CVE-2026-23553

Published Jan 28, 2026

Last updated 3 months ago

CVSS low 2.9

Overview

Description
In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.
Source
security@xen.org
NVD status
Analyzed
Products
xen

Risk scores

CVSS 3.1

Type
Secondary
Base score
2.9
Impact score
1.4
Exploitability score
1.4
Vector string
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity
LOW

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-665

Social media

Hype score
Not currently trending

  1. ๐Ÿšจ Attention System Administrators & DevOps Teams! ๐Ÿšจ Mageia has released a critical security update, MGASA-2026-0026, patching two high-severity Xen hypervisor vulnerabilities (CVE-2025-58150 & CVE-2026-23553). Read more: ๐Ÿ‘‰ https://t.co/yZg1dIbOrU #Security https

    @Cezar_H_Linux

    30 Jan 2026

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. URGENT: #openSUSE Leap 15.6 users must patch Xen hypervisor vulnerabilities CVE-2025-58150 (buffer overrun) and CVE-2026-23553 (incomplete IBPB). Read more: ๐Ÿ‘‰ https://t.co/vGoK29zDFU #Security https://t.co/IgMwGkuP5z

    @Cezar_H_Linux

    28 Jan 2026

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 3 new Xen Security Advisories https://t.co/O4qDUqCDdd 477 CVE-2025-58150 x86: buffer overrun with shadow paging + tracing 478 CVE-2025-58151 varstored: TOCTOU issues with mapped guest memory 479 CVE-2026-23553 x86: incomplete IBPB for vCPU isolation

    @oss_security

    28 Jan 2026

    558 Impressions

    1 Retweet

    7 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2026-23553 x86: incomplete IBPB for vCPU isolation CVE-2025-58151 varstored: TOCTOU issues with mapped guest memory CVE-2025-58150 x86: buffer overrun with shadow paging + tracing Xen Security Advisories https://t.co/aGhjl6MOAL

    @autumn_good_35

    27 Jan 2026

    296 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations

Related CVEs

  1. The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables.โ€ขCVE-2026-23558
  2. Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() triggering. In case xenstored was built with NDEBUG #defined nothing bad will happen, as assert() is doing nothing in this case. Note that the default is not to define NDEBUG for xenstored builds even in release builds of Xen.โ€ขCVE-2026-23557
  3. Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored. In case xenstored is being built with NDEBUG #defined, an unprivileged guest trying to access the node path "/local/domain/" will result in it no longer being serviced by xenstored, other guests (including dom0) will still be serviced, but xenstored will use up all cpu time it can get.โ€ขCVE-2026-23555
  4. The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.โ€ขCVE-2026-23554
  5. Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.โ€ขCVE-2025-58150

References

Sources include official advisories and independent security research.