Bug 2479868 (CVE-2026-23558)

Summary: CVE-2026-23558 xen: Xen: Privilege escalation or denial of service due to race condition in grant table version change
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All   
OS: Linux   
Doc Text:
A flaw was found in Xen. A race condition exists when a Hardware Virtual Machine (HVM) or Para-Virtualization Hybrid (PVH) guest changes its grant table version from v2 to v1 while simultaneously mapping status pages. This can lead to some status pages being freed while still mapped in the guest's secondary page tables, potentially allowing a malicious guest to achieve privilege escalation or cause a denial of service on the host.
Bug Depends On: 2483743    

Description OSIDB Bzimport 2026-05-19 14:03:18 UTC
The adjustments made for XSA-379 as well as those subsequently becoming
XSA-387 still left a race window, when a HVM or PVH guest does a grant
table version change from v2 to v1 in parallel with mapping the status
page(s) via XENMEM_add_to_physmap.  Some of the status pages may then be
freed while mappings of them would still be inserted into the guest's
secondary (P2M) page tables.