Vulnerability-Lookup

WID-SEC-W-2026-0229

Vulnerability from csaf_certbund - Published: 2026-01-27 23:00 - Updated: 2026-01-28 23:00

Summary

Citrix Systems XenServer und Xen: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Citrix XenServer ist eine Lösung für das Management, die Konfiguration und den Betrieb virtueller Maschinen auf Servern. Xen ist ein Virtueller-Maschinen-Monitor (VMM), der Hardware (x86, IA-64, PowerPC) für die darauf laufenden Systeme (Domains) paravirtualisiert.

Angriff

Ein lokaler Angreifer kann eine Schwachstelle in Citrix Systems XenServer und Xen ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "niedrig"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Citrix XenServer ist eine L\u00f6sung f\u00fcr das Management, die Konfiguration und den Betrieb virtueller Maschinen auf Servern.\r\nXen ist ein Virtueller-Maschinen-Monitor (VMM), der Hardware (x86, IA-64, PowerPC) f\u00fcr die darauf laufenden Systeme (Domains) paravirtualisiert.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann eine Schwachstelle in Citrix Systems XenServer und Xen ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0229 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0229.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0229 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0229"
      },
      {
        "category": "external",
        "summary": "Xen Security Advisory 479 vom 2026-01-27",
        "url": "https://xenbits.xen.org/xsa/advisory-479.html"
      },
      {
        "category": "external",
        "summary": "Citrix XenServer Security Update vom 2026-01-27",
        "url": "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX695997\u0026articleURL=XenServer_Security_Update_for_CVE_2025_58151_and_CVE_2026_23553"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:0303-1 vom 2026-01-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-January/023931.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:0304-1 vom 2026-01-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-January/023930.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:0306-1 vom 2026-01-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-January/023928.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:0328-1 vom 2026-01-29",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-January/023973.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:0329-1 vom 2026-01-29",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-January/023972.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Citrix Systems XenServer und Xen: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2026-01-28T23:00:00.000+00:00",
      "generator": {
        "date": "2026-01-29T07:51:14.964+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0229",
      "initial_release_date": "2026-01-27T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-01-27T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-01-28T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von SUSE und European Union Vulnerability Database aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "8.4",
                "product": {
                  "name": "Citrix Systems XenServer 8.4",
                  "product_id": "T050351",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:citrix:xenserver:8.4"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "XenServer"
          }
        ],
        "category": "vendor",
        "name": "Citrix Systems"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.18.x",
                "product": {
                  "name": "Open Source Xen \u003c4.18.x",
                  "product_id": "T050352"
                }
              },
              {
                "category": "product_version",
                "name": "4.18.x",
                "product": {
                  "name": "Open Source Xen 4.18.x",
                  "product_id": "T050352-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:xen:xen:4.18.x"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Xen"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-23553",
      "product_status": {
        "known_affected": [
          "T002207",
          "T050352",
          "T050351"
        ]
      },
      "release_date": "2026-01-27T23:00:00.000+00:00",
      "title": "CVE-2026-23553"
    }
  ]
}

CVE-2026-23553 (GCVE-0-2026-23553)

Vulnerability from cvelistv5 – Published: 2026-01-28 15:33 – Updated: 2026-01-28 16:41

Title

x86: incomplete IBPB for vCPU isolation

Summary

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB.

Severity ?

2.9 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-665 - Improper Initialization
CWE-693 - Protection Mechanism Failure

Assigner

XEN

References

URL

Tags

https://xenbits.xenproject.org/xsa/advisory-479.html

Impacted products

	Vendor	Product	Version
	Xen	Xen	Unknown: consult Xen advisory XSA-479

Credits

This issue was discovered by David Kaplan of AMD.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-28T16:12:31.841Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/01/27/3"
          },
          {
            "url": "http://xenbits.xen.org/xsa/advisory-479.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 2.9,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-23553",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-28T16:40:38.385640Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-665",
                "description": "CWE-665 Improper Initialization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-693",
                "description": "CWE-693 Protection Mechanism Failure",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-28T16:41:14.803Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Xen",
          "vendor": "Xen",
          "versions": [
            {
              "status": "unknown",
              "version": "consult Xen advisory XSA-479"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Xen versions which had the XSA-254 fixes backported are vulnerable.\nUpstream, that is 4.6 and newer.\n\nOnly x86 systems are vulnerable.  Arm systems are not vulerable.\n\nSystems vulnerable to SRSO (see XSA-434) with default settings use\nIBPB-on-entry to protect against SRSO.  This is a rather more aggressive\nform of flushing than only on context switch, and is believed to be\nsufficient to avoid the vulnerability."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was discovered by David Kaplan of AMD."
        }
      ],
      "datePublic": "2026-01-27T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In the context switch logic Xen attempts to skip an IBPB in the case of\na vCPU returning to a CPU on which it was the previous vCPU to run.\nWhile safe for Xen\u0027s isolation between vCPUs, this prevents the guest\nkernel correctly isolating between tasks.  Consider:\n\n 1) vCPU runs on CPU A, running task 1.\n 2) vCPU moves to CPU B, idle gets scheduled on A.  Xen skips IBPB.\n 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.\n 4) vCPU moves back to CPU A.  Xen skips IBPB again.\n\nNow, task 2 is running on CPU A with task 1\u0027s training still in the BTB."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Guest processes may leverage information leaks to obtain information\nintended to be private to other entities in a guest."
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T15:33:44.782Z",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "url": "https://xenbits.xenproject.org/xsa/advisory-479.html"
        }
      ],
      "title": "x86: incomplete IBPB for vCPU isolation",
      "workarounds": [
        {
          "lang": "en",
          "value": "Using \"spec-ctrl=ibpb-entry=hvm,ibpb-entry=pv\" on the Xen command line\nwill activate the SRSO mitigation on non-SRSO-vulnerable hardware, but\nit is a large overhead."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2026-23553",
    "datePublished": "2026-01-28T15:33:44.782Z",
    "dateReserved": "2026-01-14T13:07:36.961Z",
    "dateUpdated": "2026-01-28T16:41:14.803Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0229

CVE-2026-23553 (GCVE-0-2026-23553)

Tags

Sightings

Nomenclature