Description
HVM guest I/O port accesses are subject to either emulation or at least
translation. Translations are managed by the device model (via
XEN_DOMCTL_ioport_mapping), and hence the linked list used may change
at any time. Traversal of those lists (while handling guest I/O port
accesses) therefore needs synchronizing with updates, which was missing
so far.
Published: 2026-06-18
Score: 7.9 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from missing synchronization while traversing the linked list used for HVM guest I/O port translations in the Xen hypervisor. When a guest performs port accesses, the list may be concurrently updated, creating a race condition that can result in the hypervisor following stale or invalid pointers. This flaw may allow a malicious HVM guest to cause host crashes, recover sensitive memory contents, or otherwise degrade system integrity. The weakness is identified as CWE-362, a classic race condition.
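The synchronization requirement described above, as an added C example that is not Xen's code and not the project's patch: a guest-to-machine port translation list where the update paths and the traversal take the same lock. The structure names, function names and the choice of a simple spinlock are assumptions made for illustration; the page does not say which primitive the actual fix uses.

```c
/* Added illustration, not Xen source; every identifier here is hypothetical. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

struct port_map { uint16_t gport, mport, count; struct port_map *next; };
struct domain_io { atomic_flag lock; struct port_map *head; }; /* lock guards the list */

void io_init(struct domain_io *d) { atomic_flag_clear(&d->lock); d->head = NULL; }
static void io_lock(struct domain_io *d) {
    while (atomic_flag_test_and_set_explicit(&d->lock, memory_order_acquire)) { /* spin */ }
}
static void io_unlock(struct domain_io *d) {
    atomic_flag_clear_explicit(&d->lock, memory_order_release);
}

/* Update path (device-model request): link the new range in under the lock. */
int map_add(struct domain_io *d, uint16_t gport, uint16_t mport, uint16_t count) {
    struct port_map *m = malloc(sizeof(*m));
    if (!m) return -1;
    m->gport = gport; m->mport = mport; m->count = count;
    io_lock(d); m->next = d->head; d->head = m; io_unlock(d);
    return 0;
}

/* Update path: unlink under the lock, free once no traversal can reach the node. */
int map_remove(struct domain_io *d, uint16_t gport) {
    struct port_map **pp, *victim = NULL;
    io_lock(d);
    for (pp = &d->head; *pp; pp = &(*pp)->next)
        if ((*pp)->gport == gport) { victim = *pp; *pp = victim->next; break; }
    io_unlock(d);
    int rc = victim ? 0 : -1;
    free(victim);
    return rc;
}

/* Access path (guest port access): walk the list under the same lock and return
 * the translated port by value, so no node pointer is used after the unlock.
 * Returns the machine port, or -1 when no range covers gport. */
int translate(struct domain_io *d, uint16_t gport) {
    int rc = -1;
    io_lock(d);
    for (struct port_map *m = d->head; m; m = m->next)
        if (gport >= m->gport && gport - m->gport < m->count) {
            rc = (uint16_t)(m->mport + (gport - m->gport));
            break;
        }
    io_unlock(d);
    return rc;
}
```

Without the lock in `translate`, a concurrent `map_remove` could free a node while the traversal still holds a pointer to it, which is the stale-pointer condition the paragraph describes.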

Affected Systems

All Xen hypervisor installations that support x86 HVM guests are potentially affected. No explicit product version is listed, so any Xen build that implements the XEN_DOMCTL_ioport_mapping mechanism for I/O port translation is at risk.

Risk and Exploitability

The CVSS score of 7.9 places this flaw in the high severity category. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector requires a malicious HVM guest to orchestrate concurrent port accesses and list updates; the description implies that such a race can be triggered by carefully timed I/O operations. While the exploit conditions are not trivial, the potential impact on confidentiality, integrity, and availability makes the risk significant for environments running unmodified Xen hypervisors.

Generated by OpenCVE AI on June 18, 2026 at 18:30 UTC.

Remediation

Vendor Workaround

Running only PV or PVH guests will avoid the vulnerability. (Switching from a device model stub domain or a de-privileged device model to a fully privileged Dom0 device model does NOT mitigate this vulnerability. Rather, it simply recategorises the vulnerability to hostile management code, regarding it "as designed"; thus it merely reclassifies these issues as "not a bug". The security of a Xen system using stub domains is still better than with a qemu-dm running as a Dom0 process. Users and vendors of stub qemu dm systems should not change their configuration to use a Dom0 qemu process.)


OpenCVE Recommended Actions

  • Run only PV or PVH guests to avoid the vulnerability
  • Check for and install any Xen hypervisor patch that addresses the missing synchronization
  • Avoid using a qemu-dm process as a Dom0 process; prefer stub domains if available

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description HVM guest I/O port accesses are subject to either emulation or at least translation. Translations are managed by the device model (via XEN_DOMCTL_ioport_mapping), and hence the linked list used may change at any time. Traversal of those lists (while handling guest I/O port accesses) therefore needs synchronizing with updates, which was missing so far.
Title x86 HVM I/O port list traversal
Weaknesses CWE-362
References
Metrics cvssV3_1

{'score': 7.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: XEN

Published:

Updated: 2026-06-18T15:07:31.335Z

Reserved: 2026-04-27T14:20:24.138Z

Link: CVE-2026-42487

Vulnrichment

Updated: 2026-06-18T15:07:31.335Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:45:03Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')