CVE Vulnerability Details :
CVE-2026-23553
PUBLISHED
Assigner: XEN
Assigner Org ID: 23aa2041-22e1-471f-9209-9b7396fa234f
Published At: 28 Jan, 2026 | 15:33
Updated At: 28 Jan, 2026 | 16:41
▼CVE Numbering Authority (CNA)
x86: incomplete IBPB for vCPU isolation

In the context switch logic, Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel from correctly isolating between tasks. Consider:

1) vCPU runs on CPU A, running task 1.
2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB.
3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.
4) vCPU moves back to CPU A. Xen skips IBPB again.

Now, task 2 is running on CPU A with task 1's training still in the BTB.
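
The four steps above replayed in a toy C model, as an added example that is not Xen code and not part of the advisory. The `struct pcpu` bookkeeping, the `skip_if_same_vcpu` switch and all function names are assumptions made for illustration; `stale_training()` returns a bitmask of the tasks whose BTB training is still present under the task now running.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model, not Xen code. Each physical CPU records which guest tasks
 * have trained its BTB (bitmask) and which vCPU ran on it last. */
struct pcpu { unsigned btb; int last_vcpu; };
enum { CPU_A, CPU_B, NR_CPUS, VCPU0 = 0, NO_VCPU = -1 };
static struct pcpu cpu[NR_CPUS];
static int cur_cpu, cur_task;

static void ibpb(int c)    { cpu[c].btb = 0; }                     /* flush predictor */
static void run_task(void) { cpu[cur_cpu].btb |= 1u << cur_task; } /* task trains BTB */

/* Hypervisor: place the vCPU on CPU c. The CPU it left goes idle, which
 * changes neither that CPU's BTB nor its last_vcpu record. */
static void hv_schedule(int c, bool skip_if_same_vcpu)
{
    if (!(skip_if_same_vcpu && cpu[c].last_vcpu == VCPU0))
        ibpb(c);
    cpu[c].last_vcpu = VCPU0;
    cur_cpu = c;
    run_task();
}

/* Guest kernel: task switch with IBPB, which only reaches the current CPU. */
static void guest_switch(int task)
{
    ibpb(cur_cpu);
    cur_task = task;
    run_task();
}

/* Replays steps 1-4; returns BTB training left by tasks other than the current one. */
unsigned stale_training(bool skip_if_same_vcpu)
{
    for (int c = 0; c < NR_CPUS; c++)
        cpu[c] = (struct pcpu){ 0, NO_VCPU };
    cur_task = 1;
    hv_schedule(CPU_A, skip_if_same_vcpu);  /* 1) task 1 runs on CPU A         */
    hv_schedule(CPU_B, skip_if_same_vcpu);  /* 2) vCPU moves to B, A goes idle */
    guest_switch(2);                        /* 3) guest IBPB on B, task 1 -> 2 */
    hv_schedule(CPU_A, skip_if_same_vcpu);  /* 4) vCPU returns to A            */
    return cpu[cur_cpu].btb & ~(1u << cur_task);
}

int main(void)
{
    printf("skip: 0x%x  always flush: 0x%x\n", stale_training(true), stale_training(false));
}
```

With the skip enabled the model reports task 1's bit (0x2) still set on CPU A; with an IBPB on every placement it reports 0.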

Affected Products
Vendor: Xen Project
Product: Xen
Default Status: unknown
Versions: unknown

  • consult Xen advisory XSA-479
Impacts
CAPEC ID: N/A
Description: Guest processes may leverage information leaks to obtain information intended to be private to other entities in a guest.
Configurations

Xen versions which had the XSA-254 fixes backported are vulnerable. Upstream, that is 4.6 and newer. Only x86 systems are vulnerable. Arm systems are not vulnerable. Systems vulnerable to SRSO (see XSA-434) with default settings use IBPB-on-entry to protect against SRSO. This is a rather more aggressive form of flushing than only on context switch, and is believed to be sufficient to avoid the vulnerability.

Workarounds

Using "spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv" on the Xen command line will activate the SRSO mitigation on non-SRSO-vulnerable hardware, but it is a large overhead.

Credits

Finder: This issue was discovered by David Kaplan of AMD.
References
  • https://xenbits.xenproject.org/xsa/advisory-479.html (Resource: N/A)
▼Authorized Data Publishers (ADP)
1. CVE Program Container
References
  • http://www.openwall.com/lists/oss-security/2026/01/27/3 (Resource: N/A)
  • http://xenbits.xen.org/xsa/advisory-479.html (Resource: N/A)
2. CISA ADP Vulnrichment
Problem Types
  • Type: CWE, CWE ID: CWE-665, Description: CWE-665 Improper Initialization
  • Type: CWE, CWE ID: CWE-693, Description: CWE-693 Protection Mechanism Failure
Metrics
Version: 3.1
Base score: 2.9
Base severity: LOW
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N