CVE-2026-42490
Received Received - Intake
Xen Domctl Operations Unfair Lock Acquisition and Permission Bypass

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Xen Project

Description
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these operations may not be executed in parallel, so a system-wide lock is used. The way that lock is acquired is, however, not providing any fairness. This is CVE-2026-42489. Furthermore, with XSM/Flask in use, the lock acquire will, for some operations, occur ahead of any permission checking. This is CVE-2026-42490.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-06-19
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-42490
EUVD
EUVD-2026-37890
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xen domctl *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability, identified as CVE-2026-42490, involves the way a system-wide lock is acquired during certain domctl operations used to create and manage guests in a Xen environment. When XSM/Flask security modules are in use, the lock acquisition happens before any permission checks are performed. This means that some operations can proceed to acquire the lock without first verifying if the operation is authorized.

Impact Analysis

The vulnerability can impact system security by allowing certain operations to acquire a system-wide lock before permission checks are done. This could potentially lead to unauthorized operations affecting system availability, as indicated by the CVSS score which notes a high impact on availability. However, there is no direct impact on confidentiality or integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42490. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart