Vulnerability Details :

CVE-2026-23553

Summary
Assigner: XEN
Assigner Org ID: 23aa2041-22e1-471f-9209-9b7396fa234f
Published At: 28 Jan, 2026 | 15:33
Updated At: 28 Jan, 2026 | 16:41

x86: incomplete IBPB for vCPU isolation

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider:

1) vCPU runs on CPU A, running task 1.
2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB.
3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.
4) vCPU moves back to CPU A. Xen skips IBPB again.

Now, task 2 is running on CPU A with task 1's training still in the BTB.

▼Common Vulnerabilities and Exposures (CVE)
cve.org
▼CVE Numbering Authority (CNA)
Affected Products
Vendor: Xen Project
Product: Xen
Default Status: unknown
Versions: unknown (consult Xen advisory XSA-479)
Impacts
CAPEC ID: N/A
Description: Guest processes may leverage information leaks to obtain information intended to be private to other entities in a guest.
Configurations

Xen versions which had the XSA-254 fixes backported are vulnerable. Upstream, that is 4.6 and newer. Only x86 systems are vulnerable. Arm systems are not vulnerable. Systems vulnerable to SRSO (see XSA-434) with default settings use IBPB-on-entry to protect against SRSO. This is a rather more aggressive form of flushing than only on context switch, and is believed to be sufficient to avoid the vulnerability.

Workarounds

Using "spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv" on the Xen command line will activate the SRSO mitigation on non-SRSO-vulnerable hardware, but it is a large overhead.

Credits

finder
This issue was discovered by David Kaplan of AMD.
References
Hyperlink: https://xenbits.xenproject.org/xsa/advisory-479.html
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
References
Hyperlink: http://www.openwall.com/lists/oss-security/2026/01/27/3
Resource: N/A
Hyperlink: http://xenbits.xen.org/xsa/advisory-479.html
Resource: N/A
2. CISA ADP Vulnrichment
Problem Types
Type: CWE
CWE ID: CWE-665
Description: CWE-665 Improper Initialization
Type: CWE
CWE ID: CWE-693
Description: CWE-693 Protection Mechanism Failure
Metrics
Version: 3.1
Base score: 2.9
Base severity: LOW
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source: security@xen.org
Published At: 28 Jan, 2026 | 16:16
Updated At: 09 Feb, 2026 | 18:46

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 3.1
Base score: 2.9
Base severity: LOW
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches

Xen Project xen: versions from 4.6.0 (inclusive)
cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*
Weaknesses
CWE ID: CWE-665
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-693
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
References
Hyperlink: https://xenbits.xenproject.org/xsa/advisory-479.html
Source: security@xen.org
Resource: Mitigation, Patch, Vendor Advisory

Hyperlink: http://www.openwall.com/lists/oss-security/2026/01/27/3
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: Mailing List, Mitigation, Patch, Third Party Advisory

Hyperlink: http://xenbits.xen.org/xsa/advisory-479.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: Mitigation, Patch, Vendor Advisory


Similar CVEs

2 records found

CVE-2024-31142
Matching Score: 6
Assigner: Xen Project
CVSS Score: 7.5 (HIGH)
EPSS: 3.12% / 86.52%
7 Day CHG: ~0.00%
Published: 16 May, 2024 | 13:39
Updated: 05 Jan, 2026 | 19:00
x86: Incorrect logic for BTC/SRSO mitigations

Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html

Action: Not Available
Vendor: Fedora Project, Xen Project
Product: fedora, xen, Xen
CWE ID: CWE-693 (Protection Mechanism Failure)

CVE-2018-14678
Matching Score: 6
Assigner: MITRE Corporation
CVSS Score: 7.8 (HIGH)
EPSS: 0.09% / 24.84%
7 Day CHG: ~0.00%
Published: 28 Jul, 2018 | 18:00
Updated: 05 Aug, 2024 | 09:38

An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges.

Action: Not Available
Vendor: n/a, Xen Project, Linux Kernel Organization, Inc, Debian GNU/Linux, Canonical Ltd.
Product: ubuntu_linux, xen, debian_linux, linux_kernel, n/a
CWE ID: CWE-665 (Improper Initialization)