Description
The Intel EPT paging code uses an optimization to defer flushing of any cached
EPT state until the p2m lock is dropped, so that multiple modifications done
under the same locked region only issue a single flush.

Freeing of paging structures however is not deferred until the flushing is
done, and can result in freed pages transiently being present in cached state.
Such stale entries can point to memory ranges not owned by the guest, thus
allowing access to unintended memory regions.
Published: 2026-03-23
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via unintended memory access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is in the Intel EPT paging code of the Xen hypervisor. Modifications made under the p2m lock are batched, and the flush of cached EPT state (the processor's cached translations and paging-structure entries) is deferred until the lock is dropped, so that one flush covers all of them. Pages holding paging structures are freed immediately rather than after that flush, so for a short window a CPU can still hold cached state that refers to a page already returned to the allocator. If the page is reused and rewritten during that window, translations through the stale cached entries can reach machine memory the guest does not own, which on a shared host means hypervisor memory or memory belonging to other guests. NVD records the weakness as CWE-367 (time-of-check/time-of-use race), and the CVSS vector (scope changed, C:H/I:H/A:H) reflects a full loss of confidentiality, integrity and availability across the guest boundary.
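The race described above, as an added illustration that is not Xen code (the pool, p2m, cpu_cache and every function name are hypothetical): a pool of page-table pages, a per-CPU cache of the last paging structure walked, and a p2m whose unlock performs the deferred flush. In the vulnerable variant the freed page is immediately reusable, so a second domain can obtain it and fill it before the flush runs, and the first domain's vCPU, still translating through its cached paging structure, reads the second domain's frame. In the fixed variant the page is queued and released only after the flush, so stale cached state can only ever reach the first domain's own old mapping.

```c
/* Simplified model of the deferred-flush race.  Added example, not Xen
 * code: all structures and names here are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_PT_PAGES 4      /* size of the page-table page pool */
#define PT_ENTRIES  4      /* entries per (tiny) paging structure */
#define FREE_OWNER  0
#define DOM_A       1
#define DOM_B       2

/* A page that holds a paging structure; each entry names a machine frame. */
struct pt_page {
    int      owner;                /* owning domain, FREE_OWNER when free */
    uint64_t entry[PT_ENTRIES];
};

/* Per-CPU cached paging-structure state, kept until flushed. */
struct cpu_cache {
    bool valid;
    int  cached_pt;                /* index into pool[] */
};

struct p2m {
    int  root_pt;                  /* current paging structure, -1 if none */
    bool flush_pending;            /* flush deferred until the lock is dropped */
    int  deferred_free[NR_PT_PAGES];
    int  nr_deferred;
};

static struct pt_page pool[NR_PT_PAGES];

static int alloc_pt_page(int owner)
{
    for (int i = 0; i < NR_PT_PAGES; i++) {
        if (pool[i].owner == FREE_OWNER) {
            pool[i].owner = owner;
            memset(pool[i].entry, 0, sizeof(pool[i].entry));
            return i;
        }
    }
    return -1;
}

static void free_pt_page(int idx) { pool[idx].owner = FREE_OWNER; }

/* Translate through the cached paging structure while it is still cached. */
static uint64_t translate(const struct cpu_cache *c, const struct p2m *p2m, int slot)
{
    int pt = c->valid ? c->cached_pt : p2m->root_pt;
    return pt < 0 ? 0 : pool[pt].entry[slot];
}

/* Unmap the root paging structure with the p2m lock held.  Vulnerable
 * variant: free the page now, before the deferred flush.  Fixed variant:
 * queue it and release it in p2m_unlock() after the flush. */
static void p2m_remove_root(struct p2m *p2m, bool defer_free)
{
    int pt = p2m->root_pt;
    p2m->root_pt = -1;
    p2m->flush_pending = true;
    if (defer_free)
        p2m->deferred_free[p2m->nr_deferred++] = pt;
    else
        free_pt_page(pt);
}

static void p2m_unlock(struct p2m *p2m, struct cpu_cache *c)
{
    if (p2m->flush_pending) {
        c->valid = false;          /* flush cached paging structures */
        p2m->flush_pending = false;
    }
    while (p2m->nr_deferred > 0)   /* only now is freeing safe */
        free_pt_page(p2m->deferred_free[--p2m->nr_deferred]);
}

/* Machine frame domain A's vCPU reaches through its cache inside the
 * locked region, i.e. between the unmap and the deferred flush. */
uint64_t race_window_observed_mfn(bool defer_free)
{
    memset(pool, 0, sizeof(pool));
    struct p2m a = { .root_pt = -1 };
    struct cpu_cache cpu = { 0 };

    a.root_pt = alloc_pt_page(DOM_A);
    pool[a.root_pt].entry[0] = 0x1000;      /* a frame A owns */
    cpu.valid = true;                       /* A's vCPU walked and cached it */
    cpu.cached_pt = a.root_pt;

    /* p2m_lock(&a) ... */
    p2m_remove_root(&a, defer_free);

    /* Domain B allocates a paging structure; in the vulnerable variant it
     * receives A's just-freed page and writes its own frame into it. */
    int b_pt = alloc_pt_page(DOM_B);
    pool[b_pt].entry[0] = 0x2000;           /* a frame owned by B, not A */

    uint64_t mfn = translate(&cpu, &a, 0);  /* A still uses cached state */
    p2m_unlock(&a, &cpu);                   /* flush, then deferred frees */
    return mfn;
}

int main(void)
{
    printf("immediate free: A reaches mfn 0x%llx\n",
           (unsigned long long)race_window_observed_mfn(false));
    printf("deferred free:  A reaches mfn 0x%llx\n",
           (unsigned long long)race_window_observed_mfn(true));
    return 0;
}
```

The model collapses the multi-level EPT walk into a single cached page index; on real hardware the cached state is the TLB and paging-structure caches, and the reuse of the freed page can come from any allocation on the host, not just another guest's page tables. The property the fix restores is the same either way: nothing a CPU may still have cached is returned to the allocator before the flush.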

Affected Systems

The affected product is the Xen hypervisor. The NVD CPE (cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*) covers all Xen versions on x86, and the page gives no narrower version range. The code path is the Intel EPT implementation of hardware-assisted paging, so it is exercised only on Intel hosts running HVM or PVH guests with HAP enabled; AMD hosts use NPT rather than EPT. Administrators should check the running Xen version (for example with `xl info`) against Xenbits XSA advisory 480 for the list of affected and fixed releases.

Risk and Exploitability

The CVSS score of 7.8 denotes high severity, while the EPSS score below 1% and the SSVC entries (Exploitation: none, Automatable: no) indicate no known exploitation at present. The vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H spells out the threat model: the attacker needs local code execution inside a guest (AV:L, PR:L), must win a narrow race between the free and the deferred flush (AC:H), and on success crosses the guest boundary (S:C) with total technical impact. The flaw is not in the KEV catalog. Until the host is patched, an attacker with guest access could use the stale cached paging structures to read or write memory outside the guest, which makes this a critical issue for multi-tenant Xen deployments on Intel hardware.

Generated by OpenCVE AI on March 23, 2026 at 16:22 UTC.

Remediation

Vendor Workaround

There are no mitigations.


OpenCVE Recommended Actions

  • Check the running Xen version (for example with `xl info`) against Xenbits XSA advisory 480 for the patched releases and the fix patches.
  • Apply the EPT paging fix as soon as it is available, either by updating to a fixed release or by backporting the XSA-480 patches. The fix is in the hypervisor, so guest updates do not help, and a hypervisor update needs a host reboot unless live patching is used.
  • Until the host is patched, the advisory offers no mitigation: keep untrusted or less-trusted guest workloads off affected Intel hosts, since the attacker needs only local code execution inside a guest.
  • Running guests with shadow paging instead of hardware-assisted paging (`hap=0` in the guest configuration) avoids the EPT code path, but the advisory does not list this as a mitigation: it costs performance, is not supported for every guest type or feature, and should be tested before being relied on.


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 20:45:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*

Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Xen, Xen xen

Type: Vendors & Products
Values removed: (none)
Values added: Xen, Xen xen

Mon, 23 Mar 2026 15:15:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-367

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 08:30:00 +0000


Mon, 23 Mar 2026 07:15:00 +0000

Type: Description
Values removed: (none)
Values added: The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.

Type: Title
Values removed: (none)
Values added: Use after free of paging structures in EPT
References

MITRE

Status: PUBLISHED

Assigner: XEN

Published:

Updated: 2026-03-23T14:19:27.752Z

Reserved: 2026-01-14T13:07:36.961Z

Link: CVE-2026-23554

Vulnrichment

Updated: 2026-03-23T07:32:25.539Z

NVD

Status : Analyzed

Published: 2026-03-23T07:16:07.200

Modified: 2026-04-10T20:40:33.287

Link: CVE-2026-23554

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:49:34Z

Weaknesses