{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23554", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "state": "PUBLISHED", "assignerShortName": "XEN", "dateReserved": "2026-01-14T13:07:36.961Z", "datePublished": "2026-03-23T06:56:52.344Z", "dateUpdated": "2026-03-23T07:32:25.539Z"}, "containers": {"cna": {"title": "Use after free of paging structures in EPT", "datePublic": "2026-03-17T12:00:00.000Z", "descriptions": [{"lang": "en", "value": "The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks."}]}], "affected": [{"defaultStatus": "unknown", "product": "Xen", "vendor": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-480"}]}], "configurations": [{"lang": "en", "value": "Xen 4.17 and onwards are vulnerable. Xen 4.16 and older are not vulnerable.\n\nOnly x86 Intel systems with EPT support are vulnerable.\n\nOnly x86 HVM/PVH guests using HAP can leverage the vulnerability on affected\nsystems."}], "workarounds": [{"lang": "en", "value": "There are no mitigations."}], "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Roger Pau Monn\u00e9 of XenServer."}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-480.html"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2026-03-23T06:56:52.344Z"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/17/6"}, {"url": "http://xenbits.xen.org/xsa/advisory-480.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-23T07:32:25.539Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions."}], "id": "CVE-2026-23554", "lastModified": "2026-03-23T08:16:16.350", "metrics": {}, "published": "2026-03-23T07:16:07.200", "references": [{"source": "security@xen.org", "url": "https://xenbits.xenproject.org/xsa/advisory-480.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/17/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://xenbits.xen.org/xsa/advisory-480.html"}], "sourceIdentifier": "security@xen.org", "vulnStatus": "Received"}

{}

{}