxpbmcgYnkgc2V0dGluZyBiaXQgOSBh cyBpbnN0cnVjdGVkLgorICAgICAqLworICAgIGlmICggYy0+eDg2ID09IDB4 MTcgJiYgaXNfemVuMV91YXJjaCgpICkKKyAgICAgICAgbmV3IHw9IDEgPDwg OTsKKworICAgIC8qCisgICAgICogQXZvaWQgcmVhZGluZyBGUF9DRkcgaWYg d2UgZG9uJ3QgaW50ZW5kIHRvIGNoYW5nZSBhbnl0aGluZy4gIFRoZQorICAg ICAqIHJlZ2lzdGVyIGRvZXNuJ3QgZXhpc3Qgb24gYWxsIGZhbWlsaWVzLgor ICAgICAqLworICAgIGlmICggIW5ldyApCisgICAgICAgIHJldHVybjsKKwor ICAgIHJkbXNybChNU1JfQU1ENjRfRlBfQ0ZHLCB2YWwpOworCisgICAgaWYg KCAodmFsICYgbmV3KSA9PSBuZXcgKQorICAgICAgICByZXR1cm47CisKKyAg ICAvKgorICAgICAqIEZQX0NGRyBpcyBhIENvcmUtc2NvcGVkIE1TUiwgYW5k IHRoaXMgd3JpdGUgaXMgcmFjeS4gIEhvd2V2ZXIsIGJvdGgKKyAgICAgKiB0 aHJlYWRzIGNhbGN1bGF0ZSB0aGUgbmV3IHZhbHVlIGZyb20gc3RhdGUgd2hp Y2ggZXhwZWN0ZWQgdG8gYmUKKyAgICAgKiBjb25zaXN0ZW50IGFjcm9zcyBD UFVzIGFuZCB1bnJlbGF0ZWQgdG8gdGhlIG9sZCB2YWx1ZSwgc28gdGhlIHJl c3VsdAorICAgICAqIHNob3VsZCBiZSBjb25zaXN0ZW50LgorICAgICAqLwor ICAgIHdybXNybChNU1JfQU1ENjRfRlBfQ0ZHLCB2YWwgfCBuZXcpOworfQor CiB2b2lkIF9faW5pdCBhbWRfaW5pdF9sZmVuY2VfZGlzcGF0Y2godm9pZCkK IHsKICAgICBzdHJ1Y3QgY3B1aW5mb194ODYgKmMgPSAmYm9vdF9jcHVfZGF0 YTsKQEAgLTEwNTUsNiArMTA5MSw3IEBAIHN0YXRpYyB2b2lkIGNmX2NoZWNr IGluaXRfYW1kKHN0cnVjdCBjcHVpbmZvX3g4NiAqYykKIAl1bnNpZ25lZCBs b25nIGxvbmcgdmFsdWU7CiAKIAlhbWRfaW5pdF9kZV9jZmcoYyk7CisJYW1k X2luaXRfZnBfY2ZnKGMpOwogCiAJaWYgKGMgPT0gJmJvb3RfY3B1X2RhdGEp CiAJCWFtZF9pbml0X2xmZW5jZV9kaXNwYXRjaCgpOyAvKiBOZWVkcyBhbWRf aW5pdF9kZV9jZmcoKSAqLwpkaWZmIC0tZ2l0IGEveGVuL2FyY2gveDg2L2lu Y2x1ZGUvYXNtL21zci1pbmRleC5oIGIveGVuL2FyY2gveDg2L2luY2x1ZGUv YXNtL21zci1pbmRleC5oCmluZGV4IDZmMmMzMTQ3ZTM0My4uNzBlNWYwOWEy ZGU0IDEwMDY0NAotLS0gYS94ZW4vYXJjaC94ODYvaW5jbHVkZS9hc20vbXNy LWluZGV4LmgKKysrIGIveGVuL2FyY2gveDg2L2luY2x1ZGUvYXNtL21zci1p bmRleC5oCkBAIC00MTEsNiArNDExLDcgQEAKICNkZWZpbmUgTVNSX0FNRDY0 X0xTX0NGRwkJMHhjMDAxMTAyMFUKICNkZWZpbmUgTVNSX0FNRDY0X0lDX0NG RwkJMHhjMDAxMTAyMVUKICNkZWZpbmUgTVNSX0FNRDY0X0RDX0NGRwkJMHhj MDAxMTAyMlUKKyNkZWZpbmUgTVNSX0FNRDY0X0ZQX0NGRwkJMHhjMDAxMTAy OFUKICNkZWZpbmUgTVNSX0FNRDY0X0RFX0NGRwkJMHhjMDAxMTAyOVUKICNk ZWZpbmUgQU1ENjRfREVfQ0ZHX0xGRU5DRV9TRVJJQUxJU0UJKF9BQygxLCBV TEwpIDw8IDEpCiAjZGVmaW5lIE1TUl9BTUQ2NF9FWF9DRkcJCTB4YzAwMTEw MmNVCg== --=separator-- From xen-announce-bounces@lists.xenproject.org Tue Apr 28 12:02:02 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 28 Apr 2026 12:02:02 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1295646.1572328 (Exim 4.92) (envelope-from ) id 1wHh8P-0005N4-8C; Tue, 28 Apr 2026 12:01:49 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1295646.1572328; Tue, 28 Apr 2026 12:01:49 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wHh8P-0005Mu-4v; Tue, 28 Apr 2026 12:01:49 +0000 Received: by outflank-mailman (input) for mailman id 1295646; Tue, 28 Apr 2026 12:01:47 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wHh8N-0005KI-IA; Tue, 28 Apr 2026 12:01:47 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wHh8M-001YJf-TU; Tue, 28 Apr 2026 14:01:46 +0200 Received: from [10.42.69.2] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 69f0a1aa-2eae-0a2a0a5409dd-0a2a4502edb0-2 for ; Tue, 28 Apr 2026 14:01:46 +0200 Received: from [104.130.215.37] (helo=mail.xenproject.org) by tlsNG-720697.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 69f0a1a9-af86-0a2a45020019-6882d725a1ea-3 for ; Tue, 28 Apr 2026 14:01:46 +0200 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wHh8D-0064Zp-2a; Tue, 28 Apr 2026 12:01:37 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wHh8D-006n15-2O; Tue, 28 Apr 2026 12:01:37 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" Authentication-Results: eu.smtp.expurgate.cloud; none Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.510 (Entity 5.510) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 484 v2 (CVE-2026-23557) - Xenstored DoS via XS_RESET_WATCHES command Message-Id: Date: Tue, 28 Apr 2026 12:01:37 +0000 X-purgate-ID: tlsNG-720697/1777377706-8256B161-7610114D/0/0 X-purgate-type: clean X-purgate-size: 11272 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2026-23557 / XSA-484 version 2 Xenstored DoS via XS_RESET_WATCHES command UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() triggering. In case xenstored was built with NDEBUG #defined nothing bad will happen, as assert() is doing nothing in this case. Note that the default is not to define NDEBUG for xenstored builds even in release builds of Xen. IMPACT ====== Any unprivileged domain can cause xenstored to crash, causing a DoS (denial of service) for any Xenstore action. This will result in an inability to perform further domain administration on the host. VULNERABLE SYSTEMS ================== All Xen systems from Xen 4.2 onwards are vulnerable. Systems up to Xen 4.1 are not vulnerable. Systems using the C variant of xenstored or xenstore-stubdom built without NDEBUG are vulnerable. Systems using the OCaml variant of Xenstore (oxenstored), or the C variant (xenstored or xenstore-stubdom) built with NDEBUG defined are not vulnerable. MITIGATION ========== There is no known mitigation available. CREDITS ======= This issue was discovered by Andrii Sultanov of Vates. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa484.patch xen-unstable - Xen 4.18.x xsa484-4.17.patch Xen 4.17.x $ sha256sum xsa484* 77c489191d40acd807eb19344a0e1bbb67a04551e89aff726fbb2006f235aacf xsa484.patch 6c8d8146d136956c59ee77da6aa6340272d1ea670a6b0d9cf37fe759d4b96b19 xsa484-4.17.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmnwoQEMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZGVoIALBKECpaWxXD7ivkbFpFlmt9a2TOXxnD1LjbSnzI VAdyFECK4ng0uRaUXHMcd0Dkzw+dOrm/SA7jI+brumyyxsO44eLz5fysAQYXDHca qsn5h7To34Fow8ejQIt1E9DmqNlZP7Y261MhYSdWN6Z2lEa4cMPyJKA/xTpQ2uUq Cy9Ss7jrl/v98MOZb2Tkn+H8XiNsPJb57sWeaOPoUMh+42y/5qMyRgqWa3/N3iHn ZVZEhTbrNvGYKW+DUq5KswUjxw9FAmtQ1PA/w3ItWWdsb0Gd8AE02FzdIuoIt/xk zB9BEchspV1Gfouz0alFV+d4gDyclQmmViYojNfXYfKdWp8= =j/SA -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa484.patch" Content-Disposition: attachment; filename="xsa484.patch" Content-Transfer-Encoding: base64 RnJvbSAzZDBkMTlhZDE3ZjI5YzY0ZGRlNGE3YmFmMzkyZGE0ZmQ1OGYzNjU0 IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKdWVyZ2VuIEdyb3Nz IDxqZ3Jvc3NAc3VzZS5jb20+CkRhdGU6IE1vbiwgMTYgTWFyIDIwMjYgMTU6 MDY6MTEgKzAxMDAKU3ViamVjdDogW1BBVENIXSB0b29scy94ZW5zdG9yZWQ6 IG1ha2UgY29ubl9kZWxldGVfYWxsX3RyYW5zYWN0aW9ucygpCiBpZGVtcG90 ZW50Cgpjb25uX2RlbGV0ZV9hbGxfdHJhbnNhY3Rpb25zKCkgc2hvdWxkIGJl IGNhbGxhYmxlIGluIGFueSBjb250ZXh0LApyZXNldHRpbmcgQUxMIHRyYW5z YWN0aW9uIHJlbGF0ZWQgZGF0YS4KClRoaXMgaW5jbHVkZXMgbnVtYmVyIG9m IGFjdGl2ZSB0cmFuc2FjdGlvbnMgYW5kIHRoZSB0cmFuc2FjdGlvbgpwb2lu dGVyIGluIHN0cnVjdCBjb25uZWN0aW9uLgoKU28gcmVzZXQgY29ubi0+dHJh bnMgdG8gTlVMTCBpbiBjb25uX2RlbGV0ZV9hbGxfdHJhbnNhY3Rpb25zKCkg YW5kCmRvIHRoZSBjbGVhbnVwIGZvciBlYWNoIHRyYW5zYWN0aW9uIGluIGRl c3Ryb3lfdHJhbnNhY3Rpb24oKS4KClRoaXMgYXZvaWRzIHRyaWdnZXJpbmcg dGhlIGFzc2VydCgpIGluIGNvbm5fZGVsZXRlX2FsbF90cmFuc2FjdGlvbnMo KQppbiBjYXNlIGUuZy4gaWdub3JlX2Nvbm5lY3Rpb24oKSB3YXMgY2FsbGVk IHdoaWxlIGFuIG9wZXJhdGlvbiBpbnNpZGUKYSB0cmFuc2FjdGlvbiB3YXMg cGVyZm9ybWVkLCBvciBYU19SRVNFVF9XQVRDSEVTIHdhcyBjYWxsZWQgaW4g YQp0cmFuc2FjdGlvbi4KClRoaXMgaXMgWFNBLTQ4NCAvIENWRS0yMDI2LTIz NTU3LgoKUmVwb3J0ZWQtYnk6IEFuZHJpaSBTdWx0YW5vdiA8YW5kcml5LnN1 bHRhbm92QHZhdGVzLnRlY2g+CkZpeGVzOiAxZjlkMDRmYjAyMWMgKCJ4ZW5z dG9yZWQ6IGFsbG93IGd1ZXN0IHRvIHNodXRkb3duIGFsbCBpdHMgd2F0Y2hl cy90cmFuc2FjdGlvbnMiKQpTaWduZWQtb2ZmLWJ5OiBKdWVyZ2VuIEdyb3Nz IDxqZ3Jvc3NAc3VzZS5jb20+Ci0tLQogdG9vbHMveGVuc3RvcmVkL3RyYW5z YWN0aW9uLmMgfCAyMCArKysrKysrKystLS0tLS0tLS0tLQogMSBmaWxlIGNo YW5nZWQsIDkgaW5zZXJ0aW9ucygrKSwgMTEgZGVsZXRpb25zKC0pCgpkaWZm IC0tZ2l0IGEvdG9vbHMveGVuc3RvcmVkL3RyYW5zYWN0aW9uLmMgYi90b29s cy94ZW5zdG9yZWQvdHJhbnNhY3Rpb24uYwppbmRleCAxNjdjZDU5N2ZkLi4w ODI1YzQ4ODU5IDEwMDY0NAotLS0gYS90b29scy94ZW5zdG9yZWQvdHJhbnNh Y3Rpb24uYworKysgYi90b29scy94ZW5zdG9yZWQvdHJhbnNhY3Rpb24uYwpA QCAtNDMyLDE3ICs0MzIsMjMgQEAgc3RhdGljIGludCBmaW5hbGl6ZV90cmFu c2FjdGlvbihzdHJ1Y3QgY29ubmVjdGlvbiAqY29ubiwKIHN0YXRpYyBpbnQg ZGVzdHJveV90cmFuc2FjdGlvbih2b2lkICpfdHJhbnNhY3Rpb24pCiB7CiAJ c3RydWN0IHRyYW5zYWN0aW9uICp0cmFucyA9IF90cmFuc2FjdGlvbjsKKwlz dHJ1Y3QgY29ubmVjdGlvbiAqY29ubiA9IHRyYW5zLT5jb25uOwogCXN0cnVj dCBhY2Nlc3NlZF9ub2RlICppOwogCiAJd3JsX250cmFuc2FjdGlvbnMtLTsK IAl0cmFjZV9kZXN0cm95KHRyYW5zLCAidHJhbnNhY3Rpb24iKTsKIAl3aGls ZSAoKGkgPSBsaXN0X3RvcCgmdHJhbnMtPmFjY2Vzc2VkLCBzdHJ1Y3QgYWNj ZXNzZWRfbm9kZSwgbGlzdCkpKSB7CiAJCWlmIChpLT50YV9ub2RlKQotCQkJ ZGJfZGVsZXRlKHRyYW5zLT5jb25uLCBpLT50cmFuc19uYW1lLCBOVUxMKTsK KwkJCWRiX2RlbGV0ZShjb25uLCBpLT50cmFuc19uYW1lLCBOVUxMKTsKIAkJ bGlzdF9kZWwoJmktPmxpc3QpOwogCQl0YWxsb2NfZnJlZShpKTsKIAl9CiAK KwlsaXN0X2RlbCgmdHJhbnMtPmxpc3QpOworCWRvbWFpbl90cmFuc2FjdGlv bl9kZWMoY29ubik7CisJaWYgKGxpc3RfZW1wdHkoJmNvbm4tPnRyYW5zYWN0 aW9uX2xpc3QpKQorCQljb25uLT50YV9zdGFydF90aW1lID0gMDsKKwogCXJl dHVybiAwOwogfQogCkBAIC01MjMsMTAgKzUyOSw2IEBAIGludCBkb190cmFu c2FjdGlvbl9lbmQoY29uc3Qgdm9pZCAqY3R4LCBzdHJ1Y3QgY29ubmVjdGlv biAqY29ubiwKIAkJcmV0dXJuIEVOT0VOVDsKIAogCWNvbm4tPnRyYW5zYWN0 aW9uID0gTlVMTDsKLQlsaXN0X2RlbCgmdHJhbnMtPmxpc3QpOwotCWRvbWFp bl90cmFuc2FjdGlvbl9kZWMoY29ubik7Ci0JaWYgKGxpc3RfZW1wdHkoJmNv bm4tPnRyYW5zYWN0aW9uX2xpc3QpKQotCQljb25uLT50YV9zdGFydF90aW1l ID0gMDsKIAogCWNoa19xdW90YSA9IHRyYW5zLT5ub2RlX2NyZWF0ZWQgJiYg ZG9tYWluX2lzX3VucHJpdmlsZWdlZChjb25uKTsKIApAQCAtNTcyLDE0ICs1 NzQsMTAgQEAgdm9pZCBjb25uX2RlbGV0ZV9hbGxfdHJhbnNhY3Rpb25zKHN0 cnVjdCBjb25uZWN0aW9uICpjb25uKQogCXN0cnVjdCB0cmFuc2FjdGlvbiAq dHJhbnM7CiAKIAl3aGlsZSAoKHRyYW5zID0gbGlzdF90b3AoJmNvbm4tPnRy YW5zYWN0aW9uX2xpc3QsCi0JCQkJIHN0cnVjdCB0cmFuc2FjdGlvbiwgbGlz dCkpKSB7Ci0JCWxpc3RfZGVsKCZ0cmFucy0+bGlzdCk7CisJCQkJIHN0cnVj dCB0cmFuc2FjdGlvbiwgbGlzdCkpKQogCQl0YWxsb2NfZnJlZSh0cmFucyk7 Ci0JfQotCi0JYXNzZXJ0KGNvbm4tPnRyYW5zYWN0aW9uID09IE5VTEwpOwog Ci0JY29ubi0+dGFfc3RhcnRfdGltZSA9IDA7CisJY29ubi0+dHJhbnNhY3Rp b24gPSBOVUxMOwogfQogCiBpbnQgY2hlY2tfdHJhbnNhY3Rpb25zKHN0cnVj dCBoYXNodGFibGUgKmhhc2gpCi0tIAoyLjUzLjAKCg== --=separator Content-Type: application/octet-stream; name="xsa484-4.17.patch" Content-Disposition: attachment; filename="xsa484-4.17.patch" Content-Transfer-Encoding: base64 RnJvbTogSnVlcmdlbiBHcm9zcyA8amdyb3NzQHN1c2UuY29tPgpTdWJqZWN0 OiB0b29scy94ZW5zdG9yZWQ6IG1ha2UgY29ubl9kZWxldGVfYWxsX3RyYW5z YWN0aW9ucygpIGlkZW1wb3RlbnQKCmNvbm5fZGVsZXRlX2FsbF90cmFuc2Fj dGlvbnMoKSBzaG91bGQgYmUgY2FsbGFibGUgaW4gYW55IGNvbnRleHQsCnJl c2V0dGluZyBBTEwgdHJhbnNhY3Rpb24gcmVsYXRlZCBkYXRhLgoKVGhpcyBp bmNsdWRlcyBudW1iZXIgb2YgYWN0aXZlIHRyYW5zYWN0aW9ucyBhbmQgdGhl IHRyYW5zYWN0aW9uCnBvaW50ZXIgaW4gc3RydWN0IGNvbm5lY3Rpb24uCgpT byByZXNldCBjb25uLT50cmFucyB0byBOVUxMIGluIGNvbm5fZGVsZXRlX2Fs bF90cmFuc2FjdGlvbnMoKSBhbmQKZG8gdGhlIGNsZWFudXAgZm9yIGVhY2gg dHJhbnNhY3Rpb24gaW4gZGVzdHJveV90cmFuc2FjdGlvbigpLgoKVGhpcyBh dm9pZHMgdHJpZ2dlcmluZyB0aGUgYXNzZXJ0KCkgaW4gY29ubl9kZWxldGVf YWxsX3RyYW5zYWN0aW9ucygpCmluIGNhc2UgZS5nLiBpZ25vcmVfY29ubmVj dGlvbigpIHdhcyBjYWxsZWQgd2hpbGUgYW4gb3BlcmF0aW9uIGluc2lkZQph IHRyYW5zYWN0aW9uIHdhcyBwZXJmb3JtZWQsIG9yIFhTX1JFU0VUX1dBVENI RVMgd2FzIGNhbGxlZCBpbiBhCnRyYW5zYWN0aW9uLgoKVGhpcyBpcyBYU0Et NDg0IC8gQ1ZFLTIwMjYtMjM1NTcuCgpSZXBvcnRlZC1ieTogQW5kcmlpIFN1 bHRhbm92IDxhbmRyaXkuc3VsdGFub3ZAdmF0ZXMudGVjaD4KRml4ZXM6IDFm OWQwNGZiMDIxYyAoInhlbnN0b3JlZDogYWxsb3cgZ3Vlc3QgdG8gc2h1dGRv d24gYWxsIGl0cyB3YXRjaGVzL3RyYW5zYWN0aW9ucyIpClNpZ25lZC1vZmYt Ynk6IEp1ZXJnZW4gR3Jvc3MgPGpncm9zc0BzdXNlLmNvbT4KCi0tLSBhL3Rv b2xzL3hlbnN0b3JlL3hlbnN0b3JlZF90cmFuc2FjdGlvbi5jCisrKyBiL3Rv b2xzL3hlbnN0b3JlL3hlbnN0b3JlZF90cmFuc2FjdGlvbi5jCkBAIC00NDUs NiArNDQ1LDcgQEAgc3RhdGljIGludCBmaW5hbGl6ZV90cmFuc2FjdGlvbihz dHJ1Y3QgYwogc3RhdGljIGludCBkZXN0cm95X3RyYW5zYWN0aW9uKHZvaWQg Kl90cmFuc2FjdGlvbikKIHsKIAlzdHJ1Y3QgdHJhbnNhY3Rpb24gKnRyYW5z ID0gX3RyYW5zYWN0aW9uOworCXN0cnVjdCBjb25uZWN0aW9uICpjb25uID0g dHJhbnMtPmNvbm47CiAJc3RydWN0IGFjY2Vzc2VkX25vZGUgKmk7CiAJVERC X0RBVEEga2V5OwogCkBAIC00NTMsMTIgKzQ1NCwxNyBAQCBzdGF0aWMgaW50 IGRlc3Ryb3lfdHJhbnNhY3Rpb24odm9pZCAqX3RyCiAJd2hpbGUgKChpID0g bGlzdF90b3AoJnRyYW5zLT5hY2Nlc3NlZCwgc3RydWN0IGFjY2Vzc2VkX25v ZGUsIGxpc3QpKSkgewogCQlpZiAoaS0+dGFfbm9kZSkgewogCQkJc2V0X3Rk Yl9rZXkoaS0+dHJhbnNfbmFtZSwgJmtleSk7Ci0JCQlkb190ZGJfZGVsZXRl KHRyYW5zLT5jb25uLCAma2V5LCBOVUxMKTsKKwkJCWRvX3RkYl9kZWxldGUo Y29ubiwgJmtleSwgTlVMTCk7CiAJCX0KIAkJbGlzdF9kZWwoJmktPmxpc3Qp OwogCQl0YWxsb2NfZnJlZShpKTsKIAl9CiAKKwlsaXN0X2RlbCgmdHJhbnMt Pmxpc3QpOworCWNvbm4tPnRyYW5zYWN0aW9uX3N0YXJ0ZWQtLTsKKwlpZiAo IWNvbm4tPnRyYW5zYWN0aW9uX3N0YXJ0ZWQpCisJCWNvbm4tPnRhX3N0YXJ0 X3RpbWUgPSAwOworCiAJcmV0dXJuIDA7CiB9CiAKQEAgLTU2MSwxMCArNTY3 LDYgQEAgaW50IGRvX3RyYW5zYWN0aW9uX2VuZChjb25zdCB2b2lkICpjdHgs CiAJCXJldHVybiBFTk9FTlQ7CiAKIAljb25uLT50cmFuc2FjdGlvbiA9IE5V TEw7Ci0JbGlzdF9kZWwoJnRyYW5zLT5saXN0KTsKLQljb25uLT50cmFuc2Fj dGlvbl9zdGFydGVkLS07Ci0JaWYgKCFjb25uLT50cmFuc2FjdGlvbl9zdGFy dGVkKQotCQljb25uLT50YV9zdGFydF90aW1lID0gMDsKIAogCWNoa19xdW90 YSA9IHRyYW5zLT5ub2RlX2NyZWF0ZWQgJiYgZG9tYWluX2lzX3VucHJpdmls ZWdlZChjb25uKTsKIApAQCAtNjQ2LDE1ICs2NDgsMTEgQEAgdm9pZCBjb25u X2RlbGV0ZV9hbGxfdHJhbnNhY3Rpb25zKHN0cnVjdAogCXN0cnVjdCB0cmFu c2FjdGlvbiAqdHJhbnM7CiAKIAl3aGlsZSAoKHRyYW5zID0gbGlzdF90b3Ao JmNvbm4tPnRyYW5zYWN0aW9uX2xpc3QsCi0JCQkJIHN0cnVjdCB0cmFuc2Fj dGlvbiwgbGlzdCkpKSB7Ci0JCWxpc3RfZGVsKCZ0cmFucy0+bGlzdCk7CisJ CQkJIHN0cnVjdCB0cmFuc2FjdGlvbiwgbGlzdCkpKQogCQl0YWxsb2NfZnJl ZSh0cmFucyk7Ci0JfQotCi0JYXNzZXJ0KGNvbm4tPnRyYW5zYWN0aW9uID09 IE5VTEwpOwogCiAJY29ubi0+dHJhbnNhY3Rpb25fc3RhcnRlZCA9IDA7Ci0J Y29ubi0+dGFfc3RhcnRfdGltZSA9IDA7CisJY29ubi0+dHJhbnNhY3Rpb24g PSBOVUxMOwogfQogCiBpbnQgY2hlY2tfdHJhbnNhY3Rpb25zKHN0cnVjdCBo YXNodGFibGUgKmhhc2gpCg== --=separator-- From xen-announce-bounces@lists.xenproject.org Tue Apr 28 12:02:02 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 28 Apr 2026 12:02:02 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1295655.1572408 (Exim 4.92) (envelope-from ) id 1wHh8b-0007ZH-75; Tue, 28 Apr 2026 12:02:01 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1295655.1572408; Tue, 28 Apr 2026 12:02:01 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wHh8b-0007Z4-2o; Tue, 28 Apr 2026 12:02:01 +0000 Received: by outflank-mailman (input) for mailman id 1295655; Tue, 28 Apr 2026 12:01:59 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wHh8Y-0007SF-NM; Tue, 28 Apr 2026 12:01:58 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wHh8Y-004jfL-3B; Tue, 28 Apr 2026 14:01:58 +0200 Received: from [10.42.69.4] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 69f0a1af-e002-0a2a0a5209dd-0a2a450496cc-42 for ; Tue, 28 Apr 2026 14:01:58 +0200 Received: from [104.130.215.37] (helo=mail.xenproject.org) by tlsNG-ebf023.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 69f0a1b4-1dec-0a2a45040019-6882d725a9c0-3 for ; Tue, 28 Apr 2026 14:01:57 +0200 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wHh8N-0064aR-0U; Tue, 28 Apr 2026 12:01:47 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wHh8N-006n3C-0N; Tue, 28 Apr 2026 12:01:47 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" Authentication-Results: eu.smtp.expurgate.cloud; none Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.510 (Entity 5.510) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 486 v2 (CVE-2026-23558) - grant table v2 race in status page mapping Message-Id: Date: Tue, 28 Apr 2026 12:01:47 +0000 X-purgate-ID: tlsNG-ebf023/1777377718-3144B3FF-30DF8368/0/0 X-purgate-type: clean X-purgate-size: 20327 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2026-23558 / XSA-486 version 2 grant table v2 race in status page mapping UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables. IMPACT ====== Privilege escalation, information leaks, and Denial of Service (DoS) up to affecting the entire host cannot be excluded. VULNERABLE SYSTEMS ================== All Xen versions from 4.0 onwards are affected. Xen versions 3.4 and older are not affected. Only x86 HVM and PVH guests permitted to use grant table version 2 interfaces can leverage this vulnerability. x86 PV guests cannot leverage this vulnerability. On Arm, grant table v2 use is explicitly unsupported. MITIGATION ========== Using the "gnttab=max-ver:1" hypervisor command line option will avoid the vulnerability. Using the "max_grant_version=1" guest configuration option for HVM and PVH guests will also avoid the vulnerability. CREDITS ======= This issue was discovered by Claude Opus 4.6 and diagnosed as a security issue by Rafal Wojtczuk. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa486.patch xen-unstable - Xen 4.19.x xsa486-4.18.patch Xen 4.18.x - Xen 4.17.x $ sha256sum xsa486* 0bc1336f0d8de463e30a920bb900b0199a79b4cc19af72e64cfb60504fa6599d xsa486.patch 3fa23326a2761eba62e661fa052c1cd6b69041ea6752ed573ab240ebcdffedf8 xsa486-4.18.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches described above (or others which are substantially similar) is permitted during the embargo, even on public- facing systems with untrusted guest users and administrators. HOWEVER, deployment of the mitigation is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because restricting the available grant table version is a guest visible configuration change, which may lead to re-discovery of the issue. Deployment of this mitigation is permitted only AFTER the embargo ends. AND: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmnwoQMMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZKXgH/1/L4sRCjLuuwnugfhgcfYdOwFfWEsBGhxsuYTHT 61mqh8Ft4asiPf0qSUJzcWCpfKCB8aGBAEWDj7Hle+yAgYZ22Inf4j2emfcehXiu hkKJ+2VgYs0C4xK1mOrPysxXha9pbyNvEHBJP794QitUYIzuJzeNAcKPmzR10rZ3 jEpyLC41sGiftIB/jq579Mrvz2cp02l2L77+zeWogl7ZMLPs+GbRoF1chTrIo9DU Rt9WJnF7hD+elk280nwO2N6OCgrEVRmSR6AjsGb3E6JGUmZYJ6ZTtEaV+2TBiCXH rfrJGwftJLp6a54RRDPjK709itzppJGPG/ur2rrIRxenRcY= =1e9B -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa486.patch" Content-Disposition: attachment; filename="xsa486.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiBnbnR0YWI6IHNwbGl0IGdudHRhYl9tYXBfZnJhbWUoKQoKSWYgYSBkb21h aW4gdHJpZXMgdG8gbWFwIHN0YXR1cyBmcmFtZXMgaW4gcGFyYWxsZWwgdG8g c3dpdGNoaW5nIGdyYW50CnRhYmxlIHZlcnNpb24gZnJvbSAyIHRvIDEsIHRo ZSBtYXBwaW5nIG9wZXJhdGlvbiBtYXkgcHV0IGluIHBsYWNlIFAyTQplbnRy aWVzIHJlZmVyZW5jaW5nIE1GTnMgd2hpY2ggZ250dGFiX3VucG9wdWxhdGVf c3RhdHVzX2ZyYW1lcygpIGlzIGluIHRoZQpwcm9jZXNzIG9mIGZyZWVpbmcu CgpJZGVhbGx5IHdlIHdvdWxkIHJlZmNvdW50IHBhZ2VzIHdoZW4gZW50ZXJl ZCBpbnRvIFAyTSB0YWJsZXMsIGJ1dCB0aGF0J3MgYQpzaWduaWZpY2FudCBj aGFuZ2UuIEV4dGVuZCB0aGUgZ3JhbnQtdGFibGUtbG9ja2VkIHJlZ2lvbiBp bnN0ZWFkIGluCnhlbm1lbV9hZGRfdG9fcGh5c21hcF9vbmUoKSAoYmVpbmcg dGhlIHNvbGUgY2FsbGVyIG9mIGdudHRhYl9tYXBfZnJhbWUoKSksCnN1Y2gg dGhhdCBhIHJhY2Ugd2l0aCBnbnR0YWJfdW5wb3B1bGF0ZV9zdGF0dXNfZnJh bWVzKCkgaXMgbm8gbG9uZ2VyCnBvc3NpYmxlLgoKVGhpcyBpcyBYU0EtNDg2 IC8gQ1ZFLTIwMjYtMjM1NTguCgpGaXhlczogNWNlOGZhZmE5NDdjICgiRHlu YW1pYyBncmFudC10YWJsZSBzaXppbmciKQpGaXhlczogYTk4ZGMxMzcwM2Uw ICgiSW50cm9kdWNlIGEgZ3JhbnRfZW50cnlfdjIgc3RydWN0dXJlIikKUmVw b3J0ZWQtYnk6IFJhZmFsIFdvanRjenVrIDxyYWZhbC53b2p0Y3p1a0A3YnVs bHMuY29tPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+ClJldmlld2VkLWJ5OiBSb2dlciBQYXUgTW9ubsOpIDxyb2dl ci5wYXVAY2l0cml4LmNvbT4KCi0tLSBhL3hlbi9hcmNoL2FybS9tbS5jCisr KyBiL3hlbi9hcmNoL2FybS9tbS5jCkBAIC0xNzQsMTIgKzE3NCwxMCBAQCBp bnQgeGVubWVtX2FkZF90b19waHlzbWFwX29uZSgKICAgICBzd2l0Y2ggKCBz cGFjZSApCiAgICAgewogICAgIGNhc2UgWEVOTUFQU1BBQ0VfZ3JhbnRfdGFi bGU6Ci0gICAgICAgIHJjID0gZ250dGFiX21hcF9mcmFtZShkLCBpZHgsIGdm biwgJm1mbik7CisgICAgICAgIHJjID0gZ250dGFiX21hcF9mcmFtZV9iZWdp bihkLCBpZHgsIGdmbiwgJm1mbik7CiAgICAgICAgIGlmICggcmMgKQogICAg ICAgICAgICAgcmV0dXJuIHJjOwogCi0gICAgICAgIC8qIE5lZWQgdG8gdGFr ZSBjYXJlIG9mIHRoZSByZWZlcmVuY2Ugb2J0YWluZWQgaW4gZ250dGFiX21h cF9mcmFtZSgpLiAqLwotICAgICAgICBwYWdlID0gbWZuX3RvX3BhZ2UobWZu KTsKICAgICAgICAgdCA9IHAybV9yYW1fcnc7CiAKICAgICAgICAgYnJlYWs7 CkBAIC0yODEsMTAgKzI3OSwyMyBAQCBpbnQgeGVubWVtX2FkZF90b19waHlz bWFwX29uZSgKICAgICAgKiB0byBkcm9wIHRoZSByZWZlcmVuY2Ugd2UgdG9v ayBlYXJsaWVyLiBJbiBhbGwgb3RoZXIgY2FzZXMgd2UgbmVlZCB0bwogICAg ICAqIGRyb3AgYW55IHJlZmVyZW5jZSB3ZSB0b29rIGVhcmxpZXIgKHBlcmhh cHMgaW5kaXJlY3RseSkuCiAgICAgICovCi0gICAgaWYgKCBzcGFjZSA9PSBY RU5NQVBTUEFDRV9nbWZuX2ZvcmVpZ24gPyByYyA6IHBhZ2UgIT0gTlVMTCAp CisgICAgc3dpdGNoICggc3BhY2UgKQogICAgIHsKKyAgICBkZWZhdWx0Ogor ICAgICAgICBpZiAoIHBhZ2UgKQorICAgICAgICAgICAgcHV0X3BhZ2UocGFn ZSk7CisgICAgICAgIGJyZWFrOworCisgICAgY2FzZSBYRU5NQVBTUEFDRV9n cmFudF90YWJsZToKKyAgICAgICAgZ250dGFiX21hcF9mcmFtZV9lbmQoZCwg bWZuKTsKKyAgICAgICAgYnJlYWs7CisKKyAgICBjYXNlIFhFTk1BUFNQQUNF X2dtZm5fZm9yZWlnbjoKKyAgICAgICAgaWYgKCAhcmMgKQorICAgICAgICAg ICAgYnJlYWs7CiAgICAgICAgIEFTU0VSVChwYWdlICE9IE5VTEwpOwogICAg ICAgICBwdXRfcGFnZShwYWdlKTsKKyAgICAgICAgYnJlYWs7CiAgICAgfQog CiAgICAgcmV0dXJuIHJjOwotLS0gYS94ZW4vYXJjaC94ODYvbW0vcDJtLmMK KysrIGIveGVuL2FyY2gveDg2L21tL3AybS5jCkBAIC0yMDA5LDExICsyMDA5 LDkgQEAgaW50IHhlbm1lbV9hZGRfdG9fcGh5c21hcF9vbmUoCiAgICAgICAg IGJyZWFrOwogCiAgICAgY2FzZSBYRU5NQVBTUEFDRV9ncmFudF90YWJsZToK LSAgICAgICAgcmMgPSBnbnR0YWJfbWFwX2ZyYW1lKGQsIGlkeCwgZ2ZuLCAm bWZuKTsKKyAgICAgICAgcmMgPSBnbnR0YWJfbWFwX2ZyYW1lX2JlZ2luKGQs IGlkeCwgZ2ZuLCAmbWZuKTsKICAgICAgICAgaWYgKCByYyApCiAgICAgICAg ICAgICByZXR1cm4gcmM7Ci0gICAgICAgIC8qIE5lZWQgdG8gdGFrZSBjYXJl IG9mIHRoZSByZWZlcmVuY2Ugb2J0YWluZWQgaW4gZ250dGFiX21hcF9mcmFt ZSgpLiAqLwotICAgICAgICBwYWdlID0gbWZuX3RvX3BhZ2UobWZuKTsKICAg ICAgICAgYnJlYWs7CiAKICAgICBjYXNlIFhFTk1BUFNQQUNFX2dtZm46CkBA IC0yMDk1LDE5ICsyMDkzLDI4IEBAIGludCB4ZW5tZW1fYWRkX3RvX3BoeXNt YXBfb25lKAogICAgIHB1dF9nZm4oZCwgZ2ZuX3goZ2ZuKSk7CiAKICBwdXRf Ym90aDoKLSAgICAvKgotICAgICAqIEluIHRoZSBYRU5NQVBTUEFDRV9nbWZu IGNhc2UsIHdlIHRvb2sgYSByZWYgb2YgdGhlIGdmbiBhdCB0aGUgdG9wLgot ICAgICAqIFdlIGFsc28gbWF5IG5lZWQgdG8gdHJhbnNmZXIgb3duZXJzaGlw IG9mIHRoZSBwYWdlIHJlZmVyZW5jZSB0byBvdXIKLSAgICAgKiBjYWxsZXIu Ci0gICAgICovCi0gICAgaWYgKCBzcGFjZSA9PSBYRU5NQVBTUEFDRV9nbWZu ICkKKyAgICBzd2l0Y2ggKCBzcGFjZSApCiAgICAgeworICAgIGNhc2UgWEVO TUFQU1BBQ0VfZ21mbjoKKyAgICAgICAgLyoKKyAgICAgICAgICogV2UgdG9v ayBhIHJlZiBvZiB0aGUgZ2ZuIGF0IHRoZSB0b3AuICBXZSBhbHNvIG1heSBu ZWVkIHRvIHRyYW5zZmVyCisgICAgICAgICAqIG93bmVyc2hpcCBvZiB0aGUg cGFnZSByZWZlcmVuY2UgdG8gb3VyIGNhbGxlci4KKyAgICAgICAgICovCiAg ICAgICAgIHB1dF9nZm4oZCwgZ21mbik7CiAgICAgICAgIGlmICggIXJjICYm IGV4dHJhLnBwYWdlICkKICAgICAgICAgewogICAgICAgICAgICAgKmV4dHJh LnBwYWdlID0gcGFnZTsKICAgICAgICAgICAgIHBhZ2UgPSBOVUxMOwogICAg ICAgICB9CisgICAgICAgIGJyZWFrOworCisgICAgY2FzZSBYRU5NQVBTUEFD RV9ncmFudF90YWJsZToKKyAgICAgICAgLyoKKyAgICAgICAgICogV2UgKGdu dHRhYl9tYXBfZnJhbWVfYmVnaW4oKSkgYWNxdWlyZWQgYSBsb2NrIGFuZCB0 b29rIGEgcmVmIG9mIHRoZQorICAgICAgICAgKiBwYWdlIHVuZGVybHlpbmcg dGhlIE1GTiBhdCB0aGUgdG9wLgorICAgICAgICAgKi8KKyAgICAgICAgZ250 dGFiX21hcF9mcmFtZV9lbmQoZCwgbWZuKTsKKyAgICAgICAgYnJlYWs7CiAg ICAgfQogCiAgICAgaWYgKCBwYWdlICkKLS0tIGEveGVuL2NvbW1vbi9ncmFu dF90YWJsZS5jCisrKyBiL3hlbi9jb21tb24vZ3JhbnRfdGFibGUuYwpAQCAt NDI1MCw3ICs0MjUwLDggQEAgaW50IGdudHRhYl9hY3F1aXJlX3Jlc291cmNl KAogICAgIHJldHVybiByYzsKIH0KIAotaW50IGdudHRhYl9tYXBfZnJhbWUo c3RydWN0IGRvbWFpbiAqZCwgdW5zaWduZWQgbG9uZyBpZHgsIGdmbl90IGdm biwgbWZuX3QgKm1mbikKK2ludCBnbnR0YWJfbWFwX2ZyYW1lX2JlZ2luKAor ICAgIHN0cnVjdCBkb21haW4gKmQsIHVuc2lnbmVkIGxvbmcgaWR4LCBnZm5f dCBnZm4sIG1mbl90ICptZm4pCiB7CiAgICAgaW50IHJjID0gMDsKICAgICBz dHJ1Y3QgZ3JhbnRfdGFibGUgKmd0ID0gZC0+Z3JhbnRfdGFibGU7CkBAIC00 Mjg4LDExICs0Mjg5LDE5IEBAIGludCBnbnR0YWJfbWFwX2ZyYW1lKHN0cnVj dCBkb21haW4gKmQsIHUKICAgICAgICAgICAgIHB1dF9wYWdlKHBnKTsKICAg ICB9CiAKLSAgICBncmFudF93cml0ZV91bmxvY2soZ3QpOworICAgIGlmICgg cmMgKQorICAgICAgICBncmFudF93cml0ZV91bmxvY2soZC0+Z3JhbnRfdGFi bGUpOwogCiAgICAgcmV0dXJuIHJjOwogfQogCit2b2lkIGdudHRhYl9tYXBf ZnJhbWVfZW5kKHN0cnVjdCBkb21haW4gKmQsIG1mbl90IG1mbikKK3sKKyAg ICBwdXRfcGFnZShtZm5fdG9fcGFnZShtZm4pKTsKKworICAgIGdyYW50X3dy aXRlX3VubG9jayhkLT5ncmFudF90YWJsZSk7Cit9CisKIHN0YXRpYyB2b2lk IGdudHRhYl91c2FnZV9wcmludChzdHJ1Y3QgZG9tYWluICpyZCkKIHsKICAg ICBpbnQgZmlyc3QgPSAxOwotLS0gYS94ZW4vaW5jbHVkZS94ZW4vZ3JhbnRf dGFibGUuaAorKysgYi94ZW4vaW5jbHVkZS94ZW4vZ3JhbnRfdGFibGUuaApA QCAtNjAsOCArNjAsMTMgQEAgaW50IGdudHRhYl9yZWxlYXNlX21hcHBpbmdz KHN0cnVjdCBkb21haQogaW50IG1lbV9zaGFyaW5nX2dyZWZfdG9fZ2ZuKHN0 cnVjdCBncmFudF90YWJsZSAqZ3QsIGdyYW50X3JlZl90IHJlZiwKICAgICAg ICAgICAgICAgICAgICAgICAgICAgICBnZm5fdCAqZ2ZuLCB1aW50MTZfdCAq c3RhdHVzKTsKIAotaW50IGdudHRhYl9tYXBfZnJhbWUoc3RydWN0IGRvbWFp biAqZCwgdW5zaWduZWQgbG9uZyBpZHgsIGdmbl90IGdmbiwKLSAgICAgICAg ICAgICAgICAgICAgIG1mbl90ICptZm4pOworLyoKKyAqIFRoZXNlIG5lZWQg dG8gYmUgdXNlZCBhcyBhIHBhaXIsIGFzIHRoZSBmaXJzdCAoaW4gdGhlIHN1 Y2Nlc3MgY2FzZSkgcmV0dXJucworICogd2l0aCBhIGxvY2sgYW5kIHBhZ2Ug cmVmZXJlbmNlIGhlbGQgd2hpY2ggdGhlIHNlY29uZCBuZWVkcyB0byBkcm9w LgorICovCitpbnQgZ250dGFiX21hcF9mcmFtZV9iZWdpbihzdHJ1Y3QgZG9t YWluICpkLCB1bnNpZ25lZCBsb25nIGlkeCwgZ2ZuX3QgZ2ZuLAorICAgICAg ICAgICAgICAgICAgICAgICAgICAgbWZuX3QgKm1mbik7Cit2b2lkIGdudHRh Yl9tYXBfZnJhbWVfZW5kKHN0cnVjdCBkb21haW4gKmQsIG1mbl90IG1mbik7 CiAKIHVuc2lnbmVkIGludCBnbnR0YWJfcmVzb3VyY2VfbWF4X2ZyYW1lcyhj b25zdCBzdHJ1Y3QgZG9tYWluICpkLCB1bnNpZ25lZCBpbnQgaWQpOwogCkBA IC0xMDAsMTIgKzEwNSwxNCBAQCBzdGF0aWMgaW5saW5lIGludCBtZW1fc2hh cmluZ19ncmVmX3RvX2dmCiAgICAgcmV0dXJuIC1FSU5WQUw7CiB9CiAKLXN0 YXRpYyBpbmxpbmUgaW50IGdudHRhYl9tYXBfZnJhbWUoc3RydWN0IGRvbWFp biAqZCwgdW5zaWduZWQgbG9uZyBpZHgsCi0gICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIGdmbl90IGdmbiwgbWZuX3QgKm1mbikKK3N0YXRp YyBpbmxpbmUgaW50IGdudHRhYl9tYXBfZnJhbWVfYmVnaW4oc3RydWN0IGRv bWFpbiAqZCwgdW5zaWduZWQgbG9uZyBpZHgsCisgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIGdmbl90IGdmbiwgbWZuX3QgKm1m bikKIHsKICAgICByZXR1cm4gLUVJTlZBTDsKIH0KIAorc3RhdGljIGlubGlu ZSB2b2lkIGdudHRhYl9tYXBfZnJhbWVfZW5kKHN0cnVjdCBkb21haW4gKmQs IG1mbl90IG1mbikge30KKwogc3RhdGljIGlubGluZSB1bnNpZ25lZCBpbnQg Z250dGFiX3Jlc291cmNlX21heF9mcmFtZXMoCiAgICAgY29uc3Qgc3RydWN0 IGRvbWFpbiAqZCwgdW5zaWduZWQgaW50IGlkKQogewo= --=separator Content-Type: application/octet-stream; name="xsa486-4.18.patch" Content-Disposition: attachment; filename="xsa486-4.18.patch" Content-Transfer-Encoding: base64 RnJvbTogSmFuIEJldWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgpTdWJqZWN0 OiBnbnR0YWI6IHNwbGl0IGdudHRhYl9tYXBfZnJhbWUoKQoKSWYgYSBkb21h aW4gdHJpZXMgdG8gbWFwIHN0YXR1cyBmcmFtZXMgaW4gcGFyYWxsZWwgdG8g c3dpdGNoaW5nIGdyYW50CnRhYmxlIHZlcnNpb24gZnJvbSAyIHRvIDEsIHRo ZSBtYXBwaW5nIG9wZXJhdGlvbiBtYXkgcHV0IGluIHBsYWNlIFAyTQplbnRy aWVzIHJlZmVyZW5jaW5nIE1GTnMgd2hpY2ggZ250dGFiX3VucG9wdWxhdGVf c3RhdHVzX2ZyYW1lcygpIGlzIGluIHRoZQpwcm9jZXNzIG9mIGZyZWVpbmcu CgpJZGVhbGx5IHdlIHdvdWxkIHJlZmNvdW50IHBhZ2VzIHdoZW4gZW50ZXJl ZCBpbnRvIFAyTSB0YWJsZXMsIGJ1dCB0aGF0J3MgYQpzaWduaWZpY2FudCBj aGFuZ2UuIEV4dGVuZCB0aGUgZ3JhbnQtdGFibGUtbG9ja2VkIHJlZ2lvbiBp bnN0ZWFkIGluCnhlbm1lbV9hZGRfdG9fcGh5c21hcF9vbmUoKSAoYmVpbmcg dGhlIHNvbGUgY2FsbGVyIG9mIGdudHRhYl9tYXBfZnJhbWUoKSksCnN1Y2gg dGhhdCBhIHJhY2Ugd2l0aCBnbnR0YWJfdW5wb3B1bGF0ZV9zdGF0dXNfZnJh bWVzKCkgaXMgbm8gbG9uZ2VyCnBvc3NpYmxlLgoKVGhpcyBpcyBYU0EtNDg2 IC8gQ1ZFLTIwMjYtMjM1NTguCgpGaXhlczogNWNlOGZhZmE5NDdjICgiRHlu YW1pYyBncmFudC10YWJsZSBzaXppbmciKQpGaXhlczogYTk4ZGMxMzcwM2Uw ICgiSW50cm9kdWNlIGEgZ3JhbnRfZW50cnlfdjIgc3RydWN0dXJlIikKUmVw b3J0ZWQtYnk6IFJhZmFsIFdvanRjenVrIDxyYWZhbC53b2p0Y3p1a0A3YnVs bHMuY29tPgpTaWduZWQtb2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hA c3VzZS5jb20+ClJldmlld2VkLWJ5OiBSb2dlciBQYXUgTW9ubsOpIDxyb2dl ci5wYXVAY2l0cml4LmNvbT4KCi0tLSBhL3hlbi9hcmNoL2FybS9tbS5jCisr KyBiL3hlbi9hcmNoL2FybS9tbS5jCkBAIC0xMzcyLDEyICsxMzcyLDEwIEBA IGludCB4ZW5tZW1fYWRkX3RvX3BoeXNtYXBfb25lKAogICAgIHN3aXRjaCAo IHNwYWNlICkKICAgICB7CiAgICAgY2FzZSBYRU5NQVBTUEFDRV9ncmFudF90 YWJsZToKLSAgICAgICAgcmMgPSBnbnR0YWJfbWFwX2ZyYW1lKGQsIGlkeCwg Z2ZuLCAmbWZuKTsKKyAgICAgICAgcmMgPSBnbnR0YWJfbWFwX2ZyYW1lX2Jl Z2luKGQsIGlkeCwgZ2ZuLCAmbWZuKTsKICAgICAgICAgaWYgKCByYyApCiAg ICAgICAgICAgICByZXR1cm4gcmM7CiAKLSAgICAgICAgLyogTmVlZCB0byB0 YWtlIGNhcmUgb2YgdGhlIHJlZmVyZW5jZSBvYnRhaW5lZCBpbiBnbnR0YWJf bWFwX2ZyYW1lKCkuICovCi0gICAgICAgIHBhZ2UgPSBtZm5fdG9fcGFnZSht Zm4pOwogICAgICAgICB0ID0gcDJtX3JhbV9ydzsKIAogICAgICAgICBicmVh azsKQEAgLTE0NzksMTAgKzE0NzcsMjMgQEAgaW50IHhlbm1lbV9hZGRfdG9f cGh5c21hcF9vbmUoCiAgICAgICogdG8gZHJvcCB0aGUgcmVmZXJlbmNlIHdl IHRvb2sgZWFybGllci4gSW4gYWxsIG90aGVyIGNhc2VzIHdlIG5lZWQgdG8K ICAgICAgKiBkcm9wIGFueSByZWZlcmVuY2Ugd2UgdG9vayBlYXJsaWVyIChw ZXJoYXBzIGluZGlyZWN0bHkpLgogICAgICAqLwotICAgIGlmICggc3BhY2Ug PT0gWEVOTUFQU1BBQ0VfZ21mbl9mb3JlaWduID8gcmMgOiBwYWdlICE9IE5V TEwgKQorICAgIHN3aXRjaCAoIHNwYWNlICkKICAgICB7CisgICAgZGVmYXVs dDoKKyAgICAgICAgaWYgKCBwYWdlICkKKyAgICAgICAgICAgIHB1dF9wYWdl KHBhZ2UpOworICAgICAgICBicmVhazsKKworICAgIGNhc2UgWEVOTUFQU1BB Q0VfZ3JhbnRfdGFibGU6CisgICAgICAgIGdudHRhYl9tYXBfZnJhbWVfZW5k KGQsIG1mbik7CisgICAgICAgIGJyZWFrOworCisgICAgY2FzZSBYRU5NQVBT UEFDRV9nbWZuX2ZvcmVpZ246CisgICAgICAgIGlmICggIXJjICkKKyAgICAg ICAgICAgIGJyZWFrOwogICAgICAgICBBU1NFUlQocGFnZSAhPSBOVUxMKTsK ICAgICAgICAgcHV0X3BhZ2UocGFnZSk7CisgICAgICAgIGJyZWFrOwogICAg IH0KIAogICAgIHJldHVybiByYzsKLS0tIGEveGVuL2FyY2gveDg2L21tL3Ay bS5jCisrKyBiL3hlbi9hcmNoL3g4Ni9tbS9wMm0uYwpAQCAtMjQ0NiwxMSAr MjQ0Niw5IEBAIGludCB4ZW5tZW1fYWRkX3RvX3BoeXNtYXBfb25lKAogICAg ICAgICBicmVhazsKIAogICAgIGNhc2UgWEVOTUFQU1BBQ0VfZ3JhbnRfdGFi bGU6Ci0gICAgICAgIHJjID0gZ250dGFiX21hcF9mcmFtZShkLCBpZHgsIGdw Zm4sICZtZm4pOworICAgICAgICByYyA9IGdudHRhYl9tYXBfZnJhbWVfYmVn aW4oZCwgaWR4LCBncGZuLCAmbWZuKTsKICAgICAgICAgaWYgKCByYyApCiAg ICAgICAgICAgICByZXR1cm4gcmM7Ci0gICAgICAgIC8qIE5lZWQgdG8gdGFr ZSBjYXJlIG9mIHRoZSByZWZlcmVuY2Ugb2J0YWluZWQgaW4gZ250dGFiX21h cF9mcmFtZSgpLiAqLwotICAgICAgICBwYWdlID0gbWZuX3RvX3BhZ2UobWZu KTsKICAgICAgICAgYnJlYWs7CiAKICAgICBjYXNlIFhFTk1BUFNQQUNFX2dt Zm46CkBAIC0yNTI2LDE5ICsyNTI0LDI4IEBAIGludCB4ZW5tZW1fYWRkX3Rv X3BoeXNtYXBfb25lKAogICAgIHB1dF9nZm4oZCwgZ2ZuX3goZ3BmbikpOwog CiAgcHV0X2JvdGg6Ci0gICAgLyoKLSAgICAgKiBJbiB0aGUgWEVOTUFQU1BB Q0VfZ21mbiBjYXNlLCB3ZSB0b29rIGEgcmVmIG9mIHRoZSBnZm4gYXQgdGhl IHRvcC4KLSAgICAgKiBXZSBhbHNvIG1heSBuZWVkIHRvIHRyYW5zZmVyIG93 bmVyc2hpcCBvZiB0aGUgcGFnZSByZWZlcmVuY2UgdG8gb3VyCi0gICAgICog Y2FsbGVyLgotICAgICAqLwotICAgIGlmICggc3BhY2UgPT0gWEVOTUFQU1BB Q0VfZ21mbiApCisgICAgc3dpdGNoICggc3BhY2UgKQogICAgIHsKKyAgICBj YXNlIFhFTk1BUFNQQUNFX2dtZm46CisgICAgICAgIC8qCisgICAgICAgICAq IFdlIHRvb2sgYSByZWYgb2YgdGhlIGdmbiBhdCB0aGUgdG9wLiAgV2UgYWxz byBtYXkgbmVlZCB0byB0cmFuc2ZlcgorICAgICAgICAgKiBvd25lcnNoaXAg b2YgdGhlIHBhZ2UgcmVmZXJlbmNlIHRvIG91ciBjYWxsZXIuCisgICAgICAg ICAqLwogICAgICAgICBwdXRfZ2ZuKGQsIGdmbik7CiAgICAgICAgIGlmICgg IXJjICYmIGV4dHJhLnBwYWdlICkKICAgICAgICAgewogICAgICAgICAgICAg KmV4dHJhLnBwYWdlID0gcGFnZTsKICAgICAgICAgICAgIHBhZ2UgPSBOVUxM OwogICAgICAgICB9CisgICAgICAgIGJyZWFrOworCisgICAgY2FzZSBYRU5N QVBTUEFDRV9ncmFudF90YWJsZToKKyAgICAgICAgLyoKKyAgICAgICAgICog V2UgKGdudHRhYl9tYXBfZnJhbWVfYmVnaW4oKSkgYWNxdWlyZWQgYSBsb2Nr IGFuZCB0b29rIGEgcmVmIG9mIHRoZQorICAgICAgICAgKiBwYWdlIHVuZGVy bHlpbmcgdGhlIE1GTiBhdCB0aGUgdG9wLgorICAgICAgICAgKi8KKyAgICAg ICAgZ250dGFiX21hcF9mcmFtZV9lbmQoZCwgbWZuKTsKKyAgICAgICAgYnJl YWs7CiAgICAgfQogCiAgICAgaWYgKCBwYWdlICkKLS0tIGEveGVuL2NvbW1v bi9ncmFudF90YWJsZS5jCisrKyBiL3hlbi9jb21tb24vZ3JhbnRfdGFibGUu YwpAQCAtNDIzNyw3ICs0MjM3LDggQEAgaW50IGdudHRhYl9hY3F1aXJlX3Jl c291cmNlKAogICAgIHJldHVybiByYzsKIH0KIAotaW50IGdudHRhYl9tYXBf ZnJhbWUoc3RydWN0IGRvbWFpbiAqZCwgdW5zaWduZWQgbG9uZyBpZHgsIGdm bl90IGdmbiwgbWZuX3QgKm1mbikKK2ludCBnbnR0YWJfbWFwX2ZyYW1lX2Jl Z2luKAorICAgIHN0cnVjdCBkb21haW4gKmQsIHVuc2lnbmVkIGxvbmcgaWR4 LCBnZm5fdCBnZm4sIG1mbl90ICptZm4pCiB7CiAgICAgaW50IHJjID0gMDsK ICAgICBzdHJ1Y3QgZ3JhbnRfdGFibGUgKmd0ID0gZC0+Z3JhbnRfdGFibGU7 CkBAIC00Mjc1LDExICs0Mjc2LDE5IEBAIGludCBnbnR0YWJfbWFwX2ZyYW1l KHN0cnVjdCBkb21haW4gKmQsIHUKICAgICAgICAgICAgIHB1dF9wYWdlKHBn KTsKICAgICB9CiAKLSAgICBncmFudF93cml0ZV91bmxvY2soZ3QpOworICAg IGlmICggcmMgKQorICAgICAgICBncmFudF93cml0ZV91bmxvY2soZC0+Z3Jh bnRfdGFibGUpOwogCiAgICAgcmV0dXJuIHJjOwogfQogCit2b2lkIGdudHRh Yl9tYXBfZnJhbWVfZW5kKHN0cnVjdCBkb21haW4gKmQsIG1mbl90IG1mbikK K3sKKyAgICBwdXRfcGFnZShtZm5fdG9fcGFnZShtZm4pKTsKKworICAgIGdy YW50X3dyaXRlX3VubG9jayhkLT5ncmFudF90YWJsZSk7Cit9CisKIHN0YXRp YyB2b2lkIGdudHRhYl91c2FnZV9wcmludChzdHJ1Y3QgZG9tYWluICpyZCkK IHsKICAgICBpbnQgZmlyc3QgPSAxOwotLS0gYS94ZW4vaW5jbHVkZS94ZW4v Z3JhbnRfdGFibGUuaAorKysgYi94ZW4vaW5jbHVkZS94ZW4vZ3JhbnRfdGFi bGUuaApAQCAtNTMsOCArNTMsMTMgQEAgaW50IGdudHRhYl9yZWxlYXNlX21h cHBpbmdzKHN0cnVjdCBkb21haQogaW50IG1lbV9zaGFyaW5nX2dyZWZfdG9f Z2ZuKHN0cnVjdCBncmFudF90YWJsZSAqZ3QsIGdyYW50X3JlZl90IHJlZiwK ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnZm5fdCAqZ2ZuLCB1aW50 MTZfdCAqc3RhdHVzKTsKIAotaW50IGdudHRhYl9tYXBfZnJhbWUoc3RydWN0 IGRvbWFpbiAqZCwgdW5zaWduZWQgbG9uZyBpZHgsIGdmbl90IGdmbiwKLSAg ICAgICAgICAgICAgICAgICAgIG1mbl90ICptZm4pOworLyoKKyAqIFRoZXNl IG5lZWQgdG8gYmUgdXNlZCBhcyBhIHBhaXIsIGFzIHRoZSBmaXJzdCAoaW4g dGhlIHN1Y2Nlc3MgY2FzZSkgcmV0dXJucworICogd2l0aCBhIGxvY2sgYW5k IHBhZ2UgcmVmZXJlbmNlIGhlbGQgd2hpY2ggdGhlIHNlY29uZCBuZWVkcyB0 byBkcm9wLgorICovCitpbnQgZ250dGFiX21hcF9mcmFtZV9iZWdpbihzdHJ1 Y3QgZG9tYWluICpkLCB1bnNpZ25lZCBsb25nIGlkeCwgZ2ZuX3QgZ2ZuLAor ICAgICAgICAgICAgICAgICAgICAgICAgICAgbWZuX3QgKm1mbik7Cit2b2lk IGdudHRhYl9tYXBfZnJhbWVfZW5kKHN0cnVjdCBkb21haW4gKmQsIG1mbl90 IG1mbik7CiAKIHVuc2lnbmVkIGludCBnbnR0YWJfcmVzb3VyY2VfbWF4X2Zy YW1lcyhjb25zdCBzdHJ1Y3QgZG9tYWluICpkLCB1bnNpZ25lZCBpbnQgaWQp OwogCkBAIC05MywxMiArOTgsMTQgQEAgc3RhdGljIGlubGluZSBpbnQgbWVt X3NoYXJpbmdfZ3JlZl90b19nZgogICAgIHJldHVybiAtRUlOVkFMOwogfQog Ci1zdGF0aWMgaW5saW5lIGludCBnbnR0YWJfbWFwX2ZyYW1lKHN0cnVjdCBk b21haW4gKmQsIHVuc2lnbmVkIGxvbmcgaWR4LAotICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBnZm5fdCBnZm4sIG1mbl90ICptZm4pCitz dGF0aWMgaW5saW5lIGludCBnbnR0YWJfbWFwX2ZyYW1lX2JlZ2luKHN0cnVj dCBkb21haW4gKmQsIHVuc2lnbmVkIGxvbmcgaWR4LAorICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnZm5fdCBnZm4sIG1mbl90 ICptZm4pCiB7CiAgICAgcmV0dXJuIC1FSU5WQUw7CiB9CiAKK3N0YXRpYyBp bmxpbmUgdm9pZCBnbnR0YWJfbWFwX2ZyYW1lX2VuZChzdHJ1Y3QgZG9tYWlu ICpkLCBtZm5fdCBtZm4pIHt9CisKIHN0YXRpYyBpbmxpbmUgdW5zaWduZWQg aW50IGdudHRhYl9yZXNvdXJjZV9tYXhfZnJhbWVzKAogICAgIGNvbnN0IHN0 cnVjdCBkb21haW4gKmQsIHVuc2lnbmVkIGludCBpZCkKIHsK --=separator-- From xen-announce-bounces@lists.xenproject.org Tue Apr 28 12:02:02 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 28 Apr 2026 12:02:02 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1295649.1572362 (Exim 4.92) (envelope-from ) id 1wHh8R-00064a-PU; Tue, 28 Apr 2026 12:01:51 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1295649.1572362; Tue, 28 Apr 2026 12:01:51 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wHh8R-00063d-EC; Tue, 28 Apr 2026 12:01:51 +0000 Received: by outflank-mailman (input) for mailman id 1295649; Tue, 28 Apr 2026 12:01:50 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wHh8P-0005Su-TQ; Tue, 28 Apr 2026 12:01:50 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wHh8P-004jZf-8v; Tue, 28 Apr 2026 14:01:49 +0200 Received: from [10.42.69.8] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 69f0a1ab-e002-0a2a0a5209dd-0a2a45088726-10 for ; Tue, 28 Apr 2026 14:01:49 +0200 Received: from [104.130.215.37] (helo=mail.xenproject.org) by tlsNG-c1860d.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 69f0a1ab-63b5-0a2a45080019-6882d7258cca-3 for ; Tue, 28 Apr 2026 14:01:49 +0200 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wHh8H-0064a6-2y; Tue, 28 Apr 2026 12:01:41 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wHh8H-006n23-2q; Tue, 28 Apr 2026 12:01:41 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" Authentication-Results: eu.smtp.expurgate.cloud; none Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.510 (Entity 5.510) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 485 v2 (CVE-2026-31786) - Linux kernel out of bounds read via Xen-related sysfs file Message-Id: Date: Tue, 28 Apr 2026 12:01:41 +0000 X-purgate-ID: tlsNG-c1860d/1777377709-38D63DB1-A0E3543C/0/0 X-purgate-type: clean X-purgate-size: 6361 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2026-31786 / XSA-485 version 2 Linux kernel out of bounds read via Xen-related sysfs file UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= The Linux sysfs file /sys/hypervisor/properties/buildid does not contain printable information, but a binary value of typically 16 or 20 bytes, which is not terminated by a zero byte. The kernel driver making this information available is using the sprintf() function for writing the data into the user readable buffer, resulting in a potential out of bounds read past the buildid retrieved from the Xen hypervisor. In rare cases even writing past the sysfs buffer of 4kB might happen, if no zero byte is found in the 4kB of data following the start of the buildid. This might result in users being capable to read kernel secrets or even overwrite kernel memory located after the sysfs buffer. IMPACT ====== Inside any Linux Xen domain information leaks, Denial of Service (DoS) and privilege escalation might be possible. VULNERABLE SYSTEMS ================== All Linux domains with a kernel version 4.13 or later are vulnerable. Domains up to kernel version 4.12 are not vulnerable. MITIGATION ========== There is no known mitigation available. CREDITS ======= This issue was discovered by Frediano Ziglio of XenServer. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa485-linux.patch Linux $ sha256sum xsa485* c70b792093d7b314b8c476e39df88a62a2d98fb0efc6328590d0ad3266c77831 xsa485-linux.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of patches or mitigations is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because the patch needs to be applied to the guests. Deployment is permitted only AFTER the embargo ends. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmnwoQIMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZu7cH/0KeJ7rnA7tE5l1TYcD2Enh0jYjMtBw0DIH/bYwd EGNklioe02/aVGs9TooQDeZZRMOg6tyA3c7skl2jGN51RlHrPMc27tNDGdFR9/F/ 0Mp614K4lfoKfEYQTdWxWYPPerIhfkDSkUOmKlOwS/NyJ5HnuQ+LT8j7e+1YKs04 BOjqNorArGoxsRIleRAXIUzZPOreCPrUBRIQwVsULnsGMIkcFSnt4CyV/sPFzILh 2KHCFPZHpQ70SxbgZgVmEb1emwDysps9LoVzrRQcuHsD1AsqtgSvsHau0Wi1juY4 CjygNQUML3r6ZH46DNsovpdHHW08HfhgYuASZ85erwsxM0Q= =wJb9 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa485-linux.patch" Content-Disposition: attachment; filename="xsa485-linux.patch" Content-Transfer-Encoding: base64 RnJvbSAwYWU1ZWEwMGNjNTExMTEwNzMzNjY1YjI5MzVhMTU0ZDVlNTY5NDgw IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBGcmVkaWFubyBaaWds aW8gPGZyZWRpYW5vLnppZ2xpb0BjaXRyaXguY29tPgpEYXRlOiBGcmksIDI3 IE1hciAyMDI2IDE0OjEzOjM4ICswMTAwClN1YmplY3Q6IFtQQVRDSF0gQnVm ZmVyIG92ZXJmbG93IGluIGRyaXZlcnMveGVuL3N5cy1oeXBlcnZpc29yLmMK ClRoZSBidWlsZCBpZCByZXR1cm5lZCBieSBIWVBFUlZJU09SX3hlbl92ZXJz aW9uKFhFTlZFUl9idWlsZF9pZCkgaXMKbmVpdGhlciBOVUwgdGVybWluYXRl ZCBub3IgYSBzdHJpbmcuCgpUaGUgZmlyc3QgY2F1c2VzIGEgYnVmZmVyIG92 ZXJmbG93IGFzIHNwcmludGYgaW4gYnVpbGRpZF9zaG93IHdpbGwKcmVhZCBh bmQgY29weSB0aWxsIGl0IGZpbmRzIGEgTlVMLgoKMDAwMDAwMDAgIGY0IDkx IDUxIGY0IGRkIDM4IDllIDlkICA2NSA0NyA1MiBlYiAxMCA3MSBkYiA1MCAg fC4uUS4uOC4uZUdSLi5xLlB8CjAwMDAwMDEwICBiOSBhOCAwMSA0MiA2ZiAy ZSAzMiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwuLi5Cby4yfAow MDAwMDAxNwoKU28gdXNlIGEgbWVtY3B5IGluc3RlYWQgb2Ygc3ByaW50ZiB0 byBoYXZlIHRoZSBjb3JyZWN0IHZhbHVlOgoKMDAwMDAwMDAgIGY0IDkxIDUx IGY0IGRkIDAwIDllIDlkICA2NSA0NyA1MiBlYiAxMCA3MSBkYiA1MCAgfC4u US4uLi4uZUdSLi5xLlB8CjAwMDAwMDEwICBiOSBhOCAwMSA0MiAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwuLi5CfAowMDAwMDAx NAoKKHRoZSBhYm92ZSBoYXZlIGEgaGFjayB0byBlbWJlZCBhIHplcm8gaW5z aWRlIGFuZCBjaGVjayBpdCdzCnJldHVybmVkIGNvcnJlY3RseSkuCgpUaGlz IGlzIFhTQS00ODUgLyBDVkUtMjAyNi0zMTc4NgoKRml4ZXM6IDg0Yjc2MjU3 MjhlYSAoInhlbjogYWRkIHN5c2ZzIG5vZGUgZm9yIGh5cGVydmlzb3IgYnVp bGQgaWQiKQpTaWduZWQtb2ZmLWJ5OiBGcmVkaWFubyBaaWdsaW8gPGZyZWRp YW5vLnppZ2xpb0BjaXRyaXguY29tPgpSZXZpZXdlZC1ieTogSnVlcmdlbiBH cm9zcyA8amdyb3NzQHN1c2UuY29tPgpTaWduZWQtb2ZmLWJ5OiBKdWVyZ2Vu IEdyb3NzIDxqZ3Jvc3NAc3VzZS5jb20+Ci0tLQogZHJpdmVycy94ZW4vc3lz LWh5cGVydmlzb3IuYyB8IDggKysrKysrLS0KIDEgZmlsZSBjaGFuZ2VkLCA2 IGluc2VydGlvbnMoKyksIDIgZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEv ZHJpdmVycy94ZW4vc3lzLWh5cGVydmlzb3IuYyBiL2RyaXZlcnMveGVuL3N5 cy1oeXBlcnZpc29yLmMKaW5kZXggYjFiYjAxYmE4MmY4Li45MTkyMzI0MmE1 YWUgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMveGVuL3N5cy1oeXBlcnZpc29yLmMK KysrIGIvZHJpdmVycy94ZW4vc3lzLWh5cGVydmlzb3IuYwpAQCAtMzY2LDYg KzM2Niw4IEBAIHN0YXRpYyBzc2l6ZV90IGJ1aWxkaWRfc2hvdyhzdHJ1Y3Qg aHlwX3N5c2ZzX2F0dHIgKmF0dHIsIGNoYXIgKmJ1ZmZlcikKIAkJCXJldCA9 IHNwcmludGYoYnVmZmVyLCAiPGRlbmllZD4iKTsKIAkJcmV0dXJuIHJldDsK IAl9CisJaWYgKHJldCA+IFBBR0VfU0laRSkKKwkJcmV0dXJuIC1FTk9TUEM7 CiAKIAlidWlsZGlkID0ga21hbGxvYyhzaXplb2YoKmJ1aWxkaWQpICsgcmV0 LCBHRlBfS0VSTkVMKTsKIAlpZiAoIWJ1aWxkaWQpCkBAIC0zNzMsOCArMzc1 LDEwIEBAIHN0YXRpYyBzc2l6ZV90IGJ1aWxkaWRfc2hvdyhzdHJ1Y3QgaHlw X3N5c2ZzX2F0dHIgKmF0dHIsIGNoYXIgKmJ1ZmZlcikKIAogCWJ1aWxkaWQt PmxlbiA9IHJldDsKIAlyZXQgPSBIWVBFUlZJU09SX3hlbl92ZXJzaW9uKFhF TlZFUl9idWlsZF9pZCwgYnVpbGRpZCk7Ci0JaWYgKHJldCA+IDApCi0JCXJl dCA9IHNwcmludGYoYnVmZmVyLCAiJXMiLCBidWlsZGlkLT5idWYpOworCWlm IChyZXQgPiAwKSB7CisJCS8qIEJ1aWxkIGlkIGlzIGJpbmFyeSwgbm90IGEg c3RyaW5nLiAqLworCQltZW1jcHkoYnVmZmVyLCBidWlsZGlkLT5idWYsIHJl dCk7CisJfQogCWtmcmVlKGJ1aWxkaWQpOwogCiAJcmV0dXJuIHJldDsKLS0g CjIuNTMuMAoK --=separator-- From xen-announce-bounces@lists.xenproject.org Tue Apr 28 12:02:02 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 28 Apr 2026 12:02:02 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1295642.1572288 (Exim 4.92) (envelope-from ) id 1wHh8K-0004RV-EB; Tue, 28 Apr 2026 12:01:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1295642.1572288; Tue, 28 Apr 2026 12:01:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wHh8K-0004R0-9w; Tue, 28 Apr 2026 12:01:44 +0000 Received: by outflank-mailman (input) for mailman id 1295642; Tue, 28 Apr 2026 12:01:43 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wHh8J-0004QY-5G; Tue, 28 Apr 2026 12:01:43 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wHh8I-004jWr-H2; Tue, 28 Apr 2026 14:01:42 +0200 Received: from [10.42.69.1] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 69f0a1a5-e002-0a2a0a5209dd-0a2a4501852e-6 for ; Tue, 28 Apr 2026 14:01:42 +0200 Received: from [104.130.215.37] (helo=mail.xenproject.org) by tlsNG-d62444.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 69f0a1a5-c1f2-0a2a45010019-6882d725b590-3 for ; Tue, 28 Apr 2026 14:01:42 +0200 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wHh88-0064Zb-09; Tue, 28 Apr 2026 12:01:32 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wHh87-006n03-3A; Tue, 28 Apr 2026 12:01:31 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" Authentication-Results: eu.smtp.expurgate.cloud; none Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.510 (Entity 5.510) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 483 v2 (CVE-2026-23556) - oxenstored keeps quota related use counts across domain destruction Message-Id: Date: Tue, 28 Apr 2026 12:01:31 +0000 X-purgate-ID: tlsNG-d62444/1777377702-BDA69FF4-96C8E755/0/0 X-purgate-type: clean X-purgate-size: 8700 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2026-23556 / XSA-483 version 2 oxenstored keeps quota related use counts across domain destruction UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= When oxenstored is tearing a domain down, the node data is cleaned up but the usage counts are leaked. When the domain ID is eventually reused, the new domain can create fewer nodes before beeing deemed to be over quota. IMPACT ====== Over an extended period of time, new domains will be able to create fewer and fewer nodes in xenstored, until they are eventually unable to operate at all. A buggy or malicious domain can speed this process up by deliberately hitting it's quota, and then rebooting. VULNERABLE SYSTEMS ================== All versions of Xen containing the XSA-419 fixes are vulnerable. Only systems configured to use oxenstored (Ocaml xenstored) are vulnerable. Systems configured to xenstored (C xenstored) are not vulnerable. MITIGATION ========== Performing a xenstore live update mitigates the issue. CREDITS ======= This issue was discovered by Andrii Sultanov of Vates. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa483.patch xen-unstable - Xen 4.18.x xsa483-4.17.patch Xen 4.17.x xsa483-xapi.patch XAPI oxenstored $ sha256sum xsa483* 4be3acc57dcd5e2719cab165729879757a1915c33b848a37623dd4a5f1157746 xsa483.patch 389b0411d855894adff6f640dcbd3358adc6d4cb9ddeedbcb9cb2c345af67d51 xsa483-4.17.patch ec191a1e158eddd22bfbd764f26f6b6a0b75b9fe0a223dc66da1c4a16ef73122 xsa483-xapi.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmnwoPIMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZM8EH/iXC6hLQHAVLeRCfUEZ1ncM7029KPyRxLIOlthCS cAyMNjyVSckGMRgKvYWCpl/fN1v/2yv3olIIR9wtncaq8Q+iMkwOsw1P46fmsh3J 40pK6PnaP1/kRrua1ZANlUc8YUhWG8fE2ADPHCIo57qbO1fXVUEWARdgU5gYIkF4 Kz+dvkpEEiTdRe24zqfn9Bv4lDsihfq3B9zecEuqMj3L88FrMP9VfBJZMbx9N/Pb TUE/FltETdWqMLeIyb7r3P5OPrLRYk6ebgrX96Pb3f0d1/OC8E4Me3RNvGoArmOI f8R0M/zly0lmoJspJFtI2C7BdUIKB/59z/Sz2YC706AJBO0= =mbDG -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa483.patch" Content-Disposition: attachment; filename="xsa483.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmlpIFN1bHRhbm92IDxhbmRyaXkuc3VsdGFub3ZAdmF0ZXMu dGVjaD4KU3ViamVjdDogdG9vbHMvb3hlbnN0b3JlZDogUmVzZXQgcXVvdGEg d2hlbiByZXNldHRpbmcgcGVybWlzc2lvbnMKClRoZSBxdW90YSBvYmplY3Qg Y29udGFpbnMgYm90aCBsaW1pdHMgYW5kIHRoZSBjdXJyZW50IG5vZGUgdXNh Z2UgY291bnRzLgoKV2hlbiBhIGRvbWFpbiBpcyB0b3JuIGRvd24sIHRoZSBu b2RlIGRhdGEgaXRzZWxmIGlzIGNsZWFuZWQgdXAgYnV0IHRoZSBub2RlCnVz YWdlIGNvdW50cyBhcmUgbm90LiAgQSBsYXRlciBkb21haW4gcmV1c2luZyB0 aGUgc2FtZSBkb21pZCBjYW4gY3JlYXRlIGZld2VyCm5vZGVzIGJlZm9yZSBi ZWluZyBkZWVtZWQgdG8gYmUgb3ZlciBxdW90YS4KClJlc2V0IHRoZSBjb3Vu dCB3aGVuIHRoZSBub2RlIHBlcm1pc3Npb25zIGFyZSBjbGVhbmVkIHVwLgoK VGhpcyBpcyBYU0EtNDgzIC8gQ1ZFLTIwMjYtMjM1NTYuCgpTaWduZWQtb2Zm LWJ5OiBBbmRyaWkgU3VsdGFub3YgPGFuZHJpeS5zdWx0YW5vdkB2YXRlcy50 ZWNoPgpTaWduZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29v cGVyM0BjaXRyaXguY29tPgoKZGlmZiAtLWdpdCBhL3Rvb2xzL29jYW1sL3hl bnN0b3JlZC9zdG9yZS5tbCBiL3Rvb2xzL29jYW1sL3hlbnN0b3JlZC9zdG9y ZS5tbAppbmRleCA5YjhkZDI4MTJkZjAuLmFhOTIwNGVhZDNlYyAxMDA2NDQK LS0tIGEvdG9vbHMvb2NhbWwveGVuc3RvcmVkL3N0b3JlLm1sCisrKyBiL3Rv b2xzL29jYW1sL3hlbnN0b3JlZC9zdG9yZS5tbApAQCAtNDY1LDcgKzQ2NSw4 IEBAIGxldCByZXNldF9wZXJtaXNzaW9ucyBzdG9yZSBkb21pZCA9CiAgICAg ICAgIGlmIHBlcm1zIDw+IG5vZGUucGVybXMgdGhlbgogICAgICAgICAgIExv Z2dpbmcuZGVidWcgInN0b3JlfG5vZGUiICJDaGFuZ2VkIHBlcm1pc3Npb25z IGZvciBub2RlICVzIiAoTm9kZS5nZXRfbmFtZSBub2RlKTsKICAgICAgICAg U29tZSB7IG5vZGUgd2l0aCBOb2RlLnBlcm1zIH0KLSAgICApIHN0b3JlLnJv b3QKKyAgICApIHN0b3JlLnJvb3Q7CisgIHN0b3JlLnF1b3RhIDwtIFF1b3Rh LmRlbCBzdG9yZS5xdW90YSBkb21pZAogCiB0eXBlIG9wcyA9IHsKICAgc3Rv cmU6IHQ7Cg== --=separator Content-Type: application/octet-stream; name="xsa483-4.17.patch" Content-Disposition: attachment; filename="xsa483-4.17.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmlpIFN1bHRhbm92IDxhbmRyaXkuc3VsdGFub3ZAdmF0ZXMu dGVjaD4KU3ViamVjdDogdG9vbHMvb3hlbnN0b3JlZDogUmVzZXQgcXVvdGEg d2hlbiByZXNldHRpbmcgcGVybWlzc2lvbnMKClRoZSBxdW90YSBvYmplY3Qg Y29udGFpbnMgYm90aCBsaW1pdHMgYW5kIHRoZSBjdXJyZW50IG5vZGUgdXNh Z2UgY291bnRzLgoKV2hlbiBhIGRvbWFpbiBpcyB0b3JuIGRvd24sIHRoZSBu b2RlIGRhdGEgaXRzZWxmIGlzIGNsZWFuZWQgdXAgYnV0IHRoZSBub2RlCnVz YWdlIGNvdW50cyBhcmUgbm90LiAgQSBsYXRlciBkb21haW4gcmV1c2luZyB0 aGUgc2FtZSBkb21pZCBjYW4gY3JlYXRlIGZld2VyCm5vZGVzIGJlZm9yZSBi ZWluZyBkZWVtZWQgdG8gYmUgb3ZlciBxdW90YS4KClJlc2V0IHRoZSBjb3Vu dCB3aGVuIHRoZSBub2RlIHBlcm1pc3Npb25zIGFyZSBjbGVhbmVkIHVwLgoK VGhpcyBpcyBYU0EtNDgzIC8gQ1ZFLTIwMjYtMjM1NTYuCgpTaWduZWQtb2Zm LWJ5OiBBbmRyaWkgU3VsdGFub3YgPGFuZHJpeS5zdWx0YW5vdkB2YXRlcy50 ZWNoPgpTaWduZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29v cGVyM0BjaXRyaXguY29tPgoKZGlmZiAtLWdpdCBhL3Rvb2xzL29jYW1sL3hl bnN0b3JlZC9zdG9yZS5tbCBiL3Rvb2xzL29jYW1sL3hlbnN0b3JlZC9zdG9y ZS5tbAppbmRleCA1ZGQ5NjVkYjE1MWYuLmMwOTlhMmVhZTY4YSAxMDA2NDQK LS0tIGEvdG9vbHMvb2NhbWwveGVuc3RvcmVkL3N0b3JlLm1sCisrKyBiL3Rv b2xzL29jYW1sL3hlbnN0b3JlZC9zdG9yZS5tbApAQCAtNDY1LDcgKzQ2NSw4 IEBAIGxldCByZXNldF9wZXJtaXNzaW9ucyBzdG9yZSBkb21pZCA9CiAJCQlp ZiBwZXJtcyA8PiBub2RlLnBlcm1zIHRoZW4KIAkJCQlMb2dnaW5nLmRlYnVn ICJzdG9yZXxub2RlIiAiQ2hhbmdlZCBwZXJtaXNzaW9ucyBmb3Igbm9kZSAl cyIgKE5vZGUuZ2V0X25hbWUgbm9kZSk7CiAJCQlTb21lIHsgbm9kZSB3aXRo IE5vZGUucGVybXMgfQotCSkgc3RvcmUucm9vdAorCSkgc3RvcmUucm9vdDsK KwlzdG9yZS5xdW90YSA8LSBRdW90YS5kZWwgc3RvcmUucXVvdGEgZG9taWQK IAogdHlwZSBvcHMgPSB7CiAJc3RvcmU6IHQ7Cg== --=separator Content-Type: application/octet-stream; name="xsa483-xapi.patch" Content-Disposition: attachment; filename="xsa483-xapi.patch" Content-Transfer-Encoding: base64 RnJvbTogQW5kcmlpIFN1bHRhbm92IDxhbmRyaXkuc3VsdGFub3ZAdmF0ZXMu dGVjaD4KU3ViamVjdDogdG9vbHMvb3hlbnN0b3JlZDogUmVzZXQgcXVvdGEg d2hlbiByZXNldHRpbmcgcGVybWlzc2lvbnMKClRoZSBxdW90YSBvYmplY3Qg Y29udGFpbnMgYm90aCBsaW1pdHMgYW5kIHRoZSBjdXJyZW50IG5vZGUgdXNh Z2UgY291bnRzLgoKV2hlbiBhIGRvbWFpbiBpcyB0b3JuIGRvd24sIHRoZSBu b2RlIGRhdGEgaXRzZWxmIGlzIGNsZWFuZWQgdXAgYnV0IHRoZSBub2RlCnVz YWdlIGNvdW50cyBhcmUgbm90LiAgQSBsYXRlciBkb21haW4gcmV1c2luZyB0 aGUgc2FtZSBkb21pZCBjYW4gY3JlYXRlIGZld2VyCm5vZGVzIGJlZm9yZSBi ZWluZyBkZWVtZWQgdG8gYmUgb3ZlciBxdW90YS4KClJlc2V0IHRoZSBjb3Vu dCB3aGVuIHRoZSBub2RlIHBlcm1pc3Npb25zIGFyZSBjbGVhbmVkIHVwLgoK VGhpcyBpcyBYU0EtNDgzIC8gQ1ZFLTIwMjYtMjM1NTYuCgpTaWduZWQtb2Zm LWJ5OiBBbmRyaWkgU3VsdGFub3YgPGFuZHJpeS5zdWx0YW5vdkB2YXRlcy50 ZWNoPgpTaWduZWQtb2ZmLWJ5OiBBbmRyZXcgQ29vcGVyIDxhbmRyZXcuY29v cGVyM0BjaXRyaXguY29tPgoKZGlmZiAtLWdpdCBhL294ZW5zdG9yZWQvc3Rv cmUubWwgYi9veGVuc3RvcmVkL3N0b3JlLm1sCmluZGV4IDNmMzkwMTU1YWJh Yy4uNTFkZjgxZTI0ZDY1IDEwMDY0NAotLS0gYS9veGVuc3RvcmVkL3N0b3Jl Lm1sCisrKyBiL294ZW5zdG9yZWQvc3RvcmUubWwKQEAgLTUxMCw3ICs1MTAs OCBAQCBsZXQgcmVzZXRfcGVybWlzc2lvbnMgc3RvcmUgZG9taWQgPQogICAg ICAgICAgICAgICAgIChOb2RlLmdldF9uYW1lIG5vZGUpIDsKICAgICAgICAg ICAgIFNvbWUge25vZGUgd2l0aCBOb2RlLnBlcm1zfQogICAgICAgKQotICAg ICAgc3RvcmUucm9vdAorICAgICAgc3RvcmUucm9vdCA7CisgIHN0b3JlLnF1 b3RhIDwtIFF1b3RhLmRlbCBzdG9yZS5xdW90YSBkb21pZAogCiB0eXBlIG9w cyA9IHsKICAgICBzdG9yZTogdAo= --=separator-- From xen-announce-bounces@lists.xenproject.org Tue Apr 28 12:02:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 28 Apr 2026 12:02:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1295659.1572426 (Exim 4.92) (envelope-from ) id 1wHh8d-0007zR-Ih; Tue, 28 Apr 2026 12:02:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1295659.1572426; Tue, 28 Apr 2026 12:02:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wHh8d-0007v6-6e; Tue, 28 Apr 2026 12:02:03 +0000 Received: by outflank-mailman (input) for mailman id 1295659; Tue, 28 Apr 2026 12:02:00 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wHh8a-0007VO-1O; Tue, 28 Apr 2026 12:02:00 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wHh8Z-00C4HC-Db; Tue, 28 Apr 2026 14:01:59 +0200 Received: from [10.42.69.10] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 69f0a1b2-bab6-0a2a0a5309dd-0a2a450ae9a4-12 for ; Tue, 28 Apr 2026 14:01:59 +0200 Received: from [104.130.215.37] (helo=mail.xenproject.org) by tlsNG-4011c0.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 69f0a1b5-56b3-0a2a450a0019-6882d725ccba-3 for ; Tue, 28 Apr 2026 14:01:59 +0200 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wHh8S-0064ap-1C; Tue, 28 Apr 2026 12:01:52 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wHh8S-006n4i-17; Tue, 28 Apr 2026 12:01:52 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" Authentication-Results: eu.smtp.expurgate.cloud; none Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.510 (Entity 5.510) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 487 v2 (CVE-2026-31787) - Linux kernel double free in Xen privcmd driver Message-Id: Date: Tue, 28 Apr 2026 12:01:52 +0000 X-purgate-ID: tlsNG-4011c0/1777377719-46D708B7-2E2A13BD/0/0 X-purgate-type: clean X-purgate-size: 6117 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2026-31787 / XSA-487 version 2 Linux kernel double free in Xen privcmd driver UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= The Linux kernel's privcmd driver can be abused to circumvent kernel lockdown (secure boot) by causing a double free of kernel memory. Note that this operation can be performed by root only, so any further impact on the system (like denial of service) is not security relevant. IMPACT ====== An administrator of a domain booted in secure mode is able to perform actions on the kernel which should not be possible in secure mode. VULNERABLE SYSTEMS ================== Linux PVH or HVM domains (x86 or Arm) from kernel 3.8 onwards are vulnerable. PV domains or non-Linux domains are not vulnerable. MITIGATION ========== There is no mitigation available. CREDITS ======= This issue was discovered by Atharva Vartak (@0xAth4rv). RESOLUTION ========== Applying the attached patch resolves this issue. xsa487-linux.patch Linux $ sha256sum xsa487* fc7ccf9697203c14ced4364d70175b463b08a17a7559fd8654a12b623b54e5bb xsa487-linux.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of patches or mitigations is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because the patch needs to be applied to the guest. Deployment is permitted only AFTER the embargo ends. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmnwoQUMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZKRkH/A2DLI9IzMFrmuzksitp7G+MD/AWq3jJe93IAeU1 /QguHV7pQXFyhb1zWR/+DB4zt5tAcGIs75enob8njm3HZ/e5Ht6aSlYq+Rl5ZO6w kK4aUljpRUxPTOg/PHPKn2sTkZccQxXGxmara5PwhZf0uXb0BBB33dhWbkxQoAR/ FzHSFNHvJKZct/fmmavE38R4AVel0GC3Ufi1jQ44l85xBWtmWN4+ioEno4tDqKkk d9fmRfCoPta2zCL8DezC3y/LC7x8bbLeL1CMFchnVW+JjJOON22K2R/12dvBFUOF If+HuBOHviA02fDW86H+sKTn/KnCI1jNjgUto9tCIkdyvSI= =NY86 -----END PGP SIGNATURE----- --=separator Content-Type: application/octet-stream; name="xsa487-linux.patch" Content-Disposition: attachment; filename="xsa487-linux.patch" Content-Transfer-Encoding: base64 RnJvbSA1NTc3YzAwMzAxOGFiYjFhZDkyZGM0MDMyY2M3MWIxNzE4YTgzZGZh IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBKdWVyZ2VuIEdyb3Nz IDxqZ3Jvc3NAc3VzZS5jb20+CkRhdGU6IEZyaSwgMTAgQXByIDIwMjYgMDk6 MjA6MDQgKzAyMDAKU3ViamVjdDogW1BBVENIXSB4ZW4vcHJpdmNtZDogZml4 IGRvdWJsZSBmcmVlIHZpYSBWTUEgc3BsaXR0aW5nCgpwcml2Y21kX3ZtX29w cyBkZWZpbmVzIC5jbG9zZSAocHJpdmNtZF9jbG9zZSksIGJ1dCBuZWl0aGVy IC5tYXlfc3BsaXQKbm9yIC5vcGVuLiBXaGVuIHVzZXJzcGFjZSBkb2VzIGEg cGFydGlhbCBtdW5tYXAoKSBvbiBhIHByaXZjbWQgbWFwcGluZywKdGhlIGtl cm5lbCBzcGxpdHMgdGhlIFZNQSB2aWEgX19zcGxpdF92bWEoKS4gU2luY2Ug bWF5X3NwbGl0IGlzIE5VTEwsCnRoZSBzcGxpdCBpcyBhbGxvd2VkLiB2bV9h cmVhX2R1cCgpIGNvcGllcyB2bV9wcml2YXRlX2RhdGEgKGEgcGFnZXMKYXJy YXkgYWxsb2NhdGVkIGluIGFsbG9jX2VtcHR5X3BhZ2VzKCkpIGludG8gdGhl IG5ldyBWTUEgd2l0aG91dCBhbnkKZml4dXAsIGJlY2F1c2UgdGhlcmUgaXMg bm8gLm9wZW4gY2FsbGJhY2suCgpCb3RoIFZNQXMgbm93IHBvaW50IHRvIHRo ZSBzYW1lIHBhZ2VzIGFycmF5LiBXaGVuIHRoZSB1bm1hcHBlZCBwb3J0aW9u CmlzIGNsb3NlZCwgcHJpdmNtZF9jbG9zZSgpIGNhbGxzOgogICAgLSB4ZW5f dW5tYXBfZG9tYWluX2dmbl9yYW5nZSgpCiAgICAtIHhlbl9mcmVlX3VucG9w dWxhdGVkX3BhZ2VzKCkKICAgIC0ga3ZmcmVlKHBhZ2VzKQoKVGhlIHN1cnZp dmluZyBWTUEgc3RpbGwgaG9sZHMgdGhlIGRhbmdsaW5nIHBvaW50ZXIuIFdo ZW4gaXQgaXMgbGF0ZXIKZGVzdHJveWVkLCB0aGUgc2FtZSBzZXF1ZW5jZSBy dW5zIGFnYWluLCB3aGljaCBsZWFkcyB0byBhIGRvdWJsZSBmcmVlLgoKRml4 IHRoaXMgaXNzdWUgYnkgYWRkaW5nIGEgLm1heV9zcGxpdCBjYWxsYmFjayBk ZW55aW5nIHRoZSBWTUEgc3BsaXQuCgpUaGlzIGlzIFhTQS00ODcgLyBDVkUt MjAyNi0zMTc4NwoKRml4ZXM6IGQ3MWY1MTM5ODVjMiAoInhlbjogcHJpdmNt ZDogc3VwcG9ydCBhdXRvdHJhbnNsYXRlZCBwaHlzbWFwIGd1ZXN0cy4iKQpS ZXBvcnRlZC1ieTogQXRoYXJ2YSBWYXJ0YWsgPGF0aGFydmEuYS52YXJ0YWtA Z21haWwuY29tPgpTdWdnZXN0ZWQtYnk6IEF0aGFydmEgVmFydGFrIDxhdGhh cnZhLmEudmFydGFrQGdtYWlsLmNvbT4KU2lnbmVkLW9mZi1ieTogSnVlcmdl biBHcm9zcyA8amdyb3NzQHN1c2UuY29tPgpSZXZpZXdlZC1ieTogSmFuIEJl dWxpY2ggPGpiZXVsaWNoQHN1c2UuY29tPgotLS0KIGRyaXZlcnMveGVuL3By aXZjbWQuYyB8IDcgKysrKysrKwogMSBmaWxlIGNoYW5nZWQsIDcgaW5zZXJ0 aW9ucygrKQoKZGlmZiAtLWdpdCBhL2RyaXZlcnMveGVuL3ByaXZjbWQuYyBi L2RyaXZlcnMveGVuL3ByaXZjbWQuYwppbmRleCAxNWJhNTkyMjM2ZTguLjcy NWE0OWEwZWVlNyAxMDA2NDQKLS0tIGEvZHJpdmVycy94ZW4vcHJpdmNtZC5j CisrKyBiL2RyaXZlcnMveGVuL3ByaXZjbWQuYwpAQCAtMTYyMCw2ICsxNjIw LDEyIEBAIHN0YXRpYyB2b2lkIHByaXZjbWRfY2xvc2Uoc3RydWN0IHZtX2Fy ZWFfc3RydWN0ICp2bWEpCiAJa3ZmcmVlKHBhZ2VzKTsKIH0KIAorc3RhdGlj IGludCBwcml2Y21kX21heV9zcGxpdChzdHJ1Y3Qgdm1fYXJlYV9zdHJ1Y3Qg KmFyZWEsIHVuc2lnbmVkIGxvbmcgYWRkcikKK3sKKwkvKiBGb3JiaWQgc3Bs aXR0aW5nLCBhdm9pZHMgZG91YmxlIGZyZWUgdmlhIHByaXZjbWRfY2xvc2Uo KS4gKi8KKwlyZXR1cm4gLUVJTlZBTDsKK30KKwogc3RhdGljIHZtX2ZhdWx0 X3QgcHJpdmNtZF9mYXVsdChzdHJ1Y3Qgdm1fZmF1bHQgKnZtZikKIHsKIAlw cmludGsoS0VSTl9ERUJVRyAicHJpdmNtZF9mYXVsdDogdm1hPSVwICVseC0l bHgsIHBnb2ZmPSVseCwgdXY9JXBcbiIsCkBAIC0xNjMxLDYgKzE2MzcsNyBA QCBzdGF0aWMgdm1fZmF1bHRfdCBwcml2Y21kX2ZhdWx0KHN0cnVjdCB2bV9m YXVsdCAqdm1mKQogCiBzdGF0aWMgY29uc3Qgc3RydWN0IHZtX29wZXJhdGlv bnNfc3RydWN0IHByaXZjbWRfdm1fb3BzID0gewogCS5jbG9zZSA9IHByaXZj bWRfY2xvc2UsCisJLm1heV9zcGxpdCA9IHByaXZjbWRfbWF5X3NwbGl0LAog CS5mYXVsdCA9IHByaXZjbWRfZmF1bHQKIH07CiAKLS0gCjIuNTMuMAoK --=separator-- From xen-announce-bounces@lists.xenproject.org Tue Apr 28 18:06:04 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 28 Apr 2026 18:06:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1296644.1572971 (Exim 4.92) (envelope-from ) id 1wHmoS-0006cW-QA; Tue, 28 Apr 2026 18:05:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1296644.1572971; Tue, 28 Apr 2026 18:05:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wHmoS-0006cG-JY; Tue, 28 Apr 2026 18:05:36 +0000 Received: by outflank-mailman (input) for mailman id 1296644; Tue, 28 Apr 2026 18:05:35 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wHmoR-0006bn-Qp; Tue, 28 Apr 2026 18:05:35 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wHmoR-00GyDs-1x; Tue, 28 Apr 2026 20:05:35 +0200 Received: from [10.42.69.9] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 69f0f6e5-2eae-0a2a0a5409dd-0a2a4509b6e4-12 for ; Tue, 28 Apr 2026 20:05:34 +0200 Received: from [104.130.215.37] (helo=mail.xenproject.org) by tlsNG-bad1c0.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 69f0f6ec-2497-0a2a45090019-6882d725cb18-3 for ; Tue, 28 Apr 2026 20:05:34 +0200 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wHmoL-006BvQ-0v; Tue, 28 Apr 2026 18:05:29 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wHmoL-007C43-0i; Tue, 28 Apr 2026 18:05:29 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" Authentication-Results: eu.smtp.expurgate.cloud; none Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.510 (Entity 5.510) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 489 v1 (CVE-2026-23559,CVE-2026-23560,CVE-2026-23561,CVE-2026-23562,CVE-2026-42486) - Multiple RBAC issues in XAPI Message-Id: Date: Tue, 28 Apr 2026 18:05:29 +0000 X-purgate-ID: tlsNG-bad1c0/1777399534-42573A53-1A14A799/0/0 X-purgate-type: clean X-purgate-size: 3984 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2026-23559,CVE-2026-23560,CVE-2026-23561,CVE-2026-23562,CVE-2026-42486 / XSA-489 Multiple RBAC issues in XAPI ISSUE DESCRIPTION ================= XAPI can configure different users with different roles, using Role Based Access Control. For more details, see: https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles The pool-admin role is fully privileged. Notably, users with this role can also SSH into the host as root. The other administrator roles are pool-operator, vm-power-admin and vm-admin, each of which are authorised to configure and manage various aspects of the system. Some settings are inadequately restricted, and can be set by a lower privilege of administrator than expected. * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and turn arbitrary files in dom0 into VDIs (virtual disks) and give said disks to a VM they control. This is an arbitrary read and/or modify of files in dom0. * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain and mark a VM as a system domain. System domains are ignored and left running during certain other host/pool operations, and may be hidden from view in tooling. * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain and mark a VM as the storage domain for a particular host storage connection (PBD). Shutting down the VM can cause the PBD to be erroneously marked as unplugged when it is not. * CVE-2026-23562: Configuration of PCI passthrough is normally restricted to the pool-admin role. However one API was missing this check, allowing a vm-admin access to unintended host hardware. * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role, as it can allow arbitrary dom0 file write. IMPACT ====== An authenticated user already granted one of pool-operator, vm-power-admin or vm-admin can escalate their privilege to pool-admin. VULNERABLE SYSTEMS ================== Systems running all versions of XAPI are vulnerable. The vulnerability is only exposed if RBAC is configured for the pool, and certain users are assigned the not-fully-privileged administrator roles. MITIGATION ========== Disable any users (RBAC subjects) which have been configured with the vm-admin, vm-power-admin or pool-operator role. RESOLUTION ========== Fixes can be found in the following pull requests: https://github.com/xapi-project/xen-api/pull/7031 https://github.com/xapi-project/xen-api/pull/7032 https://github.com/xapi-project/xen-api/pull/7033 https://github.com/xapi-project/xen-api/pull/7039 NOTE REGARDING LACK OF EMBARGO ============================== These issues were disclosed in public. The researcher claimed 89 vulnerabilities. Analysis by the XAPI team concluded that only 5 were real vulnerabilities, with most being a failure to read the RBAC documentation, and several appearing to be AI hallucinations. The researcher also took active steps to prevent coordinated disclosure. Due to acting in bad faith, they are explicitly not credited. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmnw9tkMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZgLUIAMgzABaje/RPPO7lwrp1ERZQhtqy/SPG2dYxE75a M6bytAbpj4Y9lgh8IB4QLXDSEfSgjWKxzSGcUi3DpvJI3uiQmSqvAE5XnfRfVHT/ h1eo0vQ3v8yz5++iiOl2Cq9Qvg9cvMFEXYz8X21+u63KlpOnXjUZ7VpYeRdrbCYs n6Id6QU4D/y+3EZne5Xs0JY6Dn8J8SM3ejNjP6OmMFJMoKgSf1nXarQhNcmgvR0G a+PRjUWgHAHqfdzjJsyBZLyNwPAQgUM2aDfPqGh8vr9YlE6sWwlxYEeSIGsWzAHu oE5iWmYq5O4FUTgf+1ye8PUNbGyzDsJCeGfWeAXvGobQ6aQ= =OEJh -----END PGP SIGNATURE----- --=separator-- From xen-announce-bounces@lists.xenproject.org Wed Apr 29 16:36:55 2026 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 29 Apr 2026 16:36:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1297562.1573519 (Exim 4.92) (envelope-from ) id 1wI7tk-0003q7-R8; Wed, 29 Apr 2026 16:36:28 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1297562.1573519; Wed, 29 Apr 2026 16:36:28 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wI7tk-0003pz-Ne; Wed, 29 Apr 2026 16:36:28 +0000 Received: by outflank-mailman (input) for mailman id 1297562; Wed, 29 Apr 2026 16:36:28 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wI7tk-0003pf-15; Wed, 29 Apr 2026 16:36:28 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wI7th-003Xgb-CU; Wed, 29 Apr 2026 18:36:26 +0200 Received: from [10.42.69.2] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 69f23381-2eae-0a2a0a5409dd-0a2a4502bf52-22 for ; Wed, 29 Apr 2026 18:36:26 +0200 Received: from [104.130.215.37] (helo=mail.xenproject.org) by tlsNG-720697.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 69f23389-af86-0a2a45020019-6882d725c50c-3 for ; Wed, 29 Apr 2026 18:36:26 +0200 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.96) (envelope-from ) id 1wI7tc-007jM9-2v; Wed, 29 Apr 2026 16:36:20 +0000 Received: from andrewcoop by xenbits.xenproject.org with local (Exim 4.96) (envelope-from ) id 1wI7tc-0088Ru-2i; Wed, 29 Apr 2026 16:36:20 +0000 X-BeenThere: xen-announce@lists.xenproject.org List-Id: "Xen announcements \(low volume\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-announce-bounces@lists.xenproject.org Precedence: list Sender: "Xen-announce" Authentication-Results: eu.smtp.expurgate.cloud; none Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8" Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.510 (Entity 5.510) To: xen-announce@lists.xen.org, xen-devel@lists.xen.org, xen-users@lists.xen.org, oss-security@lists.openwall.com From: Xen.org security team CC: Xen.org security team Subject: Xen Security Advisory 489 v2 (CVE-2026-23559,CVE-2026-23560,CVE-2026-23561,CVE-2026-23562,CVE-2026-42486) - Multiple RBAC issues in XAPI Message-Id: Date: Wed, 29 Apr 2026 16:36:20 +0000 X-purgate-ID: tlsNG-720697/1777480586-82F6E161-90DE8246/3/8721326451 X-purgate-type: bulk X-purgate-size: 4128 --=separator Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2026-23559,CVE-2026-23560,CVE-2026-23561,CVE-2026-23562,CVE-2026-42486 / XSA-489 version 2 Multiple RBAC issues in XAPI UPDATES IN VERSION 2 ==================== Fixes now merged and backported in XAPI. Refer to the tagged releases. ISSUE DESCRIPTION ================= XAPI can configure different users with different roles, using Role Based Access Control. For more details, see: https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles The pool-admin role is fully privileged. Notably, users with this role can also SSH into the host as root. The other administrator roles are pool-operator, vm-power-admin and vm-admin, each of which are authorised to configure and manage various aspects of the system. Some settings are inadequately restricted, and can be set by a lower privilege of administrator than expected. * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and turn arbitrary files in dom0 into VDIs (virtual disks) and give said disks to a VM they control. This is an arbitrary read and/or modify of files in dom0. * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain and mark a VM as a system domain. System domains are ignored and left running during certain other host/pool operations, and may be hidden from view in tooling. * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain and mark a VM as the storage domain for a particular host storage connection (PBD). Shutting down the VM can cause the PBD to be erroneously marked as unplugged when it is not. * CVE-2026-23562: Configuration of PCI passthrough is normally restricted to the pool-admin role. However one API was missing this check, allowing a vm-admin access to unintended host hardware. * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role, as it can allow arbitrary dom0 file write. IMPACT ====== An authenticated user already granted one of pool-operator, vm-power-admin or vm-admin can escalate their privilege to pool-admin. VULNERABLE SYSTEMS ================== Systems running all versions of XAPI are vulnerable. The vulnerability is only exposed if RBAC is configured for the pool, and certain users are assigned the not-fully-privileged administrator roles. MITIGATION ========== Disable any users (RBAC subjects) which have been configured with the vm-admin, vm-power-admin or pool-operator role. RESOLUTION ========== Fixes in XAPI have been merged and backported. They are available in the following releases: https://github.com/xapi-project/xen-api/releases/tag/v26.12.0 https://github.com/xapi-project/xen-api/releases/tag/v26.1.11 NOTE REGARDING LACK OF EMBARGO ============================== These issues were disclosed in public. The researcher claimed 89 vulnerabilities. Analysis by the XAPI team concluded that only 5 were real vulnerabilities, with most being a failure to read the RBAC documentation, and several appearing to be AI hallucinations. The researcher also took active steps to prevent coordinated disclosure. Due to acting in bad faith, they are explicitly not credited. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmnyM2sMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZwPUIAMWaoFOOukhaMwGj+r6+k2lKvYhkYjbstVUrSTp2 PVZ17/xezOg/rHotBTdixWDVsztoJcw/pm/hRAcYqSJJ5+aYVrVzNOpVRRuFf2uK p8Lkjmk/15MeDy68pEeIkoJEpdAdTsJvY5anHB0OtUug/NzmiDUDvcJbsBfAmEHS pzeQAVoKICy4Z1/EWbKNofq+ja4gMEJDvNdM51jY9LUnOuNWgdP24Tjk9DjuZ3jz TfWjpbrtEG7RgU0hgsZhsFMxzVh3JZPPIAkqLkZJouDH7SpRZe3t3AIPY5eUw80w x94wdIJoiTS2FAEEyIRs7aa+DqyvLVhHhqJmMfHRl8/6KbA= =ye+c -----END PGP SIGNATURE----- --=separator--