-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2026-31787 / XSA-487
                              version 2

             Linux kernel double free in Xen privcmd driver

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The Linux kernel's privcmd driver can be abused to circumvent kernel
lockdown (secure boot) by causing a double free of kernel memory.

Note that this operation can be performed by root only, so any further
impact on the system (like denial of service) is not security relevant.

IMPACT
======

An administrator of a domain booted in secure mode is able to perform
actions on the kernel which should not be possible in secure mode.

VULNERABLE SYSTEMS
==================

Linux PVH or HVM domains (x86 or Arm) from kernel 3.8 onwards are
vulnerable.

PV domains or non-Linux domains are not vulnerable.

MITIGATION
==========

There is no mitigation available.

CREDITS
=======

This issue was discovered by Atharva Vartak (@0xAth4rv).

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa487-linux.patch           Linux

$ sha256sum xsa487*
fc7ccf9697203c14ced4364d70175b463b08a17a7559fd8654a12b623b54e5bb  xsa487-linux.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because the patch needs to be applied to the guest.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to
have oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmnwoQUMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZKRkH/A2DLI9IzMFrmuzksitp7G+MD/AWq3jJe93IAeU1
/QguHV7pQXFyhb1zWR/+DB4zt5tAcGIs75enob8njm3HZ/e5Ht6aSlYq+Rl5ZO6w
kK4aUljpRUxPTOg/PHPKn2sTkZccQxXGxmara5PwhZf0uXb0BBB33dhWbkxQoAR/
FzHSFNHvJKZct/fmmavE38R4AVel0GC3Ufi1jQ44l85xBWtmWN4+ioEno4tDqKkk
d9fmRfCoPta2zCL8DezC3y/LC7x8bbLeL1CMFchnVW+JjJOON22K2R/12dvBFUOF
If+HuBOHviA02fDW86H+sKTn/KnCI1jNjgUto9tCIkdyvSI=
=NY86
-----END PGP SIGNATURE-----
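As an added example, appended after the signed advisory and not part of XSA-487 or of the Xen Project's own tooling: a POSIX shell script that classifies a guest against the VULNERABLE SYSTEMS section (Linux PVH or HVM guest, kernel 3.8 or later; PV and non-Xen systems are out of scope) and checks the SHA-256 of xsa487-linux.patch against the value published under RESOLUTION before the patch is applied. It assumes the sysfs nodes /sys/hypervisor/type, /sys/hypervisor/guest_type and /sys/kernel/security/lockdown, which Linux exposes on Xen guests when the corresponding kernel options are enabled; the function names and the --live flag are this example's own.

```shell
#!/bin/sh
# Added example for XSA-487 (not Xen Project code). Classifies a Linux Xen
# guest against the advisory's VULNERABLE SYSTEMS section and verifies the
# published checksum of the patch. Assumed interfaces: /sys/hypervisor/type,
# /sys/hypervisor/guest_type ("PV", "HVM" or "PVH") and
# /sys/kernel/security/lockdown; all three depend on kernel configuration.

# SHA-256 of xsa487-linux.patch as published in the advisory's RESOLUTION section.
XSA487_PATCH_SHA256=fc7ccf9697203c14ced4364d70175b463b08a17a7559fd8654a12b623b54e5bb

# kernel_at_least WANT HAVE: succeed if kernel release HAVE is >= WANT on
# major.minor (distro suffixes such as "-1160.el7.x86_64" or "+" are ignored).
kernel_at_least() {
    want=$1
    have=${2%%-*}
    have=${have%%+*}
    case $want in *.*) ;; *) want="$want.0" ;; esac
    case $have in *.*) ;; *) have="$have.0" ;; esac
    wmaj=${want%%.*}; wrest=${want#*.}; wmin=${wrest%%.*}
    hmaj=${have%%.*}; hrest=${have#*.}; hmin=${hrest%%.*}
    [ "$hmaj" -gt "$wmaj" ] && return 0
    [ "$hmaj" -eq "$wmaj" ] && [ "$hmin" -ge "$wmin" ]
}

# xsa487_affected GUEST_TYPE KERNEL_RELEASE: succeed only for the class the
# advisory names: an HVM or PVH guest running kernel 3.8 or newer.
xsa487_affected() {
    case "$1" in
        HVM|PVH) ;;
        *) return 1 ;;   # PV guests and non-Xen systems are not affected
    esac
    kernel_at_least 3.8 "$2"
}

# sha256_of FILE: hex digest, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_patch FILE: succeed only if FILE matches the advisory's checksum.
verify_patch() {
    [ -r "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$XSA487_PATCH_SHA256" ]
}

# Report on the system this script runs on. A lockdown value of "[none]"
# means there is nothing for the double free to circumvent on this guest,
# although the kernel bug itself is still present.
report_live_system() {
    hv=$(cat /sys/hypervisor/type 2>/dev/null || echo none)
    if [ "$hv" != xen ]; then
        echo "not a Xen guest (hypervisor type: $hv); XSA-487 does not apply"
        return 0
    fi
    gt=$(cat /sys/hypervisor/guest_type 2>/dev/null || echo unknown)
    kr=$(uname -r)
    ld=$(cat /sys/kernel/security/lockdown 2>/dev/null || echo unavailable)
    if xsa487_affected "$gt" "$kr"; then
        echo "AFFECTED: $gt guest, kernel $kr, lockdown: $ld"
    else
        echo "not affected: $gt guest, kernel $kr"
    fi
    if [ -c /dev/xen/privcmd ]; then
        echo "privcmd device present: /dev/xen/privcmd"
    fi
}

# Usage: sh xsa487-check.sh --live           (classify this guest)
#        . ./xsa487-check.sh; verify_patch xsa487-linux.patch && patch -p1 < xsa487-linux.patch
if [ "${1:-}" = "--live" ]; then
    report_live_system
fi
```

The classification only tells you whether a guest is in the advisory's affected class; it does not say whether lockdown is enforced there, which is why the live report prints the lockdown state alongside the verdict. Run verify_patch on the downloaded file before applying it, since the advisory gives no mitigation other than the patch.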