CVE-2026-23554

{"id": "CVE-2026-23554", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.1}]}, "published": "2026-03-23T07:16:07.200", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-480.html", "tags": ["Patch", "Vendor Advisory"], "source": "security@xen.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/17/6", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://xenbits.xen.org/xsa/advisory-480.html", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions."}, {"lang": "es", "value": "El c\u00f3digo de paginaci\u00f3n EPT de Intel utiliza una optimizaci\u00f3n para aplazar el vaciado de cualquier estado EPT en cach\u00e9 hasta que se libere el bloqueo p2m, de modo que m\u00faltiples modificaciones realizadas bajo la misma regi\u00f3n bloqueada solo emitan un \u00fanico vaciado.\n\nLa liberaci\u00f3n de estructuras de paginaci\u00f3n, sin embargo, no se aplaza hasta que se complete el vaciado, y puede resultar en que las p\u00e1ginas liberadas est\u00e9n transitoriamente presentes en estado de cach\u00e9. Dichas entradas obsoletas pueden apuntar a rangos de memoria no pose\u00eddos por el invitado, permitiendo as\u00ed el acceso a regiones de memoria no intencionadas."}], "lastModified": "2026-04-10T20:40:33.287", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*", "vulnerable": true, "matchCriteriaId": "1B149544-81AE-4439-B77E-F4C973187511", "versionStartIncluding": "4.17"}], "operator": "OR"}]}], "sourceIdentifier": "security@xen.org"}