Description
The Intel EPT paging code uses an optimization to defer flushing of any cached
EPT state until the p2m lock is dropped, so that multiple modifications done
under the same locked region only issue a single flush.

Freeing of paging structures however is not deferred until the flushing is
done, and can result in freed pages transiently being present in cached state.
Such stale entries can point to memory ranges not owned by the guest, thus
allowing access to unintended memory regions.
Published: 2026-03-23
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Assess Impact
AI Analysis

Impact

The vulnerability arises because the Intel EPT paging code defers flushing of cached EPT entries until the p2m lock is released, while paging structures are freed immediately. This mismatch can leave freed pages still referenced from stale cached entries, and those stale entries may point to memory ranges that are no longer owned by the guest. A malicious guest can trigger this behavior to read or potentially write host memory outside its designated area, effectively a use-after-free that is classified as a time-of-check/time-of-use race (CWE-367).

Affected Systems

The flaw affects Xen hypervisor installations running on x86 hardware, as indicated by the associated CPE string. No specific Xen version numbers are provided in the CNA data, so all Xen deployments on x86 should be treated as potentially vulnerable until a vendor patch is released.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS metric of <1% suggests that the likelihood of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. Exploitation would most likely originate from code running inside a guest that frees paging structures while a flush is still deferred. Successful exploitation could compromise host confidentiality, integrity, or availability if the attacker can read or overwrite memory outside the guest.

Generated by OpenCVE AI on April 10, 2026 at 21:53 UTC.

Remediation

Vendor Workaround

There are no mitigations.


OpenCVE Recommended Actions

  • Monitor Xen logs for abnormal memory errors or crashes that could indicate use-after-free activity.
  • Restrict guest workloads to trusted, hardened images and avoid allowing arbitrary code execution within guests.
  • Keep the Xen hypervisor updated to the latest stable releases from the vendor once a patch for this vulnerability is published.
  • Enforce strict isolation and network segmentation between guests and the hypervisor to limit potential lateral movement.


Tracking


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 20:45:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*

Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Xen, Xen xen

Type: Vendors & Products
Values Removed: (none)
Values Added: Xen, Xen xen

Mon, 23 Mar 2026 15:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-367

Type: Metrics
Values Removed: (none)
Values Added:

cvssV3_1
{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 08:30:00 +0000


Mon, 23 Mar 2026 07:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.

Type: Title
Values Removed: (none)
Values Added: Use after free of paging structures in EPT
References

MITRE

Status: PUBLISHED

Assigner: XEN

Published:

Updated: 2026-03-23T14:19:27.752Z

Reserved: 2026-01-14T13:07:36.961Z

Link: CVE-2026-23554

Vulnrichment

Updated: 2026-03-23T07:32:25.539Z

NVD

Status : Analyzed

Published: 2026-03-23T07:16:07.200

Modified: 2026-04-10T20:40:33.287

Link: CVE-2026-23554

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:28:22Z

Weaknesses