Citrix Xen Virtualization Software
By the Year
In 2026 there have been 6 vulnerabilities in Citrix Xen, with an average score of 6.8 out of ten. Last year, in 2025, Citrix Xen had 9 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Citrix Xen in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 1.09.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 6 | 6.82 |
| 2025 | 9 | 7.91 |
| 2024 | 19 | 5.72 |
| 2023 | 14 | 6.75 |
| 2022 | 57 | 6.53 |
| 2021 | 27 | 6.96 |
| 2020 | 44 | 6.56 |
| 2019 | 25 | 0.00 |
| 2018 | 27 | 7.72 |
It may take a day or so for new Citrix Xen vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Citrix Xen Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-23558 | May 19, 2026 | Race Condition in Xen Hypervisor P2M Mapping (XSA-379/387). The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables. | |
| CVE-2026-23557 | May 19, 2026 | XEN xenstored crash via XS_RESET_WATCHES Assert. Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() triggering. In case xenstored was built with NDEBUG #defined nothing bad will happen, as assert() is doing nothing in this case. Note that the default is not to define NDEBUG for xenstored builds even in release builds of Xen. | |
| CVE-2026-23555 | Mar 23, 2026 | Xenstored DoS via illegal /local/domain/ node path. Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored. In case xenstored is being built with NDEBUG #defined, an unprivileged guest trying to access the node path "/local/domain/" will result in it no longer being serviced by xenstored, other guests (including dom0) will still be serviced, but xenstored will use up all cpu time it can get. | |
| CVE-2026-23554 | Mar 23, 2026 | Intel EPT Paging Defer Flush Falter Enables Guest Memory Leak in XEN. The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions. | |
| CVE-2026-23553 | Jan 28, 2026 | Xen Hypervisor Skipped IBPB During vCPU Context Switches. In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB. | |
| CVE-2025-58150 | Jan 28, 2026 | Xen Hypervisor CVE-2025-58150: OOB Write to Per-CPU Var in Shadow Mode Tracing. Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing. | |
| CVE-2025-58149 | Oct 31, 2025 | Xen libxl PCI 64bit BAR Permission Leak on Detach. When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access to any 64bit memory BAR when such a device is no longer assigned to the domain. For PV domains the permission leak allows the domain itself to map the memory in the page-tables. For HVM it would require a compromised device model or stubdomain to map the leaked memory into the HVM domain p2m. | |
| CVE-2025-58147 | Oct 31, 2025 | Xen Hypervisor OOB Error in HV_VP_SET Sparse Hypercall. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. * CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer. | |
| CVE-2025-58148 | Oct 31, 2025 | Xen Hypervisor OOB read/write via vCPU mask hypercalls. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. * CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer. | |
| CVE-2025-58145 | Sep 11, 2025 | Xen Hypervisor: P2M Lock Race Allows Domain Boundary Violation (CVE-2025-58145). [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. This is CVE-2025-58145. | |