Information
| Advisory | XSA-487 |
| Public release | 2026-04-28 12:00 |
| Updated | 2026-04-28 12:01 |
| Version | 2 |
| CVE(s) | CVE-2026-31787 |
| Title | Linux kernel double free in Xen privcmd driver |
Files
advisory-487.txt (signed advisory file)
xsa487-linux.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2026-31787 / XSA-487
version 2
Linux kernel double free in Xen privcmd driver
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
The Linux kernel's privcmd driver can be abused to circumvent kernel
lockdown (secure boot) by causing a double free of kernel memory.
Note that this operation can be performed by root only, so any
further impact on the system (like denial of service) is not security
relevant.
IMPACT
======
An administrator of a domain booted in secure mode is able to perform
actions on the kernel which should not be possible in secure mode.
VULNERABLE SYSTEMS
==================
Linux PVH or HVM domains (x86 or Arm) from kernel 3.8 onwards are
vulnerable.
PV domains or non-Linux domains are not vulnerable.
MITIGATION
==========
There is no mitigation available.
CREDITS
=======
This issue was discovered by Atharva Vartak (@0xAth4rv).
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa487-linux.patch Linux
$ sha256sum xsa487*
fc7ccf9697203c14ced4364d70175b463b08a17a7559fd8654a12b623b54e5bb xsa487-linux.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of patches or mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List). Specifically, deployment on public cloud systems
is NOT permitted.
This is because the patch needs to be applied to the guest.
Deployment is permitted only AFTER the embargo ends.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
Xenproject.org Security Team
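The VULNERABLE SYSTEMS and ISSUE DESCRIPTION criteria above, written as a guest-side triage check. This is an added example, not part of the Xen Project advisory; the function names and verdict strings are this example's own, and it reads `/sys/hypervisor/guest_type` and `/sys/kernel/security/lockdown` only when run with `--local`.

```shell
#!/bin/sh
# Added example: XSA-487 triage from the advisory's VULNERABLE SYSTEMS section.
# Verdict strings and function names are this example's own (assumptions).

# kernel_in_range RELEASE: 0 if RELEASE is 3.8 or later, 1 if older, 2 if unparseable.
kernel_in_range() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; }
}

# active_lockdown TEXT: print the bracketed (active) mode from the contents of
# /sys/kernel/security/lockdown, e.g. "none [integrity] confidentiality".
active_lockdown() {
    case "$1" in
        *\[*\]*) m=${1#*\[}; printf '%s\n' "${m%%\]*}" ;;
        *) printf 'unknown\n' ;;
    esac
}

# classify RELEASE GUEST_TYPE LOCKDOWN: print a one-line verdict.
classify() {
    case "$2" in
        PV) echo "not-affected: PV domain"; return 0 ;;
        HVM|PVH|Xen) ;;  # Arm guests report "Xen" in guest_type
        *) echo "unknown: guest type '$2' is not a recognised Xen domain type"; return 0 ;;
    esac
    rc=0; kernel_in_range "$1" || rc=$?
    case "$rc" in
        1) echo "not-affected: kernel older than 3.8"; return 0 ;;
        2) echo "unknown: cannot parse kernel release '$1'"; return 0 ;;
    esac
    case "$3" in
        integrity|confidentiality)
            echo "affected-range: lockdown=$3, confirm xsa487-linux.patch is applied" ;;
        *) echo "affected-range: lockdown not active, bypass impact does not apply" ;;
    esac
}

# triage_local: classify the running guest. guest_type needs kernel 4.13+;
# a version check cannot see backported fixes, so verify the patch separately.
triage_local() {
    gt=$(cat /sys/hypervisor/guest_type 2>/dev/null || echo unreadable)
    ld=$(active_lockdown "$(cat /sys/kernel/security/lockdown 2>/dev/null || true)")
    classify "$(uname -r)" "$gt" "$ld"
}

if [ "${1:-}" = "--local" ]; then triage_local; fi
```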