Description
[This CNA information record relates to multiple CVEs; the
text explains which aspects/vulnerabilities correspond to which CVE.]

To create and manage guests, domctl operations are used by the control
domain, a possible Xenstore domain, or by a domain controlling a
particular guest. Some of these operations may not be executed in
parallel, so a system-wide lock is used. The way that lock is acquired
is, however, not providing any fairness. This is CVE-2026-42489.

Furthermore, with XSM/Flask in use, the lock acquire will, for some
operations, occur ahead of any permission checking. This is
CVE-2026-42490.

Published: 2026-06-18
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a

AI Analysis

Impact

The vulnerability lies in the domctl operation lock mechanism used by the Xen hypervisor to coordinate guest creation and management. Because the lock acquisition does not enforce fairness and, when XSM/Flask is enabled, the lock is taken before permission checks for certain operations, an attacker with control of the control domain or a domain with access to domctl can acquire the lock ahead of the security policy. This allows the attacker to perform privileged operations—such as starting, stopping, or modifying other guests—without proper authorization, effectively escalating privileges and potentially causing disruption.

Affected Systems

Xen hypervisor hosts that run domctl operations, particularly those enabled for XSM/Flask security monitoring. The issue is relevant to any Xen installation where the hypervisor’s domctl lock is used without fairness, including standard Xen configurations that manage virtual machines.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity risk. The EPSS score is not available, so the current predicted exploitation probability is unknown. The vulnerability is not listed in CISA’s KEV catalog. An attacker would need local or privileged access to the control domain and to execute domctl commands; with XSM/Flask enabled, the lack of fairness in lock acquisition can allow the attacker to preempt permission checks and gain unauthorized control over guest VMs.

Generated by OpenCVE AI on June 18, 2026 at 18:29 UTC.

Remediation

Vendor Workaround

There is no known mitigation.


OpenCVE Recommended Actions

  • Install the latest Xen hypervisor update that addresses CVE-2026-42490
  • Verify that XSM/Flask permission checks are enabled and that the lock acquisition order is correct for domctl operations
  • Monitor system logs for unauthorized domctl activity and configure alerts for unexpected guest management changes

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.
Title | | domctl lock open to abuse
Weaknesses | | CWE-667
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: XEN

Published:

Updated: 2026-06-18T15:04:50.692Z

Reserved: 2026-04-27T14:20:24.139Z

Link: CVE-2026-42490

Vulnrichment

Updated: 2026-06-18T15:04:10.498Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:30:15Z

Weaknesses