CVE-2026-23553
Unknown Unknown - Not Provided
Branch Target Buffer Side-Channel in Xen vCPU Context Switch Logic

Publication date: 2026-01-28

Last updated on: 2026-02-09

Assigner: Xen Project

Description
In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-28
Last Modified
2026-02-09
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23553
EUVD
EUVD-2026-4882
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xen xen From 4.6.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
CWE-665 The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in Xen's context switch logic where Xen attempts to skip an Indirect Branch Prediction Barrier (IBPB) when a virtual CPU (vCPU) returns to a physical CPU on which it was the previous vCPU to run. While this skipping is safe for isolation between vCPUs, it prevents the guest kernel from correctly isolating between different tasks. As a result, the Branch Target Buffer (BTB) may retain training from a previous task, potentially allowing information leakage between tasks.

Impact Analysis

The vulnerability can lead to improper isolation between tasks running on the same CPU core, where the Branch Target Buffer (BTB) retains information from a previous task. This could potentially allow a task to infer or leak information about a previously running task, leading to a low-severity information disclosure risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23553. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart