Xen Hypervisor Domain Lock Fairness Vulnerability (CVE-2026-42489)
CVE-2026-42489 Published on June 18, 2026

domctl lock open to abuse
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.

NVD

Vulnerability Analysis

CVE-2026-42489 can be exploited with local system access, and requires user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
HIGH
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

Improper Locking

The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.


Products Associated with CVE-2026-42489

Want to know whenever a new CVE is published for Citrix Xen Xen? stack.watch will email you.

Citrix Xen Xen
 

Affected Versions

Xen Version consult Xen advisory XSA-492 is unknown by CVE-2026-42489