What is CVE-2026-23558?

CVE-2026-23558 is a high-severity vulnerability in Xen, classified under Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition). CVSS score: 7.8/10. Published 2026-05-19.

How severe is CVE-2026-23558?

High severity. CVSS v3 base score is 7.8 out of 10.

Vulnerability in Xen

CVE-2026-23558

The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to…

Vulnerability class: Race Condition

EPSS: 0.000 (1.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.8 (High). Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

Xen — versions consult Xen advisory XSA-486

Weakness classification (CWE)

CWE-362 — Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)

References

security@xen.org (Patch, Mitigation, Vendor Advisory)
af854a3a-2127-422b-91ae-364da2661108 (Patch, Mailing List, Third Party Advisory, Mitigation)
af854a3a-2127-422b-91ae-364da2661108 (Patch, Mitigation, Vendor Advisory)

Frequently asked questions

What is CVE-2026-23558?: CVE-2026-23558 is a high-severity vulnerability in Xen, classified under Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition). CVSS score: 7.8/10. Published 2026-05-19.
How severe is CVE-2026-23558?: High severity. CVSS v3 base score is 7.8 out of 10.