CVE-2026-23554
Received Received - Intake
Use-After-Free in Intel EPT Paging Causes Unauthorized Memory Access

Publication date: 2026-03-23

Last updated on: 2026-04-10

Assigner: Xen Project

Description
The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-04-10
Generated
2026-05-27
AI Q&A
2026-03-23
EPSS Evaluated
2026-05-25
NVD
CVE-2026-23554
EUVD
EUVD-2026-14382
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xen xen From 4.17 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': 'CVE-2026-23554 is a use-after-free vulnerability in the Intel Extended Page Tables (EPT) paging code within the Xen hypervisor on x86 Intel systems with EPT support running HVM/PVH guests using Hardware Assisted Paging (HAP).'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because Xen defers flushing cached EPT state modifications until after releasing the p2m lock to optimize performance by batching multiple changes into a single flush. However, the freeing of paging structures is not deferred in the same way, causing freed pages to remain transiently present in the cached EPT state.'}, {'type': 'paragraph', 'content': "These stale cached entries can reference memory regions outside the guest's ownership, which allows unauthorized access to unintended memory areas."}] [1]


How can this vulnerability impact me? :

This vulnerability can lead to several serious impacts including privilege escalation, denial of service (DoS) affecting the entire host system, and information leaks.

Because freed paging structures may still be referenced in cached EPT state, an attacker could gain unauthorized access to memory regions they do not own, potentially compromising system security and stability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The only available mitigation for this vulnerability is to apply the provided patch that fixes the synchronization issue between freeing paging structures and flushing cached EPT state.

This patch is intended for stable branches of the Xen hypervisor and may require updating to the latest stable branch tip before application.

No other mitigations are available, so immediate patching is critical to prevent privilege escalation, denial of service, and information leaks.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart