Vulnerability summary: XSA-486 (CVE-2026-23558)

Overview
Name: grant table v2 race in status page mapping
Published: 2026-04-28
Description: when Xen changes the grant table version (from v2 to v1) while an operation mapping the status page(s) runs in parallel, a race condition results. A status page may be freed while a mapping of it still exists in the guest's secondary (P2M) page tables.

Affected scope
Affected systems: all Xen versions 4.0 and later (3.4 and older are not affected).
Affected environments: only x86 HVM and PVH guests permitted to use the grant table v2 interface. x86 PV guests are not affected. ARM does not support grant table v2.
Potential impact: privilege escalation, information leaks, Denial of Service (DoS), possibly affecting the entire host.

Fix
Patch: apply the patch attached to the advisory ( or ).
Mitigation:
1. Use the hypervisor command line option .
2. For HVM and PVH guests, use the configuration option .

Patch code
```
            Xen Security Advisory CVE-2026-23558 / XSA-486
                               version 2

              grant table v2 race in status page mapping

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The adjustments made for XSA-379 as well as those subsequently becoming
XSA-387 still left a race window, when a HVM or PVH guest does a grant
table version change from v2 to v1 in parallel with mapping the status
page(s) via XENMEM_add_to_physmap. Some of the status pages may then be
freed while mappings of them would still be inserted into the guest's
secondary (P2M) page tables.

IMPACT
======

Privilege escalation, information leaks, and Denial of Service (DoS) up
to affecting the entire host cannot be excluded.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.0 onwards are affected. Xen versions 3.4 and
older are not affected.

Only x86 HVM and PVH guests permitted to use grant table version 2
interfaces can leverage this vulnerability. x86 PV guests cannot
leverage this vulnerability. On ARM, grant table v2 use is explicitly
unsupported.

MITIGATION
==========

Using the "gnttab=max-ver=1" hypervisor command line option will avoid
the vulnerability.

Using the "max grant version=1" guest configuration option for HVM and
PVH guests will also avoid the vulnerability.

CREDITS
=======

This issue was discovered by Claude Opus 4.6 and diagnosed as a security
issue by Rafal Wojtczuk.
RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsax86.patch           xen-unstable - Xen 4.19.x
xsax86-4.18.patch      Xen 4.18.x - Xen 4.17.x

$ sha256sum xsax86*
0b133875069e4d3ba3ba200e00000109a79b4cc15af72e64cfb6585af6599d  xsax86.patch
3fa23326a2761eba2e6d1fa052c1d8066901ea6752e073ab248bcffedf9  xsax86-4.18.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

HOWEVER, deployment of the mitigation is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Pre-disclosure List). Specifically, deployment on public cloud systems
is NOT permitted.

This is because restricting the available grant table version is a
guest visible configuration change, which may lead to re-discovery of
the issue.

Deployment of this mitigation is permitted only AFTER the embargo ends.

AND: Distribution of updated software is prohibited (except to other
members of the pre-disclosure list).

Pre-disclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
```
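The two mitigations in the MITIGATION section above can be audited on a dom0 with the script below; it is an added example, not part of the Xen advisory or of Xen's own tooling. It assumes `xl info` prints a `xen_commandline` field, that guest configs are xl.cfg files using the `type` and `max_grant_version` keys, and it accepts the `gnttab=max-ver:1` spelling used in Xen's command-line documentation alongside the `max-ver=1` form quoted in the advisory.

```shell
#!/bin/sh
# Added example, not part of the Xen advisory: audit a host for the XSA-486
# mitigations. Assumes `xl info` prints a "xen_commandline" field, guest
# configs are xl.cfg files using `type` and `max_grant_version`, and both
# "max-ver:1" (docs spelling) and "max-ver=1" (advisory spelling) count.

# 0 if the hypervisor command line caps guests at grant table v1.
xen_cmdline_mitigated() {
    printf '%s\n' "$1" |
        grep -Eq '(^|[[:space:]])gnttab=[^[:space:]]*max-ver[:=]1([,[:space:]]|$)'
}

# 0 if an xl.cfg text pins the guest to grant table v1.
guest_cfg_mitigated() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*max_grant_version[[:space:]]*=[[:space:]]*1[[:space:]]*(#.*)?$'
}

# Walk a host: host-wide option first, then per-guest config for HVM/PVH only
# (PV guests are not affected, per the advisory). Returns 1 if any guest is exposed.
audit_host() {
    cmdline=$(xl info 2>/dev/null | sed -n 's/^xen_commandline *: *//p')
    if xen_cmdline_mitigated "$cmdline"; then
        echo "host: gnttab max-ver=1 set, all guests covered"
        return 0
    fi
    rc=0
    for cfg in "${1:-/etc/xen}"/*.cfg; do
        [ -f "$cfg" ] || continue
        grep -Eq '^[[:space:]]*type[[:space:]]*=[[:space:]]*"(hvm|pvh)"' "$cfg" || continue
        if guest_cfg_mitigated "$(cat "$cfg")"; then
            echo "ok:      $cfg"
        else
            echo "EXPOSED: $cfg (no max_grant_version=1, host not restricted)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs so the checks can be exercised offline.
SAMPLE_CMDLINE_OK='placeholder console=vga dom0_mem=4G gnttab=max-ver:1 loglvl=all'
SAMPLE_CMDLINE_BAD='placeholder console=vga dom0_mem=4G'
SAMPLE_CFG_OK='type = "hvm"
max_grant_version = 1'
SAMPLE_CFG_BAD='type = "pvh"
max_grant_frames = 64'

if [ "${1:-}" = "--audit" ]; then audit_host "${2:-/etc/xen}"; fi
```

Run it as `sh audit.sh --audit /etc/xen` on a dom0 to check a live host; without arguments it only defines the checks and the sample inputs.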