xen/privcmd: restrict usage in unprivileged domU

Summary

CVE	CVE-2026-31788
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-03-25 11:16:40 UTC
Updated	2026-04-18 09:16:33 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows to issue arbitrary hypercalls from user space processes. This is normally no problem, as access is usually limited to root and the hypervisor will deny any hypercalls affecting other domains. In case the guest is booted using secure boot, however, the privcmd driver would be enabling a root user process to modify e.g. kernel memory contents, thus breaking the secure boot feature. The only known case where an unprivileged domU is really needing to use the privcmd driver is the case when it is acting as the device model for another guest. In this case all hypercalls issued via the privcmd driver will target that other guest. Fortunately the privcmd driver can already be locked down to allow only hypercalls targeting a specific domain, but this mode can be activated from user land only today. The target domain can be obtained from Xenstore, so when not running in dom0 restrict the privcmd driver to that target domain from the beginning, resolving the potential problem of breaking secure boot. This is XSA-482 --- V2: - defer reading from Xenstore if Xenstore isn't ready yet (Jan Beulich) - wait in open() if target domain isn't known yet - issue message in case no target domain found (Jan Beulich)

Risk And Classification

Primary CVSS: v3.1 8.2 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS: 0.000210000 probability, percentile 0.057760000 (date 2026-04-21)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	8.2	HIGH	`CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H`
3.1	CNA	DECLARED	8.2	HIGH	`CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H`

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b 4eb245ff0d33b618e097a2c23de5df56d4ad6969 git	Not specified
CNA	Linux	Linux	affected 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b 3ee5b9e3de4b8bdd74183d83205481c91a9effc8 git	Not specified
CNA	Linux	Linux	affected 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b 87a803edb2ded911cb587c53bff179d2a2ed2a28 git	Not specified
CNA	Linux	Linux	affected 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b 1879319d790f7d57622cdc22807b60ea78b56b6d git	Not specified
CNA	Linux	Linux	affected 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b 78432d8f0372c71c518096395537fa12be7ff24e git	Not specified
CNA	Linux	Linux	affected 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b 389bae9a4409934e8b8d4dbdaaf02a3ae71cf8e4 git	Not specified
CNA	Linux	Linux	affected 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b cbede2e833da1893afbea9b3ff29b5dda23a4a91 git	Not specified
CNA	Linux	Linux	affected 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b 453b8fb68f3641fea970db88b7d9a153ed2a37e8 git	Not specified
CNA	Linux	Linux	affected 2.6.37	Not specified
CNA	Linux	Linux	unaffected 2.6.37 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.253 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.203 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.167 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.130 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.78 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.20 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.10 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/3ee5b9e3de4b8bdd74183d83205481c91a9effc8	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
www.openwall.com/lists/oss-security/2026/03/24/4	af854a3a-2127-422b-91ae-364da2661108	www.openwall.com
git.kernel.org/stable/c/87a803edb2ded911cb587c53bff179d2a2ed2a28	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
www.openwall.com/lists/oss-security/2026/03/24/5	af854a3a-2127-422b-91ae-364da2661108	www.openwall.com
git.kernel.org/stable/c/78432d8f0372c71c518096395537fa12be7ff24e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/1879319d790f7d57622cdc22807b60ea78b56b6d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
www.openwall.com/lists/oss-security/2026/03/24/2	af854a3a-2127-422b-91ae-364da2661108	www.openwall.com
www.openwall.com/lists/oss-security/2026/03/26/4	af854a3a-2127-422b-91ae-364da2661108	www.openwall.com
www.openwall.com/lists/oss-security/2026/03/24/3	af854a3a-2127-422b-91ae-364da2661108	www.openwall.com
git.kernel.org/stable/c/4eb245ff0d33b618e097a2c23de5df56d4ad6969	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/453b8fb68f3641fea970db88b7d9a153ed2a37e8	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/389bae9a4409934e8b8d4dbdaaf02a3ae71cf8e4	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
xenbits.xen.org/xsa/advisory-482.html	af854a3a-2127-422b-91ae-364da2661108	xenbits.xen.org
git.kernel.org/stable/c/cbede2e833da1893afbea9b3ff29b5dda23a4a91	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.