CVE-2026-23554
Received Received - Intake
Use-After-Free in Intel EPT Paging Causes Unauthorized Memory Access

Publication date: 2026-03-23

Last updated on: 2026-04-10

Assigner: Xen Project

Description
The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23554
EUVD
EUVD-2026-14382
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xen xen From 4.17 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-23554 is a use-after-free vulnerability in the Intel Extended Page Tables (EPT) paging code within the Xen hypervisor on x86 Intel systems with EPT support running HVM/PVH guests using Hardware Assisted Paging (HAP).'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because Xen defers flushing cached EPT state modifications until after releasing the p2m lock to optimize performance by batching multiple changes into a single flush. However, the freeing of paging structures is not deferred in the same way, causing freed pages to remain transiently present in the cached EPT state.'}, {'type': 'paragraph', 'content': "These stale cached entries can reference memory regions outside the guest's ownership, which allows unauthorized access to unintended memory areas."}] [1]

Impact Analysis

This vulnerability can lead to several serious impacts including privilege escalation, denial of service (DoS) affecting the entire host system, and information leaks.

Because freed paging structures may still be referenced in cached EPT state, an attacker could gain unauthorized access to memory regions they do not own, potentially compromising system security and stability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The only available mitigation for this vulnerability is to apply the provided patch that fixes the synchronization issue between freeing paging structures and flushing cached EPT state.

This patch is intended for stable branches of the Xen hypervisor and may require updating to the latest stable branch tip before application.

No other mitigations are available, so immediate patching is critical to prevent privilege escalation, denial of service, and information leaks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23554. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart