Citrix Xen Virtualization Software

By the Year

In 2026 there have been 10 vulnerabilities in Citrix Xen with an average score of 6.9 out of ten. Last year, in 2025 Citrix Xen had 9 security vulnerabilities published. That is, 1 more vulnerability have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 1.04

Recent Citrix Xen Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-42488	Jun 18, 2026	XEN Hypervisor vCPU Page-Table Switch Flaw Mapcache Corruption Some shadow paging errors paths will switch the page-tables without updating the currently running vCPU reference. This causes a mismatch between the loaded page-tables and the mapcache metadata which can lead to corruption of the mapcache.	Xen
CVE-2026-42490	Jun 18, 2026	Xen Hypervisor domctl Lock Pre-Check Vulnerability [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.	Xen
CVE-2026-42489	Jun 18, 2026	Xen Hypervisor Domain Lock Fairness Vulnerability (CVE-2026-42489) [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.	Xen
CVE-2026-42487	Jun 18, 2026	Xen Hypervisor I/O Port Access Race Condition HVM guest I/O port accesses are subject to either emulation or at least translation. Translations are managed by the device model (via XEN_DOMCTL_ioport_mapping), and hence the linked list used may changed at any time. Traversal of those lists (while handling guest I/O port accesses) therefore needs synchronizing with updates, which was missing so far.	Xen
CVE-2026-23558	May 19, 2026	Race Condition in Xen Hypervisor P2M Mapping (XSA-379/387) The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables.	Xen
CVE-2026-23557	May 19, 2026	XEN xenstored crash via XS_RESET_WATCHES Assert Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() triggering. In case xenstored was built with NDEBUG #defined nothing bad will happen, as assert() is doing nothing in this case. Note that the default is not to define NDEBUG for xenstored builds even in release builds of Xen.	Xen
CVE-2026-23555	Mar 23, 2026	Xenstored DoS via illegal /local/domain/ node path Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored. In case xenstored is being built with NDEBUG #defined, an unprivileged guest trying to access the node path "/local/domain/" will result in it no longer being serviced by xenstored, other guests (including dom0) will still be serviced, but xenstored will use up all cpu time it can get.	Xen
CVE-2026-23554	Mar 23, 2026	Intel EPT Paging Defer Flush Falter Enables Guest Memory Leak in XEN The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.	Xen
CVE-2026-23553	Jan 28, 2026	Xen Hypervisor Skipped IBPB During vCPU Context Switches In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.	Xen
CVE-2025-58150	Jan 28, 2026	Xen Hypervisor CVE-2025-58150: OOB Write to Per-CPU Var in Shadow Mode Tracing Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.	Xen