CVE-2026-23554

The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.1 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://xenbits.xenproject.org/xsa/advisory-480.html
http://www.openwall.com/lists/oss-security/2026/03/17/6
http://xenbits.xen.org/xsa/advisory-480.html

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-23 07:16

Updated : 2026-03-23 15:16

NVD link : CVE-2026-23554

Mitre link : CVE-2026-23554

CVE.ORG link : CVE-2026-23554

JSON object : View

Products Affected

No product.

CWE

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

{"id": "CVE-2026-23554", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.1}]}, "published": "2026-03-23T07:16:07.200", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-480.html", "source": "security@xen.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/17/6", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://xenbits.xen.org/xsa/advisory-480.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "The Intel EPT paging code uses an optimization to defer flushing of any cached\nEPT state until the p2m lock is dropped, so that multiple modifications done\nunder the same locked region only issue a single flush.\n\nFreeing of paging structures however is not deferred until the flushing is\ndone, and can result in freed pages transiently being present in cached state.\nSuch stale entries can point to memory ranges not owned by the guest, thus\nallowing access to unintended memory regions."}, {"lang": "es", "value": "El c\u00f3digo de paginaci\u00f3n EPT de Intel utiliza una optimizaci\u00f3n para aplazar el vaciado de cualquier estado EPT en cach\u00e9 hasta que se libere el bloqueo p2m, de modo que m\u00faltiples modificaciones realizadas bajo la misma regi\u00f3n bloqueada solo emitan un \u00fanico vaciado.\n\nLa liberaci\u00f3n de estructuras de paginaci\u00f3n, sin embargo, no se aplaza hasta que se complete el vaciado, y puede resultar en que las p\u00e1ginas liberadas est\u00e9n transitoriamente presentes en estado de cach\u00e9. Dichas entradas obsoletas pueden apuntar a rangos de memoria no pose\u00eddos por el invitado, permitiendo as\u00ed el acceso a regiones de memoria no intencionadas."}], "lastModified": "2026-03-23T15:16:32.060", "sourceIdentifier": "security@xen.org"}