Description
In the context switch logic Xen attempts to skip an IBPB in the case of
a vCPU returning to a CPU on which it was the previous vCPU to run.
While safe for Xen's isolation between vCPUs, this prevents the guest
kernel correctly isolating between tasks. Consider:

1) vCPU runs on CPU A, running task 1.
2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB.
3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.
4) vCPU moves back to CPU A. Xen skips IBPB again.

Now, task 2 is running on CPU A with task 1's training still in the BTB.
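The four-step sequence above, replayed as an added Python model (not Xen's code): each physical CPU's BTB records which guest task last trained it, and simulate() reports whenever a task runs on top of another task's training. Host, context_switch, guest_runs and vcpu0 are constructed names for this illustration; the unconditional-IBPB run is shown only as the comparison case, not as Xen's actual fix.

```python
from dataclasses import dataclass, field

IDLE = "idle"  # Xen's idle vCPU; never issues an IBPB of its own


@dataclass
class Host:
    """Constructed model: each CPU's BTB remembers which guest task trained it."""
    # The advisory's heuristic: skip IBPB when the incoming vCPU was the
    # last non-idle vCPU to run on this CPU.
    skip_ibpb_for_returning_vcpu: bool
    btb: dict = field(default_factory=dict)        # cpu -> task that trained it
    last_vcpu: dict = field(default_factory=dict)  # cpu -> last non-idle vCPU
    hazards: list = field(default_factory=list)    # (cpu, running task, stale task)

    def context_switch(self, cpu, vcpu):
        """Hypervisor switches `vcpu` (or idle) in on `cpu`."""
        if vcpu == IDLE:
            return  # switching to idle flushes nothing
        if not (self.skip_ibpb_for_returning_vcpu
                and self.last_vcpu.get(cpu) == vcpu):
            self.btb[cpu] = None  # IBPB: discard all prior branch training
        self.last_vcpu[cpu] = vcpu

    def guest_runs(self, cpu, task, guest_ibpb=False):
        """Guest kernel inside the vCPU on `cpu` runs `task`, optionally after IBPB."""
        if guest_ibpb:
            self.btb[cpu] = None
        stale = self.btb.get(cpu)
        if stale not in (None, task):  # another task's training is still live
            self.hazards.append((cpu, task, stale))
        self.btb[cpu] = task


def simulate(skip_ibpb_for_returning_vcpu):
    """Replay steps 1-4 of the description; return the hazards observed."""
    h = Host(skip_ibpb_for_returning_vcpu)
    h.context_switch("A", "vcpu0")               # 1) vCPU runs on CPU A,
    h.guest_runs("A", "task1")                   #    running task 1
    h.context_switch("B", "vcpu0")               # 2) vCPU moves to CPU B,
    h.context_switch("A", IDLE)                  #    idle scheduled on A, IBPB skipped
    h.guest_runs("B", "task1")
    h.guest_runs("B", "task2", guest_ibpb=True)  # 3) guest task switch, with IBPB
    h.context_switch("A", "vcpu0")               # 4) vCPU returns to A; skipped again
    h.guest_runs("A", "task2")                   #    task 2 inherits task 1's training
    return h.hazards


print("heuristic :", simulate(True))   # [('A', 'task2', 'task1')]
print("always    :", simulate(False))  # []
```

The hazard tuple names the CPU, the task now running and the task whose training it inherited; the guest's own IBPB in step 3 cleans CPU B only, which is why it cannot help on CPU A.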
Published: 2026-01-28
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Speculative Execution Leakage
Action: Enable Spec-ctrl
AI Analysis

Impact

The vulnerability stems from Xen's context switch logic skipping an IBPB when a virtual CPU returns to a physical processor it previously occupied. This omission means the guest kernel cannot fully purge the Branch Target Buffer state between tasks on the same virtual CPU, creating a speculative execution leakage channel. Based on the description, it is inferred that a malicious process running in one user task could exploit leftover BTB state to read data generated by another task that previously ran on the same virtual CPU.

Affected Systems

All Xen hypervisors operating on Intel x86 architectures are affected, as the flaw resides in Xen's default IBPB handling. The advisory indicates that the workaround of specifying spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv on the Xen command line activates the SRSO mitigation on non-SRSO-vulnerable hardware, although this introduces significant performance overhead.

Risk and Exploitability

The CVSS score of 2.9 denotes moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog. The attack requires a guest with sufficient privileges to run multiple tasks on the same virtual CPU and to perform speculative execution reading, but no additional host privileges are needed. Consequently, the threat to confidentiality is measurable yet limited, with exploitation unlikely unless an attacker can orchestrate tasks within a compromised guest.

Generated by OpenCVE AI on April 18, 2026 at 14:41 UTC.

Remediation

Vendor Workaround

Using "spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv" on the Xen command line will activate the SRSO mitigation on non-SRSO-vulnerable hardware, but it is a large overhead.

OpenCVE Recommended Actions

  • Launch Xen with the spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv option to activate the IBPB mitigation, accepting the performance overhead it introduces.
  • If possible, pin each vCPU to a dedicated physical CPU or disable vCPU migration, so a vCPU does not return to a CPU that still holds an earlier task's BTB training.
  • Apply any Xen update that includes a patch for the IBPB skipping bug when it becomes available.
  • As a temporary measure, restrict untrusted guests from executing multiple concurrent tasks or isolate them in separate VMs to mitigate cross-task leakage.


Advisories

No advisories yet.

History

Mon, 09 Feb 2026 19:00:00 +0000
  Type: CPEs
  Values Added: cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*

Thu, 29 Jan 2026 10:15:00 +0000
  Type: First Time appeared
  Values Added: Xen; Xen xen
  Type: Vendors & Products
  Values Added: Xen; Xen xen

Wed, 28 Jan 2026 17:30:00 +0000


Wed, 28 Jan 2026 17:15:00 +0000
  Type: Weaknesses
  Values Added: CWE-665, CWE-693
  Type: Metrics
  Values Added:
    cvssV3_1: {'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 16:00:00 +0000
  Type: Description
  Values Added: (the description text shown in the Description section at the top of this page)
  Type: Title
  Values Added: x86: incomplete IBPB for vCPU isolation
References

MITRE

Status: PUBLISHED

Assigner: XEN

Published:

Updated: 2026-01-28T16:41:14.803Z

Reserved: 2026-01-14T13:07:36.961Z

Link: CVE-2026-23553

Vulnrichment

Updated: 2026-01-28T16:12:31.841Z

NVD

Status: Analyzed

Published: 2026-01-28T16:16:16.853

Modified: 2026-02-09T18:46:17.720

Link: CVE-2026-23553

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:45:03Z

Weaknesses