Information
| Advisory | XSA-486 |
| Public release | 2026-04-28 12:00 |
| Updated | 2026-04-28 12:01 |
| Version | 2 |
| CVE(s) | CVE-2026-23558 |
| Title | grant table v2 race in status page mapping |
Files
advisory-486.txt (signed advisory file)
xsa486.patch
xsa486-4.18.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2026-23558 / XSA-486
version 2
grant table v2 race in status page mapping
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
The adjustments made for XSA-379 as well as those subsequently becoming
XSA-387 still left a race window, when a HVM or PVH guest does a grant
table version change from v2 to v1 in parallel with mapping the status
page(s) via XENMEM_add_to_physmap. Some of the status pages may then be
freed while mappings of them would still be inserted into the guest's
secondary (P2M) page tables.
IMPACT
======
Privilege escalation, information leaks, and Denial of Service (DoS) up
to affecting the entire host cannot be excluded.
VULNERABLE SYSTEMS
==================
All Xen versions from 4.0 onwards are affected. Xen versions 3.4 and
older are not affected.
Only x86 HVM and PVH guests permitted to use grant table version 2
interfaces can leverage this vulnerability. x86 PV guests cannot
leverage this vulnerability. On Arm, grant table v2 use is explicitly
unsupported.
MITIGATION
==========
Using the "gnttab=max-ver:1" hypervisor command line option will avoid
the vulnerability.
Using the "max_grant_version=1" guest configuration option for HVM and PVH
guests will also avoid the vulnerability.
CREDITS
=======
This issue was discovered by Claude Opus 4.6 and diagnosed as a security
issue by Rafal Wojtczuk.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa486.patch           xen-unstable - Xen 4.19.x
xsa486-4.18.patch      Xen 4.18.x - Xen 4.17.x
$ sha256sum xsa486*
0bc1336f0d8de463e30a920bb900b0199a79b4cc19af72e64cfb60504fa6599d xsa486.patch
3fa23326a2761eba62e661fa052c1cd6b69041ea6752ed573ab240ebcdffedf8 xsa486-4.18.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on public-
facing systems with untrusted guest users and administrators.
HOWEVER, deployment of the mitigation is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List). Specifically, deployment on public cloud systems
is NOT permitted.
This is because restricting the available grant table version is a guest
visible configuration change, which may lead to re-discovery of the issue.
Deployment of this mitigation is permitted only AFTER the embargo ends.
AND: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Xenproject.org Security Team
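The two settings named in the MITIGATION section can be audited with a short script. This is an added example, not part of the advisory or of Xen; the function names, the sample command lines and the sample guest configs are constructed for illustration, and treating the last max-ver on the command line as the effective one is an assumption.

```shell
#!/bin/sh
# Added example: audit the two XSA-486 mitigations; inputs are passed in so it runs offline.

# host_mitigated "<xen command line>": succeeds if the effective gnttab max-ver is 1.
host_mitigated() {
    ver=""
    for opt in $1; do
        case "$opt" in gnttab=*) ;; *) continue ;; esac
        # gnttab= takes a comma-separated list; the last max-ver seen is taken
        # as the effective one (assumption of this example).
        old_ifs=$IFS; IFS=,
        for item in ${opt#gnttab=}; do
            case "$item" in max-ver:*) ver=${item#max-ver:} ;; esac
        done
        IFS=$old_ifs
    done
    [ "$ver" = 1 ]
}

# cfg_value FILE KEY: print the last uncommented value of KEY, quotes stripped.
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# guest_status FILE: print not-affected (PV), mitigated, or exposed.
# Simplification: only type= is read; the legacy builder= key is ignored.
guest_status() {
    gtype=$(cfg_value "$1" type)
    case "${gtype:-pv}" in
        hvm|pvh) ;;
        *) echo not-affected; return 0 ;;
    esac
    if [ "$(cfg_value "$1" max_grant_version)" = 1 ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# Constructed sample inputs; on a real dom0 the command line is the
# xen_commandline field of `xl info`.
demo=$(mktemp -d)
printf 'type = "hvm"\nmax_grant_version = 1\n' > "$demo/a.cfg"
printf 'type = "pvh"\nmemory = 2048\n' > "$demo/b.cfg"
for f in "$demo"/*.cfg; do echo "${f##*/}: $(guest_status "$f")"; done
host_mitigated "console=vga gnttab=max-ver:2" || echo "host: gnttab=max-ver:1 not set"
rm -rf "$demo"
```

A guest reported as exposed is still covered when the host command line check succeeds, since the hypervisor option applies to every guest.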