Xen Hypervisor I/O Port Access Race Condition
CVE-2026-42487 Published on June 18, 2026
x86 HVM I/O port list traversal
HVM guest I/O port accesses are subject to either emulation or at least
translation. Translations are managed by the device model (via
XEN_DOMCTL_ioport_mapping), and hence the linked list used may changed
at any time. Traversal of those lists (while handling guest I/O port
accesses) therefore needs synchronizing with updates, which was missing
so far.
Vulnerability Analysis
CVE-2026-42487 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
What is a Race Condition Vulnerability?
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
CVE-2026-42487 has been classified to as a Race Condition vulnerability or weakness.
Products Associated with CVE-2026-42487
Want to know whenever a new CVE is published for Citrix Xen Xen? stack.watch will email you.
