Description
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]

To create and manage guests, domctl operations are used by the control
domain, a possible Xenstore domain, or by a domain controlling a
particular guest. Some of these operations may not be executed in
parallel, so a system-wide lock is used. The way that lock is acquired
is, however, not providing any fairness. This is CVE-2026-42489.

Furthermore, with XSM/Flask in use, the lock acquire will, for some
operations, occur ahead of any permission checking. This is
CVE-2026-42490.
Published: 2026-06-18
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Domctl operations in Xen use a system-wide lock to serialize sensitive actions such as creating or destroying guests. The way this lock is acquired does not enforce fairness, allowing a single domain to repeatedly acquire and hold the lock. An attacker controlling such a domain can monopolise the lock, starving other domains and the control domain itself of critical operations, effectively causing a denial of service.

Affected Systems

The vulnerability affects the Xen hypervisor product across all versions where the described locking mechanism is present. No specific version ranges are listed in the advisory, so any deployment of Xen with domctl operations may be impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity; EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is local to the hypervisor (AV:L in the CVSS vector); a malicious domain or administrator with control over domctl can abuse the lock. Because no patch or workaround exists, the primary mitigation is to tightly restrict which domains and administrators can issue domctl operations and to monitor for updates until a fix is released.

Generated by OpenCVE AI on June 18, 2026 at 18:30 UTC.

Remediation

Vendor Workaround

There is no known mitigation.


OpenCVE Recommended Actions

  • Apply any Xen hypervisor patch or update once available that addresses the lock fairness issue.
  • Monitor Xen project advisories and security mailing lists for new patches or mitigations, and verify deployment of updates promptly.
  • Restrict access to domctl operations to a minimal set of privileged domains or administrators, reducing the opportunity for abuse.
  • If using XSM/Flask, ensure that permission checks are performed before performing domctl operations where possible, or consider disabling or limiting operations that acquire locks prior to permission checks.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Values added (no values removed):

  • Description: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.
  • Title: domctl lock open to abuse
  • Weaknesses: CWE-667
  • References
  • Metrics:
      cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: XEN

Published:

Updated: 2026-06-18T15:04:32.591Z

Reserved: 2026-04-27T14:20:24.139Z

Link: CVE-2026-42489

Vulnrichment

Updated: 2026-06-18T15:04:23.189Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:30:15Z

Weaknesses