{"api_version":"1","generated_at":"2026-04-22T21:38:59+00:00","cve":"CVE-2026-23554","urls":{"html":"https://cve.report/CVE-2026-23554","api":"https://cve.report/api/cve/CVE-2026-23554.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23554","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23554"},"summary":{"title":"Use after free of paging structures in EPT","description":"The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions.","state":"PUBLISHED","assigner":"XEN","published_at":"2026-03-23 07:16:07","updated_at":"2026-04-10 20:40:33"},"problem_types":["CWE-367","CWE-367 CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/03/17/6","name":"http://www.openwall.com/lists/oss-security/2026/03/17/6","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://xenbits.xen.org/xsa/advisory-480.html","name":"http://xenbits.xen.org/xsa/advisory-480.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://xenbits.xenproject.org/xsa/advisory-480.html","name":"https://xenbits.xenproject.org/xsa/advisory-480.html","refsource":"security@xen.org","tags":["Patch","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23554","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23554","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Xen","product":"Xen","version":"unknown consult Xen advisory XSA-480","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"There are no mitigations.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"This issue was discovered by Roger Pau Monné of XenServer.","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"23554","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"xen","cpe5":"xen","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"x86","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"23554","cve":"CVE-2026-23554","epss":"0.000120000","percentile":"0.015830000","score_date":"2026-04-15","updated_at":"2026-04-16 00:13:57"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2026-03-23T07:32:25.539Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/03/17/6"},{"url":"http://xenbits.xen.org/xsa/advisory-480.html"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-23554","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-03-23T14:18:54.774466Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-367","description":"CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-23T14:19:27.752Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unknown","product":"Xen","vendor":"Xen","versions":[{"status":"unknown","version":"consult Xen advisory XSA-480"}]}],"configurations":[{"lang":"en","value":"Xen 4.17 and onwards are vulnerable.  Xen 4.16 and older are not vulnerable.\n\nOnly x86 Intel systems with EPT support are vulnerable.\n\nOnly x86 HVM/PVH guests using HAP can leverage the vulnerability on affected\nsystems."}],"credits":[{"lang":"en","type":"finder","value":"This issue was discovered by Roger Pau Monné of XenServer."}],"datePublic":"2026-03-17T12:00:00.000Z","descriptions":[{"lang":"en","value":"The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions."}],"impacts":[{"descriptions":[{"lang":"en","value":"Privilege escalation, Denial of Service (DoS) affecting the entire host,\nand information leaks."}]}],"providerMetadata":{"dateUpdated":"2026-03-23T06:56:52.344Z","orgId":"23aa2041-22e1-471f-9209-9b7396fa234f","shortName":"XEN"},"references":[{"url":"https://xenbits.xenproject.org/xsa/advisory-480.html"}],"title":"Use after free of paging structures in EPT","workarounds":[{"lang":"en","value":"There are no mitigations."}]}},"cveMetadata":{"assignerOrgId":"23aa2041-22e1-471f-9209-9b7396fa234f","assignerShortName":"XEN","cveId":"CVE-2026-23554","datePublished":"2026-03-23T06:56:52.344Z","dateReserved":"2026-01-14T13:07:36.961Z","dateUpdated":"2026-03-23T14:19:27.752Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-23 07:16:07","lastModifiedDate":"2026-04-10 20:40:33","problem_types":["CWE-367","CWE-367 CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.1,"impactScore":6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*","versionStartIncluding":"4.17","matchCriteriaId":"1B149544-81AE-4439-B77E-F4C973187511"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23554","Ordinal":"1","Title":"Use after free of paging structures in EPT","CVE":"CVE-2026-23554","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23554","Ordinal":"1","NoteData":"The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions.","Type":"Description","Title":"Use after free of paging structures in EPT"}]}}}