CVE-2026-23553 (GCVE-0-2026-23553)

Vulnerability from cvelistv5 – Published: 2026-01-28 15:33 – Updated: 2026-01-28 16:41
VLAI?
Title
x86: incomplete IBPB for vCPU isolation
Summary
In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.
Severity ?
2.9 (Low)
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-665 - Improper Initialization
  • CWE-693 - Protection Mechanism Failure
Assigner
XEN
References
Impacted products
Vendor Product Version
Xen Xen Unknown: consult Xen advisory XSA-479
Create a notification for this product.
Credits
This issue was discovered by David Kaplan of AMD.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-28T16:12:31.841Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/01/27/3"
          },
          {
            "url": "http://xenbits.xen.org/xsa/advisory-479.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 2.9,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-23553",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-28T16:40:38.385640Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-665",
                "description": "CWE-665 Improper Initialization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-693",
                "description": "CWE-693 Protection Mechanism Failure",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-28T16:41:14.803Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-479"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Xen versions which had the XSA-254 fixes backported are vulnerable.\nUpstream, that is 4.6 and newer.\n\nOnly x86 systems are vulnerable.  Arm systems are not vulerable.\n\nSystems vulnerable to SRSO (see XSA-434) with default settings use\nIBPB-on-entry to protect against SRSO.  This is a rather more aggressive\nform of flushing than only on context switch, and is believed to be\nsufficient to avoid the vulnerability."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by David Kaplan of AMD."
        }
      ],
      "datePublic": "2026-01-27T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In the context switch logic Xen attempts to skip an IBPB in the case of\na vCPU returning to a CPU on which it was the previous vCPU to run.\nWhile safe for Xen\u0027s isolation between vCPUs, this prevents the guest\nkernel correctly isolating between tasks.  Consider:\n\n 1) vCPU runs on CPU A, running task 1.\n 2) vCPU moves to CPU B, idle gets scheduled on A.  Xen skips IBPB.\n 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.\n 4) vCPU moves back to CPU A.  Xen skips IBPB again.\n\nNow, task 2 is running on CPU A with task 1\u0027s training still in the BTB."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Guest processes may leverage information leaks to obtain information\nintended to be private to other entities in a guest."
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T15:33:44.782Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-479.html"
        }
      ],
      "title": "x86: incomplete IBPB for vCPU isolation",
      "workarounds": [
        {
          "lang": "en",
          "value": "Using \"spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv\" on the Xen command line\nwill activate the SRSO mitigation on non-SRSO-vulnerable hardware, but\nit is a large overhead."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2026-23553",
    "datePublished": "2026-01-28T15:33:44.782Z",
    "dateReserved": "2026-01-14T13:07:36.961Z",
    "dateUpdated": "2026-01-28T16:41:14.803Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23553\",\"sourceIdentifier\":\"security@xen.org\",\"published\":\"2026-01-28T16:16:16.853\",\"lastModified\":\"2026-01-28T17:16:15.990\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the context switch logic Xen attempts to skip an IBPB in the case of\\na vCPU returning to a CPU on which it was the previous vCPU to run.\\nWhile safe for Xen\u0027s isolation between vCPUs, this prevents the guest\\nkernel correctly isolating between tasks.  Consider:\\n\\n 1) vCPU runs on CPU A, running task 1.\\n 2) vCPU moves to CPU B, idle gets scheduled on A.  Xen skips IBPB.\\n 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.\\n 4) vCPU moves back to CPU A.  Xen skips IBPB again.\\n\\nNow, task 2 is running on CPU A with task 1\u0027s training still in the BTB.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":2.9,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.4,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-665\"},{\"lang\":\"en\",\"value\":\"CWE-693\"}]}],\"references\":[{\"url\":\"https://xenbits.xenproject.org/xsa/advisory-479.html\",\"source\":\"security@xen.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/01/27/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://xenbits.xen.org/xsa/advisory-479.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/01/27/3\"}, {\"url\": \"http://xenbits.xen.org/xsa/advisory-479.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-01-28T16:12:31.841Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 2.9, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-23553\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-28T16:40:38.385640Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-665\", \"description\": \"CWE-665 Improper Initialization\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-693\", \"description\": \"CWE-693 Protection Mechanism Failure\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-28T16:39:51.548Z\"}}], \"cna\": {\"title\": \"x86: incomplete IBPB for vCPU isolation\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"This issue was discovered by David Kaplan of AMD.\"}], \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"Guest processes may leverage information leaks to obtain information\\nintended to be private to other entities in a guest.\"}]}], \"affected\": [{\"vendor\": \"Xen\", \"product\": \"Xen\", \"versions\": [{\"status\": \"unknown\", \"version\": \"consult Xen advisory XSA-479\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2026-01-27T12:00:00.000Z\", \"references\": [{\"url\": \"https://xenbits.xenproject.org/xsa/advisory-479.html\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Using \\\"spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv\\\" on the Xen command line\\nwill activate the SRSO mitigation on non-SRSO-vulnerable hardware, but\\nit is a large overhead.\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the context switch logic Xen attempts to skip an IBPB in the case of\\na vCPU returning to a CPU on which it was the previous vCPU to run.\\nWhile safe for Xen\u0027s isolation between vCPUs, this prevents the guest\\nkernel correctly isolating between tasks.  Consider:\\n\\n 1) vCPU runs on CPU A, running task 1.\\n 2) vCPU moves to CPU B, idle gets scheduled on A.  Xen skips IBPB.\\n 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.\\n 4) vCPU moves back to CPU A.  Xen skips IBPB again.\\n\\nNow, task 2 is running on CPU A with task 1\u0027s training still in the BTB.\"}], \"configurations\": [{\"lang\": \"en\", \"value\": \"Xen versions which had the XSA-254 fixes backported are vulnerable.\\nUpstream, that is 4.6 and newer.\\n\\nOnly x86 systems are vulnerable.  Arm systems are not vulerable.\\n\\nSystems vulnerable to SRSO (see XSA-434) with default settings use\\nIBPB-on-entry to protect against SRSO.  This is a rather more aggressive\\nform of flushing than only on context switch, and is believed to be\\nsufficient to avoid the vulnerability.\"}], \"providerMetadata\": {\"orgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"shortName\": \"XEN\", \"dateUpdated\": \"2026-01-28T15:33:44.782Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-23553\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-28T16:41:14.803Z\", \"dateReserved\": \"2026-01-14T13:07:36.961Z\", \"assignerOrgId\": \"23aa2041-22e1-471f-9209-9b7396fa234f\", \"datePublished\": \"2026-01-28T15:33:44.782Z\", \"assignerShortName\": \"XEN\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.