CVE-2026-42489
Received Received - Intake
Xen Domctl Operations Lock Acquisition Unfairness and Permission Bypass

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Xen Project

Description
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-06-19
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-42489
EUVD
EUVD-2026-37889
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xen xen From 3.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42489 is a vulnerability in Xen versions from 3.3 onwards involving the system-wide lock used for domctl operations, which are used to create and manage guests. The lock acquisition mechanism does not provide fairness, meaning that a less privileged entity can stall an equally or more privileged entity.

This unfair locking can cause delays or prevent certain operations from proceeding, potentially leading to a Denial of Service (DoS) affecting the entire host system.

Impact Analysis

The vulnerability can allow a less privileged user or domain to stall operations of more privileged users or domains by exploiting the unfair lock acquisition. This can result in a Denial of Service (DoS) condition that affects the entire host system, potentially disrupting services and availability.

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on a network or system.

Mitigation Strategies

The vulnerability in Xen versions from 3.3 onwards is addressed by applying specific patches provided in the advisory.

No known mitigation exists other than applying these patches.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-42489 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42489. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart