Intel EPT Paging Defer Flush Falter Enables Guest Memory Leak in XEN
CVE-2026-23554 Published on March 23, 2026
Use after free of paging structures in EPT
The Intel EPT paging code uses an optimization to defer flushing of any cached
EPT state until the p2m lock is dropped, so that multiple modifications done
under the same locked region only issue a single flush.
Freeing of paging structures however is not deferred until the flushing is
done, and can result in freed pages transiently being present in cached state.
Such stale entries can point to memory ranges not owned by the guest, thus
allowing access to unintended memory regions.
Vulnerability Analysis
CVE-2026-23554 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a TOCTTOU Vulnerability?
The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state. This weakness can be security-relevant when an attacker can influence the state of the resource between check and use. This can happen with shared resources such as files, memory, or even variables in multithreaded programs.
CVE-2026-23554 has been classified to as a TOCTTOU vulnerability or weakness.
Products Associated with CVE-2026-23554
Want to know whenever a new CVE is published for Citrix Xen Xen? stack.watch will email you.
Affected Versions
Xen Version consult Xen advisory XSA-480 is unknown by CVE-2026-23554Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.